Health Records Company to Pay $1 Million Settlement in Multi-State Suit
Indiana-based Medical Informatics Engineering has reached a $900,000 settlement in the country's first federal multistate lawsuit, stemming from its health data breach impacting 3.5 million patients in 2015, according to HealthITSecurity.
The settlement comes just days after the Department of Health and Human Services Office for Civil Rights announced its settlement with MIE, which included a $100,000 civil monetary penalty and a corrective action plan.
The multistate agreement stems from the 2018 lawsuit filed against MIE by the patients across 16 states who were impacted by the EMR service vendor’s 2015 hack. Officials discovered a “sophisticated cyberattack” on their servers in May 2015 that gave hackers access to the protected health information of millions of patients, including Social Security numbers and clinical data.
The investigation determined the breach began two weeks earlier, when a hacker used a compromised user ID and password to gain access to the sensitive information. It’s still one of the largest healthcare data breaches to date.
The proposed multistate consent judgment will resolve allegations that MIE violated HIPAA provisions, along with state personal information protection laws, data breach notification statutes, and unfair and deceptive practice laws.
Under the multistate agreement, MIE is required to implement and maintain an information security program and a security incident and event monitoring (SIEM) tool to detect and respond to malicious cyberattacks. Further, MIE must implement data loss prevention technology to prevent and detect unauthorized data exfiltration.
MIE is also required to create password policies and procedures to enforce the use of strong, complex passwords. The vendor will also need to implement multi-factor authentication procedures for remote-access processes on systems that store or permit access to electronic protected health information.
Lastly, MIE must implement controls during the creation of accounts that allow access to ePHI. The $900,000 financial penalty will be distributed to the 16 states involved in the lawsuit: Florida, North Carolina, Arizona, Arkansas, Wisconsin, Kansas, Kentucky, Louisiana, Michigan, Nebraska, Minnesota, West Virginia, Iowa, Indiana, Tennessee, and Connecticut.