eDiscovery Daily Blog

First Ever Multi-State Data Breach Lawsuit Targets Healthcare Provider: Cybersecurity Trends

Just as the number of data breaches continues to rise, the number of lawsuits over data breaches continues to rise as well. Chances are that your data has been hacked at some point from at least one company with which you do business. But this lawsuit is unique.

According to The Expert Institute (12 US States Join Forces to File First Ever Multi-State Data Breach Lawsuit, written by Victoria Negron), an Indiana court will serve as the venue for the first-ever multistate data breach lawsuit, as the attorneys general of twelve US states join forces against a healthcare provider and its subsidiary.

The lawsuit alleges that Fort Wayne-based Medical Informatics Engineering and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measures to ensure their computer systems were protected,” resulting in a 2015 breach that gave hackers access to the personal healthcare information of 3.9 million US citizens. The stolen information included not only identifying details, such as names and Social Security numbers, but also healthcare information, including diagnoses and lab results.

Patients whose data was stolen in the hack had visited 11 different healthcare providers and 44 different radiology clinics, all of whom shared one common feature: they used the WebChart app offered by Medical Informatics Engineering and NoMoreClipboard. Most of the affected patients lived in Indiana, but several others were residents of different states.

In response to the hack, the attorneys general from Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin have jointly filed a cross-state lawsuit alleging multiple violations of the Health Insurance Portability and Accountability Act (HIPAA). The lawsuit claims that the defendants failed to implement “basic industry-accepted data security measures,” leading to the breach.

According to the article, the use of “tester” accounts (with easily guessed default usernames and passwords) enabled hackers to launch a SQL injection attack (the execution of attacker-supplied SQL statements against a web application’s database server, typically because user input is spliced directly into query text), giving them useful information that eventually led to access to medical data. Allegedly, Digital Defense, a company specializing in network security solutions, tested the software in 2014 and 2015 and reported “high risk” in the way the system was designed both times, yet the lawsuit alleges that the defendants did not make changes after Digital Defense’s warnings.
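The two weaknesses named in the article, an input-concatenated query and a leftover tester account with a default credential, shown side by side with their defensive counterparts. This is an added illustration written for this post, not code from the article, the defendants, or the WebChart product; the in-memory table, the account names and the placeholder credential strings are all constructed for the example.

```python
import sqlite3

# Constructed sample data: two ordinary accounts plus a "tester" account left over
# from development whose credential equals its username (placeholder values, not real).
SAMPLE_USERS = [
    ("alice", "placeholder-hash-A", 0),
    ("o'brien", "placeholder-hash-B", 0),
    ("tester", "tester", 1),
]
# Hypothetical list of default/test account names an audit would look for.
DEFAULT_TEST_ACCOUNTS = {"tester", "test", "demo"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, is_test INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: the value is spliced into the SQL text, so a quote in the
    input becomes SQL syntax instead of data (here it breaks the query outright)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened pattern: the driver binds the value separately from the SQL text,
    so the same input is always treated as a literal string."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def audit_default_accounts(conn):
    """Defender check: flag accounts with a known test name, a credential equal to
    the username, or the is_test marker, all signs of a leftover tester account."""
    findings = []
    for name, pw, is_test in conn.execute("SELECT name, pw, is_test FROM users"):
        if name in DEFAULT_TEST_ACCOUNTS or pw == name or is_test:
            findings.append(name)
    return findings


def demo():
    conn = make_db()
    results = {}
    try:
        lookup_concatenated(conn, "o'brien")
        results["concat_ok"] = True
    except sqlite3.OperationalError:
        results["concat_ok"] = False  # apostrophe altered the SQL: the query is injectable
    results["param"] = lookup_parameterized(conn, "o'brien")
    results["audit"] = audit_default_accounts(conn)
    return results
```

The same apostrophe that breaks the concatenated query is handled as plain data by the parameterized one, and the audit surfaces the tester account before an outside assessment has to.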

Amazingly, not all states allow patients whose personal health information (PHI) is breached to bring a private right of action regarding the breach (hopefully that changes someday), so pursuing litigation at the state level enables the attorneys general named in the complaint to more directly address HIPAA violations and the alleged misconduct that may have caused them. Of course, chances are that any breach takes months to discover, so it’s not just about the breach itself, it’s also about how quickly the breach is discovered.

So, what do you think?  Will we see more groups of states go after companies who fail to protect sensitive consumer data?  Please let me know your thoughts or if you have a topic that you’d like to suggest.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.