Twelve state attorneys general have brought suit against two medical Information Technology companies. The AGs allege that the companies, Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, had poor security practices that led to medical data breaches. Those breaches impacting close to four million patients. This case is the first coordinated multistate attorney general Health Insurance Portability and Accountability Act related action. The AGs are accusing the companies of not taking adequate steps to protect information, and failing to timely notify patients of known breaches.

Specifically, in the complaint the AGs claim that that the companies failed to have an active security monitoring and alert system, and that they did not encrypt PHI within their systems. The AGs also allege that no assessments of the potential risks relating to PHI was done, nor was HIPAA training conducted. Finally, the complaint alleges that the companies did not have or adhere to reasonable and appropriate standards for protecting patient information. This case evidences a trend of states enforcing consumer and data privacy laws.

Putting it Into Practice: This complaint demonstrates the expectations regulators have regarding the types of security measures companies should have in place for protecting PHI. Multistate litigation enforcing HIPAA violations could significantly increase the potential penalties applicable to companies that do not have the proper safeguards in place.