The payout is pocket change for everyone whose data was compromised. But a multi-state cash settlement, including 40,000 Tennessee residents, represents a new era in enforcement of the nation's health care privacy laws.
Tennessee's attorney general joined 15 others in going after Indiana-based Medical Informatics Engineering. It's the first time states have banded together to pursue a violation of HIPAA laws, which protect medical records. States were allowed to start pursuing patient data violations only in the last decade under the HITECH Act of 2009.
"I think they're going to start getting more aggressive," says Mark Johnson, leader of cybersecurity consulting at Brentwood-based LBMC.
The states are splitting $900,000 and the company is paying $100,000 to the Office of Civil Rights in the Department of Health and Human Services.
But regulatory attorney Nesrin Tift of Bass Berry & Sims says that who is being fined, rather than who is doing the enforcing, may be even more relevant to Nashville's growing health care IT industry.
"This is in fact a violation of HIPAA enforced against a business associate — not a hospital, not a physician, not a health plan, but the vendors that serve those types of health care entities," she says.
Medical Informatics Engineering sells a platform for sharing patient data, but it is not a health care provider.
Hackers breached an electronic health record system run by the company, and over the course of more than two weeks, stole information on nearly 4 million patients. That included confidential data like individuals' medical conditions, their lab results and even the names of their doctors.
"We have since made significant investments in additional safeguards and security measures to enhance our security posture including security personnel, policies, procedures, controls and monitoring/prevention tools," MIE founder Doug Horner said in a statement.