Beshear Files Lawsuit against Indiana Web-based Health Records Company for Alleged Data Breach Affecting 69,000 Kentuckians

Lawsuit first time AGs have jointly pursued a HIPAA-related data breach case in federal court

FRANKFORT, KY. (Dec. 3, 2018) – Attorney General Andy Beshear is suing a Fort Wayne, Indiana web-based health records company that allegedly sustained a data breach compromising the data of 69,000 Kentuckians, including more than 33,000 Social Security numbers.

The lawsuit alleges that Medical Informatics Engineering Inc. and NoMoreClipboard LLC –collectively “MIE” – violated provisions of the Health Insurance Portability and Accountability Act or HIPAA and state consumer protection laws.

The lawsuit, filed in U.S. District Court for the Northern District of Indiana, seeks to hold the companies accountable for their 2015 data breach that involved hackers gaining access to an MIE server, exposing personal information including names, Social Security numbers, dates of birth, health insurance and medical information of about 3.9 million people nationwide.

“We are claiming that the companies failed to take reasonable steps to prevent the data breach, failed to honor their representations that patients’ health information would be protected and did not provide timely notice of the data breach,” Beshear said. “With the increasing threat and ever-evolving nature of data security risks, companies must have strong safeguards in place and a vehicle to rapidly and effectively respond to protect Kentuckians and their information.” 

The lawsuit marks the first time state attorneys general have joined together to pursue a HIPAA-related data breach case in federal court. The 12 state AGs represent Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

Beshear has called on Congress to stop federal legislation that would do away with state laws providing safeguards for Kentuckians during many data breaches.

The Data Acquisition and Technology Accountability and Security Act was a draft bill that aimed to chip away at Kentucky’s consumer protection laws that provide Kentuckians data security protections, Beshear said.

Beshear said the proposed federal legislation would severely affect the ability of states to obtain consumer data security protections in settlements with companies.

For instance, Beshear’s office joined multistate settlements in 2016, 2017 and 2018 against Uber, Target, Adobe and Nationwide Mutual Insurance Company, requiring those companies to maintain data security protections affecting thousands of Kentuckians.

On Beshear’s website, Kentuckians may review consumer protection tips including what to do if their personal information has been compromised.