The Medical Informatics HIPAA Settlement: Implications for the Future of State Data Security Enforcement

By Alex Pearce and Sean Fernandes

Last month, the attorneys general (“AGs”) of sixteen states, including North Carolina, settled a multistate HIPAA enforcement lawsuit against Medical Informatics Engineering (MIE), a cloud-based electronic health records vendor.

The lawsuit was the first time that state AGs have joined together to pursue a HIPAA-related data breach case in federal court.

This post explores the case, State of Indiana v. Medical Informatics Engineering, and its potential implications for future state data security enforcement efforts.

The Lawsuit and the Consent Judgment

The breach in Medical Informatics took place during a roughly three-week period in May 2015, when hackers infiltrated and accessed MIE’s web-based electronic health records application and stole the electronic protected health information, or ePHI, of more than 3.9 million individuals.

The AGs sued MIE in December 2018 in an Indiana federal court, alleging that, as a business associate of its healthcare provider clients, MIE must comply with the HIPAA Security Rule.  MIE failed to do so, the AGs alleged, because it did not implement and maintain various technical and administrative safeguards that the Rule requires.

The complaint also alleged that MIE violated various state unfair and deceptive trade practices, data security, and data breach protection laws.

The parties settled the case before MIE filed a responsive pleading, agreeing to a Consent Judgment that requires MIE to make a $900,000 payment to the states and to comply with various injunctive provisions regarding its security practices.

The Consent Judgment is notable for at least two reasons.

Injunctive Provisions that Require Specific Security Measures: The LabMD Effect

First, the injunctive provisions are unusually prescriptive, and identify several specific security measures that MIE must implement, such as:

  • multi-factor authentication for access to any web portal it manages in connection with its maintenance of ePHI;
  • a security incident and event monitoring solution to detect and respond to malicious attacks;
  • a data loss prevention technology to detect and prevent unauthorized data exfiltration; and
  • annual training—documented by the company—for its employees on its information security policies.

That specificity reflects a shift away from the approach taken in some previous multistate data breach settlements, such as those with Hilton and Ashley Madison.  Those settlements required the defendants to implement security programs “reasonably designed” to protect personal information and/or to implement safeguards that were “appropriate” to the defendants’ operations and data, but largely left the choice of specific security measures to the defendants’ discretion.

The reason for the shift may lie, in part, in last year’s LabMD v. Federal Trade Commission decision. In LabMD, the Eleventh Circuit vacated an FTC order that required the defendant to implement a security program “reasonably designed” to protect personal information, on the ground that a court enforcing that order would have no reliable way to measure whether the defendant’s conduct met that standard.

The Medical Informatics Consent Judgment avoids that problem; its injunctive provisions include specific criteria to determine whether MIE is in compliance.

Beyond making it easier to judge MIE’s compliance, this aspect of the Consent Judgment also signals to other companies the specific measures the AGs would consider to be “reasonable” under similar circumstances.

State AGs: Leading the Data Security Enforcement Charge

Second, the Medical Informatics lawsuit and settlement exemplify the more aggressive role that state AGs are playing in data security enforcement—including here in North Carolina.  In particular, as the first multistate HIPAA enforcement action, the case suggests AGs are keen to wield the enforcement authority available to them under that statute—which overlaps with that of federal regulators.

To that end, take note that the monetary payment MIE agreed to make to the states dwarfs the $100,000 payment that it agreed to make in a parallel federal HIPAA enforcement action arising from the same incident.

The difference between those payments may be attributable—at least in part—to the AGs’ expanded enforcement toolkit.  While HIPAA caps the statutory damages available to each individual state at $25,000 per year, multistate actions allow AGs to increase the total penalty without any corresponding increase in the effort required to prosecute the case. State AGs can also increase the potential award through their ability to recover attorneys’ fees and to assert non-HIPAA claims, like the state-law claims asserted in Medical Informatics.

Conclusion

Businesses and their counsel should consider whether the security measures specified in Medical Informatics apply to their operations, lest they find themselves on the wrong side of the state AGs’ increasing interest in data security enforcement.