An Indiana company and its subsidiary have agreed to pay $900,000 and take steps to better secure patient data, the state attorney general said, to settle a lawsuit brought last year by attorneys general in 16 states, including Minnesota.
The state’s share of the financial settlement is $30,000, according to a spokesman for Minnesota Attorney General Keith Ellison, who announced the agreement Thursday.
First filed in December, the lawsuit alleged that the Indiana company failed to adequately protect health and personal information for 3.9 million individuals, including about 8,000 in Minnesota, during a data-security incident in 2015.
“Plaintiffs and defendants have agreed to the court’s entry of this final consent judgment and order without trial or adjudication of any issue of fact or law, and without admission of any facts alleged or liability of any kind,” wrote Judge Robert L. Miller of the U.S. District Court for the Northern District of Indiana in an order dated May 28. “The parties have reached an agreement hereby resolving the issues in dispute without the need for further court action.”
In a news release, Ellison identified the companies as Medical Informatics Engineering Inc., and its subsidiary NoMoreClipboards LLC. The attorney general said in the release: “MIE violated Minnesotans’ trust by failing to meet its obligations to safeguard patients’ health and personal data.”
The attorneys general alleged that hackers exposed basic data-security flaws at the company and stole protected health information. Ellison said in a news release that the settlement calls on the company to implement a data security program, maintain a monitoring program to detect malicious acts and accept five years of independent, third-party monitoring.
A separate consumer class-action lawsuit is seeking direct relief for consumers, according to the news release. A spokesman for Ellison said the $30,000 goes into the state’s general fund.