LANSING – Michigan Attorney General Dana Nessel announced today Michigan has joined a settlement with Medical Informatics Engineering, Inc. (MIE) in the nation’s first ever multi-state lawsuit involving a Health Insurance Portability and Accountability Act (HIPAA) related data breach. The breach affected 137,743 Michigan residents.
The settlement, signed late last month, resolves a lawsuit filed in 2018 by a coalition of 12 attorneys general in the U.S. District Court for the Northern District of Indiana, South Bend Division. The suit charged that web-based electronic health records companies, Medical Informatics Engineering and NoMoreClipboard, LLC – collectively known as MIE – violated provisions of HIPAA as well as state claims, including unfair and deceptive practice laws, notice of data breach statutes, and state personal information protection acts. The settlement ultimately requires MIE to comply with numerous specified terms, including a payment of $900,000 to 16 states. Michigan will receive $25,283 after joining the settlement last month.
Between May 7, 2015, and May 26, 2015, hackers infiltrated a web application run by MIE, stealing electronic Protected Health Information (ePHI) of more than 3.9 million people – including names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, social security numbers, lab results, health insurance policy information, diagnosis, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.
“Nearly 4 million people were robbed of their personal information as a result of this data breach,” said Nessel. “Here in Michigan, it’s imperative we take the necessary steps to ensure the Attorney General’s Office is notified at the onset of a data breach that impacts our state’s residents. Data breaches are a major disruption to the lives of Michigan residents and this office will use every tool we have to protect and provide justice to Michigan consumers.”
Currently, Michigan law does not require the Attorney General’s office to be notified of data breaches. Since the Attorney General took office, she has learned of three health information data breaches – involving Wolverine Solutions Group, Inmediata Health Group and, most recently, American Medical Collection Agency – only after reports from affected consumers and media sources.
The Attorney General’s Consumer Protection division recommends affected individuals of any data breach – and all Michiganders – take these steps to further protect their information:
For more information on what to do during a data breach, review the Michigan Attorney General’s consumer alert on data breaches.
The Attorney General provides Consumer Alerts to inform the public of unfair, misleading, or deceptive business practices, and to provide information and guidance on other issues of concern. Consumer Alerts are not legal advice, legal authority, or a binding legal opinion from the Department of Attorney General.