State Attorneys General Secure Settlement in First-Ever Multistate HIPAA Data Breach Lawsuit | Practical Law

by Practical Law Employee Benefits & Executive Compensation
Published on 10 Jun 2019, USA (National/Federal)
An Indiana-based internet electronic health records company and several state attorneys general have reached a $900,000 settlement in litigation involving a data breach of the protected health information (PHI) of 3.9 million individuals. The company, a business associate (BA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), recently entered into a resolution agreement with the Department of Health and Human Services (HHS) to settle potential HIPAA violations resulting from the same incident.
A federal district court has approved a consent judgment and order in litigation between several state attorneys general and a web-based electronic health records company involving a data breach of the protected health information (PHI) of 3.9 million individuals (State of Indiana v. Med. Informatics Eng'g, Inc., 3:18-cv-969 (N.D. Ind. May 23, 2019)). The judgment in this litigation requires the company to:
  • Pay the plaintiff-states $900,000 (collectively), in three installments, due over the course of three years.
  • Take steps to protect the electronic PHI (ePHI) in its possession.
The company, a HIPAA business associate (BA) and third-party service provider, furnishes electronic medical record services to HIPAA covered entities (CEs). The company recently entered into a resolution agreement with the Department of Health and Human Services (HHS) to settle potential violations of HIPAA's Privacy Rule and Security Rule resulting from the same incident. Under the HHS settlement agreement, the company was required to pay HHS $100,000 and comply with a two-year corrective action plan (CAP) (see Legal Update, HHS Addresses HIPAA Business Associate Compliance in Direct Liability Guidance: BA's Failure to Assess Risks to ePHI Leads to $100,000 HIPAA Settlement and Practice Note, HIPAA Enforcement: Settlement Agreements).

Unauthorized Access to Servers Resulted in Impermissible Disclosure

In May 2015, the company discovered suspicious activity on one of its servers. Using compromised login credentials, attackers had gained access to the personal information of 3.9 million individuals, including the individuals' names, addresses, birth dates, Social Security numbers, email addresses, and hashed passwords. The attackers also obtained the individuals' medical information, including lab results, health insurance policy information, doctors' names, medical conditions, and disability codes. The attorneys general for 16 states sued the company for violations of HIPAA and of state deceptive trade practices acts, personal information protection acts (PIPAs), and breach notification laws.

Consent Judgment and Order Requires HIPAA Compliance

The court's order requires the company to comply with all of HIPAA's administrative and technical safeguards and implementation specifications (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Security Rule). The order also requires the company to:
  • Pay $900,000 to the states over a three-year period.
  • Comply with the states' breach notification laws and PIPAs.
  • Implement a solution to identify and respond to malicious attacks on its systems.
  • Require multi-factor authentication:
    • to access any portals that the company manages in connection with its maintenance of ePHI; and
    • by the company's employees when remotely accessing the company's systems that store or permit access to ePHI.
  • Provide annual training to employees regarding the company's privacy and security policies (regarding HIPAA compliance training in the group health plan context, see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Develop and maintain policies and procedures that address responding to security incidents.
  • Hire a qualified Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) to perform a risk analysis identifying the risks and vulnerabilities to the ePHI in its possession.
  • Designate a privacy officer or other official to ensure compliance with the court's order (see Standard Clause, Board Resolutions: Appointing HIPAA Privacy and Security Officer).

Practical Impact: Enforcement by State Attorneys General Under HITECH Act

According to a press release issued by the Tennessee Attorney General's office (one of the plaintiffs in the litigation), this case was the United States' "first-ever multistate lawsuit involving a HIPAA-related data breach." Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, state attorneys general are expressly authorized to bring civil actions in federal district court on behalf of state residents for violations of the HIPAA Privacy and Security Rules to:
  • Enjoin further violations of these requirements by offending parties.
  • Obtain damages on state residents' behalf.
(Pub. L. No. 111-5, § 13410(e) (2009).)
Damages in enforcement actions by state attorneys general are limited by statute (statutory damages are calculated at $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement), but a district court may also award a state the costs of the action and reasonable attorney's fees. (The court's order in this litigation permits part of the settlement to be used for costs and attorney's fees.)
Given the prevalence of HIPAA enforcement activity by HHS, additional enforcement actions by state attorneys general seem likely (see Practice Note, HIPAA Enforcement: Settlement Agreements). (The HITECH Act requires some coordination between the states and HHS in these enforcement actions. For example, the states generally must provide HHS prior written notice of the enforcement actions they undertake, including a copy of the related complaint, and HHS may intervene in the action.) The possibility of increased HIPAA enforcement by state attorneys general raises the stakes for HIPAA noncompliance, an area that is already the subject of multi-million dollar settlement agreements (see Legal Update, Anthem's $16 Million HIPAA Settlement Is Largest in History).