Attorneys general from a dozen states, including Minnesota, joined Monday in filing a lawsuit alleging that several related companies in Indiana failed to adequately protect health information for 3.9 million individuals during a data security incident in 2015.
Over several weeks in May 2015, hackers infiltrated and accessed the "inadequately protected computer system" of the companies, according to the lawsuit, which alleges the companies fostered a security framework that allowed the incident to occur.
Hackers accessed and "exfiltrated" the protected health information of more than 8,000 people in Minnesota, the lawsuit says, including more than 5,000 people here who also had their Social Security numbers exposed.
"Patients expect health companies to protect the privacy of their electronic health records," Minnesota Attorney General Lori Swanson said in a news release. "This company did not do so."
Of the four companies or subsidiaries named in the lawsuit, Swanson's news release focused on a firm called Medical Informatics Engineering Inc. A spokesman for the company could not be reached for comment.
According to Swanson, Medical Informatics Engineering is a privately held corporation that was founded in 1995 and sells electronic health record services, including web-based software, to smaller medical providers as well as employee assistance programs.
During May 2015, hackers infiltrated and accessed the companies' computer system, which stored protected health information of 3.9 million individuals, according to the lawsuit filed in the U.S. District Court for the northern district of Indiana. The lawsuit alleges that hackers obtained a variety of information including names, telephone numbers, lab results and diagnoses.
The attorneys general allege the companies failed to take adequate and reasonable measures to ensure computer systems were protected, failed to disclose material facts regarding the inadequacy of the computer systems and failed to provide timely and adequate notice of the incident.
"Defendants' actions resulted in the violation of the state consumer protection, data breach, personal information protection laws and federal HIPAA statutes," the lawsuit says. "Plaintiffs seek to enforce said laws by bringing this action."
The lawsuit says Minnesota is seeking unspecified statutory damages and civil penalties.