Twelve state attorneys general recently joined forces to file the first-ever multistate data breach lawsuit. In 2015, Medical Informatics Engineering and its subsidiary, NoMoreClipboard (collectively “MIE”), announced that its systems had been hacked and the information of about 3.9 million patients had been compromised. The stolen information included not only individual names, addresses, and Social Security numbers, but also health information such as patient diagnoses, lab results, and medical conditions.
The lawsuit alleges that MIE “failed to take adequate and reasonable measures to ensure their computer systems were protected.” Hackers obtained the data from 11 different healthcare providers and 44 different radiology clinics that all used an app offered by MIE called “WebChart.”
The WebChart app allowed medical providers to input information via computer, which was then managed by MIE servers. MIE is accused of failing to establish security measures necessary to protect these servers. For example, the clinics used general accounts with easy-to-guess, low-security usernames and passwords. These general accounts were later used to launch an attack against the server, and that attack provided the hackers with valuable information about the system’s overall structure and vulnerabilities.
While other consumer protection areas have seen coordinated AG activity, this lawsuit stands as the first multistate action in the privacy arena. The lawsuit signals that attorneys general are no longer on the sidelines and are willing to take strong action against businesses that fail to implement reasonable measures to protect consumer data. With the risk of security breaches greater than ever, businesses should consider routinely auditing their data security systems to ensure they are adequately safeguarding customer and employee personal information.
* Ali Najaf contributed to this post.