Generic 'Tester' Accounts Allowed Records Hack Triggering $1M in OCR, State AG Payments

By Theresa Defino

A large but short-lived 2015 breach of a medical records firm has resulted in two settlements totaling $1 million, demonstrating again that covered entities (CEs) and business associates (BAs) can expect both state and federal enforcement actions when data are exposed.

In a reversal of a more common situation, Medical Informatics Engineering (MIE) of Fort Wayne, Indiana, settled with the HHS Office for Civil Rights (OCR) for a far smaller amount ($100,000) than with a state agency. In this case, however, there were a total of 16 states involved—a first.

MIE settled with them for $900,000, according to a consent judgment and order entered May 23 into the U.S. District Court for the Northern District of Indiana, South Bend Division. On the same day, OCR announced its settlement. MIE is not completely out of the woods: a class action suit is still ongoing but may be settled soon, the company CEO told RPP.

Of the developments in this case, the state settlement is the most worthy of study and shows that the collective actions by state attorneys general pose new risk to CEs and BAs. The settlement also obligates MIE, a BA, to far more detailed and stringent requirements than are found in OCR’s two-year corrective action plan (CAP) that could help serve as best practices for health care compliance officials. In addition, the suit contains more specifics about the breach and how MIE handled it.

The states’ suit was filed in December 2018, led by Indiana Attorney General Curtis Hill and described by Hill’s office as “the first time state attorneys general have joined together to pursue a HIPAA-related data breach case in federal court.”

According to the settlement, MIE will pay the $900,000 in equal payments over three years. It did not admit to wrongdoing. In response to questions submitted by RPP, Douglas Horner, MIE’s founder and CEO, calls the breach and resulting activities a “rollercoaster” that has resulted in valuable lessons worth sharing (“After Settlements, MIE CEO Shares Lessons Learned,” RPP 19, no. 6).

In addition to Indiana, the states involved in the suit are Arizona, Arkansas, Connecticut, Florida, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin. The attorney generals in these states allege that in addition to HIPAA, the breach violated state deceptive trade practices acts, state personal information protection acts, and state breach notification acts.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings