Fort Wayne-based Medical Informatics Engineering Inc. failed to secure its computer systems, resulting in a data breach that compromised the data of more than 3.9 million people, a 12-state lawsuit filed by Indiana Attorney General Curtis Hill alleges.
“We will always act to protect Hoosier consumers in cases such as this one,” Hill said in a statement. “We make it our standard practice to pursue all penalties and remedies available under the law on behalf of our citizens, and we hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest ethics and utmost diligence.”
Other states involved in the litigation are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. Indiana's portion was filed in the U.S. District Court for the Northern District of Indiana.
Founded in 1995, Medical Informatics Engineering is a web-based electronic health records company.
The lawsuit, which Hill's office announced Monday, states that Medical Informatics Engineering Inc. “failed to take reasonably available steps to prevent the breaches,” resulting in violations of the Health Insurance Portability and Accountability Act.
The incident in question occurred between May 7 and May 26, 2015, when hackers gained access to WebChart, an application run by Medical Informatics Engineering.
In each of the 12 states listed in the lawsuit, the company is accused of violating HIPAA safeguards, as well as various other state codes. In Indiana's portion of the complaint, the state claims that Medical Informatics Engineering “committed an unfair or deceptive act by representing that it maintained appropriate administrative and technical safeguards” to protect clients' information. The state also claims the company failed to implement reasonable procedures to protect personal information.
News of the lawsuit comes just weeks after Medical Informatics Engineering announced it had signed a letter of intent with Electric Works developer RTM Ventures to locate some of its future operations at the new development south of downtown Fort Wayne.
It's unclear whether the lawsuit might interfere with that plan. Attempts to reach Medical Informatics Engineering and RTM's spokesman for comment Monday were unsuccessful.
Records accessed and stolen include patients' names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, health information and health insurance policy information.
“Defendants failed to implement basic industry-accepted data security measures to protect individuals' health information from unauthorized access,” the lawsuit states. “Defendants set up a generic 'tester' account called 'testing' with a shared password of 'testing.' In addition to being easily guessed, these generic accounts did not require a unique user identification and password in order to gain remote access.”
According to the lawsuit, the company did not put in place an active security system to alert employees to possible hacking attempts. Additionally, the lawsuit contends that the company did not encrypt sensitive personal information within its own computer system, “a protection that, had it been employed, would have rendered the data unusable.”
“The significance of the absence of these tools cannot be overstated, as two of the IP addresses used to access defendants' databases originated from Germany,” the lawsuit states. “An active security operations system should have identified remote system access by an unfamiliar IP address and alerted a system administrator to investigate.”
This is not the first lawsuit filed against MIE for the breach, which was disclosed publicly soon after it happened. The ink was barely dry on patient notification letters mailed in July when the company was named the defendant in a lawsuit alleging that negligence contributed to the data breach.
James Young, a patient whose medical information was compromised, filed suit in U.S. District Court in Fort Wayne. The Indianapolis man was seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit and potentially receive a cash award.