Attorney General Herbert H. Slatery III announced recently that a U.S. district court judge has signed a consent judgment negotiated by 16 states’ attorneys general and Medical Informatics Engineering Inc.

This case was the nation’s first-ever multistate lawsuit involving a HIPAA-related data breach.

The lawsuit, led by Indiana, was filed in December of 2018 against a web-based electronic health records company based in Fort Wayne, IN. The company allegedly sustained a data breach compromising the data of more than 3.9 million people. The data of 43,373 Tennesseans, including 14,871 Social Security Numbers, was compromised.

With the signing of the consent judgment, the 16 states will receive $900,000 with Tennessee receiving $21,238.

The lawsuit resolved allegations that Medical Informatics Engineering Inc. and NoMoreClipboard LLC (collectively “MIE”) violated provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) as well as state claims including Unfair and Deceptive Practice laws, Notice of Data Breach statutes, and state Personal Information Protection Acts.

Between May 7, 2015, and May 26, 2015, hackers infiltrated WebChart, a web application run by MIE.

The hackers stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals – including individual names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially dates of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnosis, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.

“Protected Health Information (PHI) is extremely sensitive data and Tennesseans deserve to know that it is adequately protected,” said Attorney General Herbert H. Slatery III. “This office appreciates the work of Indiana Attorney General Curtis Hill in leading the states on this matter.”

Medical Informatics Engineering Inc. also agreed to injunctive provisions aimed at preventing similar breaches in the future.

Indiana, Arizona, Arkansas, Connecticut, Florida, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, West Virginia, and Wisconsin are also named in the settlement, which can be viewed at https://www.tn.gov/content/dam/tn/attorneygeneral/documents/pr/2019/pr19-18-judgment.pdf.