A nonprofit publication of the Kentucky Center for Public Service Journalism

OAG reports health records company to pay state thousands over data breach lawsuit in federal court

The Office of the Attorney General (OAG) has reported that an alleged 2015 data breach that compromised the data of 69,000 Kentuckians, including 33,000 Social Security numbers, will result in the Commonwealth receiving thousands of dollars from an electronic health records company.


Kentucky’s general fund will receive more than $25,000 following the court’s approval of the consent judgment, which was negotiated by 16 attorneys general, and the companies involved in the breach – Medical Informatics Engineering, Inc. and NoMoreClipboard LLC (collectively “MIE”).

The lawsuit alleged that the companies failed to take reasonable steps to prevent the data breach, failed to honor their representations that patients’ health information would be protected and did not provide timely notice of the data breach.

The attorneys general claimed MIE’s actions surrounding the alleged breach violated provisions of the Health Insurance Portability and Accountability Act or HIPAA and state consumer protection laws.

The coalition first took action against the companies in 2018 when they filed the nation’s first-ever multistate lawsuit involving a HIPAA-related data breach.

“Today’s agreement will help ensure that the online personal and health information of thousands of Kentuckians and more than 3.9 million Americans is better protected,” said Attorney General Andy Beshear. “Thanks to the efforts of our bipartisan coalition these companies are taking action to correct the weaknesses that led to the exposure of Social Security numbers and various forms of medical information.”

As part of the agreement, MIE must comply with the applicable privacy and consumer protection laws, and agreed to certain data security requirements, including multifactor authentication, security incident response procedures, annual employee training and designating a privacy officer.

The company will pay $900,000 total to the participating states, in three equal, annual installments.

The OAG has fought to recover damages from companies that have compromised Kentuckians information, and he has taken steps to ensure the companies improve their data security and maintain the protections.

In January, Beshear announced the office was part of a multistate settlement that led the Neiman Marcus Group LLC to pay Kentucky’s general fund more than $17,000 after a 2013 data breach.

Over the past three and a half years, settlements and civil litigation from Beshear’s consumer protection efforts have returned over $16 million to the Commonwealth’s general fund.

These actions have yielded restitution that could exceed more than $95 million, representing amounts paid to consumers or amounts Kentuckians are eligible to receive, and the value of credits, student loan debt relief and warranty extensions made available to Kentuckians.

If Kentuckians’ personal information has been compromised, the OAG encourages them to contact his office and visit ag.ky.gov to receive a free identity theft tool kit.

The kit provides directions on how to apply for fraud alerts and seek credit freezes.

Office of the Attorney General

Related Posts

Leave a Comment