Nessel joins settlement in first multi-state HIPAA related data breach lawsuit

Michigan Attorney General Dana Nessel announced last Thursday that Michigan has joined a settlement with Medical Informatics Engineering Inc. (MIE) in the nation's first-ever multi-state lawsuit involving a Health Insurance Portability and Accountability Act (HIPAA)-related data breach. The breach affected 137,743 Michigan residents.

The settlement, signed late last month, resolves a lawsuit filed in 2018 by a coalition of 12 attorneys general in the U.S. District Court for the Northern District of Indiana, South Bend Division. The suit charged that the web-based electronic health records companies Medical Informatics Engineering and NoMoreClipboard, LLC, collectively known as MIE, violated provisions of HIPAA as well as state laws, including unfair and deceptive practice laws, notice of data breach statutes, and state personal information protection acts. The settlement ultimately requires MIE to comply with numerous specified terms, including a payment of $900,000 to 16 states. Michigan will receive $25,283 after joining the settlement last month.

Between May 7, 2015, and May 26, 2015, hackers infiltrated a web application run by MIE, stealing electronic Protected Health Information (ePHI) of more than 3.9 million people including names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, social security numbers, lab results, health insurance policy information, diagnosis, disability codes, doctors' names, medical conditions, and children's names and birth statistics.

"Nearly 4 million people were robbed of their personal information as a result of this data breach," said Nessel. "Here in Michigan, it's imperative we take the necessary steps to ensure the Attorney General's Office is notified at the onset of a data breach that impacts our state's residents. Data breaches are a major disruption to the lives of Michigan residents and this office will use every tool we have to protect and provide justice to Michigan consumers."

Currently, Michigan law does not require the Attorney General's office to be notified of data breaches. Since Nessel took office, she has learned of three health information data breaches, involving Wolverine Solutions Group, Inmediata Health Group and, most recently, American Medical Collection Agency, only after reports from affected consumers and media sources.

The Attorney General's Consumer Protection division recommends that individuals affected by any data breach, and all Michiganders, take these steps to further protect their information:

- Find out what information was compromised and act accordingly.

- Pull your free credit report at com or by calling 877-322-8228.

- Put a fraud alert on your credit file. The Federal Trade Commission provides a checklist for this.

- Consider a security freeze on your credit file.

- Take advantage of any free services being offered as a result of the breach.

- Use two-factor authentication on your online accounts whenever it's available.

For additional information on what to do during a data breach, review the Michigan Attorney General's consumer alert on data breaches at www.michigan.gov/documents/ag/Data_Breaches_final_608956_7.pdf.

Published: Mon, Jun 10, 2019