Press Release
Attorney General Ellison announces settlement in data breach affecting 8,000 Minnesotans
Sixteen states settle claims related to 2015 data breach in first-ever multi-state lawsuit filed under HIPAA
May 30, 2019 (SAINT PAUL) — Attorney General Ellison settled a lawsuit today against Medical Informatics Engineering, Inc. (“MIE”), an Indiana-based company that was alleged to have failed to protect the health and personal data of more than 8,000 Minnesota patients. Minnesota was joined by 15 other states in settling the case. Under the settlement, MIE, and its subsidiary NoMoreClipboard, LLC, will pay $900,000 and commit to a variety of steps to safeguard patients’ information going forward.
The case was the nation’s first-ever multi-state lawsuit that brought claims under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
“Minnesotans should be able to trust that their most sensitive personal information is safe from exploitation and their personal dignity is protected,” Attorney General Ellison said. “MIE violated Minnesotans’ trust by failing to meet its obligations to safeguard patients’ health and personal data. My office will continue to protect Minnesota consumers and their personal data by pursuing companies that mishandle such sensitive information.”
The MIE data breach happened between May 7–26, 2015. The State of Minnesota and 15 other states filed a lawsuit against MIE for various HIPAA violations on December 4, 2018. In the suit, the State alleged that MIE failed to implement basic industry-accepted data security measures to protect its computer systems, and that hackers exposed these basic flaws, ultimately stealing the electronic Protected Health (ePHI) and personally identifying information (PII) of over 8,000 Minnesotans. The stolen information included individual names, telephone numbers, mailing addresses, spousal information, email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnosis, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.
The State of Minnesota further alleged that after discovering this breach, MIE waited nearly two months before it began notifying patients that their sensitive information had been exposed, in violation of state law that requires companies to begin the notification process in the most expedient time possible.
In the settlement, MIE has committed to implementing and maintaining a data security program, stop engaging in other practices that contributed to the breach, maintaining a monitoring program to detect and respond to malicious acts, and five years of independent, third-party monitoring and auditing of their data-security policies, among other commitments.
Minnesota was joined in the case and settlement by the states of Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin. The settlement was reached in U.S. District Court for the Northern District of Indiana, where Minnesota and the states brought the suit against MIE, an Indiana company. There is a separate consumer class-action lawsuit in the same court that seeks direct relief for consumers.
