The ink was barely dry on patient notification letters when Medical Informatics Engineering Inc. was named the defendant in a lawsuit alleging that negligence contributed to the local company’s May data breach.
James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne.
The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit and potentially receive a cash award.
Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers in a timely manner.
The Fort Wayne company publicly disclosed the cyberattack, which it says happened May 26, on June 10. The lawsuit alleges that the breach might have happened as early as May 7.
Reached late Thursday for comment, Jeff Donnell, an executive with the company, said by email, "We are aware of the suit, and we are currently reviewing it. Our primary focus at this time is on our response to those affected by this cyber attack."
The Journal Gazette obtained the legal paperwork Thursday.
In an interview Wednesday morning, Donnell reviewed the timeline.
Monitoring systems on MIE’s computer network alerted staff to an unusually high load of activity on one computer server at 5 a.m. May 26, he said. Information technology staff shut down that server and notified company executives, as set out in the company’s incident response plan.
MIE executives alerted the FBI’s cyber squad the same day, Donnell said. While it was clear that the attack was sophisticated, the scope of the breach was not clear, he said.
Within 48 hours, the firm brought in cybercrime specialists, a law firm and an independent forensics company, recommended by its cyber insurance provider.
"These are experts who do this every single day," Donnell said. "We worked with them to do the right thing at the right time."
MIE consulted state and federal guidelines that specify how soon consumers must be notified, he said. It also notified the Federal Trade Commission, the Department of Health and Human Services and the offices of numerous state attorneys general.
After notifying client companies June 2, the firm made a public statement on June 10. But MIE waited to mail the almost 3.1 million notification letters to consumers until officials knew which individual patients were affected and to what degree each person’s private information was compromised.
MIE officials didn’t want patients who have visited more than one health care provider to receive multiple letters that might contradict each other on what information was left vulnerable, Donnell said.
For that reason, he said, the company waited until the analysis was completed and compiled before making individual notifications.
Letters started going out on July 17; the last ones were mailed July 25, Donnell said.
Young’s lawsuit is seeking payment of costs directly related to misuse of information taken in the theft and compensation for "the stress, nuisance, and annoyance of dealing with all issues resulting from the MIE data breach."
Tom Markle, an employee benefits attorney and partner with local firm Barrett & McNagny, said Young doesn’t stand to receive more money than millions of others affected by the data breach just because his might be the first filing to reach the court.
"There is no advantage to a plaintiff filing a lawsuit like this (as soon as possible)," he said.
Irwin B. Levin, who represents Young, is managing partner of Indianapolis law firm Cohen & Malad LLP. In the document, Levin refers to himself as being "experienced in class-action and complex litigation."
The lawsuit requests a jury trial. Although the amount of damages being sought isn’t specified, the lawsuit says the plaintiff expects a total award that exceeds $5 million before interest and other costs.