SOUTH BEND, Indiana — West Virginia and 15 other states have reached a settlement regarding potentially exposed medical records of nearly 4 million people.
West Virginia Attorney General Patrick Morrisey's office announced the settlement June 3 regarding a May 2015 data breach involving health records company Medical Informatics Engineering Inc. and NoMoreClipboard LLC. The AGs claim hackers infiltrated WebChart, an MIE-run web application, and stole electronic health information.
Morrisey's office says the case is the nation’s first multistate lawsuit involving a data breach related to the Health Insurance Portability and Accountability Act. West Virginia will get $21,187 from the settlement.
The lawsuit resolved allegations that MIE violated provisions of HIPAA, as well as state claims including unfair and deceptive practice laws.
“Businesses must take adequate and reasonable measures to ensure the protection of their computer systems,” Morrisey said in a statement. “Any business that fails to safeguard patients’ personal health information can cause significant harm to consumers across our state and nation.”
The settlement was approved late last month by a federal judge in late May. It requires the defendants to pay member states $900,000, comply with applicable privacy and security laws, take additional steps to protect personal information and hire a third party to analyze and identify any security risks.
Indiana led the lawsuit and was joined, in addition to West Virginia, by Arizona, Arkansas, Connecticut, Florida, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee and Wisconsin.
U.S. District Court for the Northern District of Indiana case number 3:18-cv-969-RLM-MGG