A dozen states, including Minnesota, successfully sued Indiana-based Medical Informatics Engineering Inc. over a 2015 breach in which a computer holding data on 3.9 million individuals was infiltrated. The lawsuit alleges that hackers obtained a variety of information including names, telephone numbers, lab results and diagnoses.
The attorneys general said the companies failed to take adequate and reasonable measures to ensure computer systems were protected, failed to disclose material facts regarding the inadequacy of the computer systems and failed to provide timely and adequate notice of the incident.
"Defendants' actions resulted in the violation of the state consumer protection, data breach, personal information protection laws and federal HIPAA statutes," the lawsuit says. "Plaintiffs seek to enforce said laws by bringing this action."
A fine of $900,000 was levied as a result.
This more coordinated form of HIPAA enforcement means far larger fines are possible, and more resources will be needed to deal with numerous attorneys general. Medical facilities such as hospitals, doctors, dentists, emergency medical centers, etc., need to step up their focus on cybersecurity. We have put together an easy-to-read list of security basics every company leader should know about, and we are available to consult and assist if you have any questions.
In a related story, we broke the news of 326,000 patients who were impacted in a UCONN Health phishing attack. Several employee email accounts were hacked in the security incident, breaching personal and medical data; 1,500 patients saw Social Security numbers breached. This was the result of a very common and preventable phishing attack.