USDC IN/ND Case 3:18-Cv-00969-RLM-MGG Document 57 Filed 05/23/19 Page 1 of 83

Home , Indiana Attorney General, Josh Kaul

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 1 of 83

1 Douglas S. Swetnam (IN State Bar #15860-49) Section Chief – Data Privacy & ID Theft Unit 2 Office of Attorney General Curtis Hill Jr. 3 302 W. Washington St., 5th Floor Indianapolis, IN 46204 4 Email: [email protected] Telephone: (317) 232-6294 5 6 Michael A. Eades (IN State Bar #31015-49) Deputy Attorney General 7 Office of Attorney General Curtis Hill, Jr. 302 W. Washington St., 5th Floor 8 Indianapolis, IN 46204 9 Email: [email protected] Telephone: (317) 234-6681 10 John C. Gray (Pro Hac Vice) 11 Assistant Attorney General 12 Office of Attorney General Mark Brnovich 2005 N. Central Ave. 13 Phoenix, AZ 85004 Email: [email protected] 14 Telephone: (602) 542-7753 15 Attorney for Plaintiff State of Arizona

16 Peggy Johnson (Pro Hac Vice) Assistant Attorney General 17 Office of Attorney General Leslie Rutledge 18 323 Center St., Suite 200 Little Rock, AR 72201 19 Email: [email protected] Telephone: (501) 682-8062 20 Attorney for Plaintiff State of Arkansas 21 Michele Lucan (Pro Hac Vice) 22 Assistant Attorney General Office of Attorney General William Tong 23 110 Sherman Street 24 Hartford, CT 06105 Email: [email protected] 25 Telephone: (860) 808-5440 Attorney for Plaintiff State of Connecticut 26 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 1 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 2 of 83

1 Patrice Malloy (Pro Hac Vice) Bureau Chief, Multistate and Privacy Bureau 2 Florida Office of the Attorney General 3 110 SE 6th Street Fort Lauderdale, FL 33301 4 (954) 712-4669 [email protected] 5 6 Diane Oates (Pro Hac Vice) Assistant Attorney General 7 Florida Office of the Attorney General 110 Southeast 6th Street 8 Fort Lauderdale, FL 33301 9 Email: [email protected] Telephone: (954) 712-4603 10 Attorneys for Plaintiff State of Florida

11 William Pearson (Pro Hac Vice) 12 Assistant Attorney General Office of Attorney General Tom Miller 13 1305 E. Walnut, 2nd Floor Des Moines, IA 50319 14 Email: [email protected] 15 Telephone: (515) 281-3731 Attorney for Plaintiff State of Iowa 16 Sarah Dietz (Pro Hac Vice) 17 Assistant Attorney General 18 Office of Attorney General Derek Schmidt 120 S.W. 10th Ave., 2nd Floor 19 Topeka, KS 66612 Email: [email protected] 20 Telephone: (785) 368-6204 21 Attorney for Plaintiff State of Kansas

22 Kevin R. Winstead (Pro Hac Vice) Assistant Attorney General 23 Office of Attorney General Andy Beshear 24 1024 Capital Center Drive Frankfort, KY 40601 25 Email: [email protected] Telephone: (502) 696-5389 26 Attorney for Plaintiff Commonwealth of Kentucky 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 2 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 3 of 83

1 Alberto A. De Puy (Pro Hac Vice) Assistant Attorney General 2 Office of Attorney General Jeff Landry 3 1885 N. Third St. Baton Rouge, LA 70802 4 Email: [email protected] Telephone: (225) 326-6471 5 6 L. Christopher Styron (Pro Hac Vice) Assistant Attorney General 7 Office of Attorney General Jeff Landry 1885 N. Third St. 8 Baton Rouge, LA 70802 9 Email: [email protected] Telephone: (225) 326-6400 10 Attorneys for Plaintiff State of Louisiana

11 Kathy Fitzgerald (Pro Hac Vice) 12 Assistant Attorney General Department of Attorney General Dana Nessel 13 Corporate Oversight Division 525 W. Ottawa St., 5th Floor 14 Lansing, MI 48933 15 Email: [email protected] Telephone: (517) 335-7632 16 Attorney for Plaintiff State of Michigan

17 Jason T. Pleggenkuhle (Pro Hac Vice) 18 Assistant Attorney General Office of Attorney General Keith Ellison 19 Bremer Tower, Suite 1200 445 Minnesota St. 20 St. Paul, MN 55101-2130 21 Email: [email protected] Telephone: (651) 757-1147 22 Attorney for Plaintiff State of Minnesota

23 Daniel J. Birdsall (Pro Hac Vice) 24 Assistant Attorneys General Office of Attorney General Doug Peterson 25 2115 State Capitol PO Box 98920 26 Lincoln, NE 68509 27 Email: [email protected] Telephone: (402) 471-1279 28 Attorney for Plaintiff State of Nebraska

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 3 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 4 of 83

1 Kimberley A. D’Arruda (Pro Hac Vice) Special Deputy Attorney General 2 North Carolina Department of Justice 3 Office of Attorney General Joshua H. Stein P.O. Box 629 4 Raleigh, NC 27602-0629 Email: [email protected] 5 Telephone: (919) 716-6013 6 Attorney for Plaintiff State of North Carolina

7 Carolyn U. Smith (Pro Hac Vice) Senior Assistant Attorney General 8 Office of the Attorney General and Reporter Herbert H. Slatery III 9 P.O. Box 20207 Nashville, TN 37202-0207 10 Email: [email protected] Telephone: (615) 532-2578 11 Attorney for Plaintiff State of Tennessee 12 Tanya L. Godfrey (Pro Hac Vice) 13 Assistant Attorney General Office of the West Virginia Attorney General Patrick Morrisey 14 269 Aikens Center 15 Martinsburg, WV 25404 Email: [email protected] 16 Telephone: (304) 267-0239 Attorney for Plaintiff State of West Virginia 17 18 R. Duane Harlow (Pro Hac Vice) Assistant Attorney General 19 Director, Consumer Protection and Antitrust Unit Wisconsin Department of Justice 20 Office of Attorney General Josh Kaul 21 17 W. Main St., P.O. Box 7857 Madison, WI 53707-7857 22 Email: [email protected] Telephone: (608) 266-2950 23 Attorney for Plaintiff State of Wisconsin 24

26 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 4 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 5 of 83

1 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF INDIANA 2 SOUTH BEND DIVISION 3 The States of Arizona; Arkansas; Connecticut; Case No.:3:18-cv-969-RLM-MGG 4 Florida; Indiana; Iowa; Kansas; Kentucky; Louisiana; Michigan; Minnesota; Nebraska; 5 North Carolina; Tennessee; West Virginia; and 6 Wisconsin,

7 Plaintiffs;

8 v.

9 Medical Informatics Engineering, Inc. d/b/a 10 Enterprise Health, LLC and K& L Holdings, and NoMoreClipboard, LLC , 11 Defendants. 12 13 AMENDED COMPLAINT 14 Plaintiffs, the states of Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, 15 Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West 16

17 Virginia, and Wisconsin (collectively “Plaintiff States”), for their complaint against Defendants

18 Medical Informatics Engineering, Inc., (“MIE”) operating as Enterprise Health, LLC and K&L

19 Holdings, and NoMoreClipboard, LLC, (“NMC” together with MIE “Defendants”), allege: 20 SUMMARY OF THE CASE 21

22 1. Intermittently between May 7, 2015 and May 26, 2015, unauthorized persons 23 (“hackers”) infiltrated and accessed the inadequately protected computer systems of Defendants. 24 During this time, the hackers were able to access and exfiltrate the electronic Protected Health 25

26 Information (“ePHI”), as defined by 45 C.F.R. § 160.103, of 3.9 million individuals, whose PHI

27 was contained in an electronic medical record stored in Defendants’ computer systems. Such

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 5 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 6 of 83

1 personal information obtained by the hackers included names, telephone numbers, mailing

2 addresses, usernames, hashed passwords, security questions and answers, spousal information 3 (names and potentially dates of birth), email addresses, dates of birth, and Social Security 4 Numbers. The health information obtained by the hackers included lab results, health insurance 5

6 policy information, diagnosis, disability codes, doctors’ names, medical conditions, and

7 children’s name and birth statistics.

8 2. In fostering a security framework that allowed such an incident to occur, 9 Defendants failed to take adequate and reasonable measures to ensure their computer systems 10 were protected, failed to take reasonably available steps to prevent the breaches, failed to 11

12 disclose material facts regarding the inadequacy of their computer systems and security

13 procedures to properly safeguard patients’ personal health information, failed to honor their

14 promises and representations that patients’ personal health information would be protected, and 15 failed to provide timely and adequate notice of the incident, which caused significant harm to 16 consumers across the United States. 17

18 3. Defendants’ actions resulted in the violation of the state consumer protection, data

19 breach, personal information protection laws and federal HIPAA statutes, as more fully outlined

20 below. Plaintiffs seek to enforce said laws by bringing this action. 21 4. This action is brought, in their representative and individual capacities as 22 provided by state and federal law, by the attorneys general of Arizona, Arkansas, Connecticut, 23

24 Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North

25 Carolina, Tennessee, West Virginia, and Wisconsin (collectively the “Attorneys General”). The

26 plaintiffs identified in the paragraph are also referred to collectively as the “Plaintiff States.” 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 6 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 7 of 83

1 5. The Plaintiff States bring this action pursuant to consumer protection, business

2 regulation, and/or data security oversight authority conferred on their attorneys general, 3 secretaries of state, and/or state agencies by state law, federal law, and/or pursuant to parens 4 patriae and/or common law authority. These state laws authorize the Plaintiff States to seek 5

6 temporary, preliminary, and permanent injunctive relief, civil penalties, attorneys’ fees,

7 expenses, costs, and such other relief to which the Plaintiff States may be entitled.

8 6. This action is also brought by the Attorneys General of the Plaintiff States 9 pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the 10 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, 42 U.S.C. § 11

12 1302(a), and the Department of Health and Human Services Regulations, 45 C.F.R. § 160 et

13 seq. (collectively, “HIPAA”), which authorize attorneys general to initiate federal district court

14 proceedings and seek to enjoin violations of, and enforce compliance with HIPAA, to obtain 15 damages, restitution, and other compensation, and to obtain such further and other relief as the 16 court may deem appropriate. 17

18 JURISDICTION AND VENUE 19

20 7. This Court has jurisdiction over the federal law claims pursuant to 42 U.S.C.

21 § 1320d-5(d), and 28 U.S.C. §§ 1331 and 1337(a). This Court has supplemental jurisdiction over

22 the subject matter of the state law claims pursuant to 28 U.S.C. § 1367. 23 8. Venue in this District is proper pursuant to 28 U.S.C. §§ 1391(b) and (c). 24 9. The Attorneys General provided prior written notice of this action to the Secretary 25

26 of HHS, as required by 42 U.S.C. § 1320d-5(d)(4). The Attorneys General have also provided a

27 copy of this complaint to the Secretary of HHS. Id.

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 7 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 8 of 83

1 10. At all times relevant to this matter, Defendants were engaged in trade and

2 commerce affecting consumers in the States insofar as Defendants provided electronic health 3 records services to health care providers in the States. Defendants also maintained a website for 4 patients and client health care providers in the States. 5

6 PLAINTIFFS 7

8 11. The Attorneys General are charged with, among other things, enforcement of the

9 Deceptive Trade Practices Acts, the Personal Information Protection Acts, and the Breach

10 Notification Acts. The Attorneys General, pursuant to 42 U.S.C. § 1320d-5(d), may also enforce 11 HIPAA. 12

13 12. The Attorneys General are the chief legal officers for their respective states and

14 commonwealths. The Plaintiff States bring this action pursuant to consumer protection, business 15 regulation, and/or data security oversight authority conferred on their attorneys general, 16 secretaries of state, and/or state agencies by state law, federal law, and/or pursuant to parens 17 patriae and/or common law authority. 18

19 13. Plaintiff Attorneys General institute this action for injunctive relief, statutory 20 damages, attorney fees, and the costs of this action against Defendants for violations of the 21 Health Insurance Portability and Accountability Act of 1996, as amended by the Health 22

23 Information Technology for Economic and Clinical Health (“HITECH”) Act, 42 U.S.C. §

24 1302(a), and the Department of Health and Human Services Regulations, 45 C.F.R. § 160 et

25 seq. (collectively, “HIPAA”), and supplemental state law claims under Plaintiffs’ respective 26 Unfair, Deceptive, or Abusive Acts or Practices (“UDAP”) statutes, Disclosure of Data Breach 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 8 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 9 of 83

1 Statutes (also referred to as “Breach Notification Acts”), and Personal Information Protection

2 Statutes (also referred to as “PIPA”), specifically: 3 State Deceptive Acts Data Breach PIPA 4 Arizona: Ariz. Rev. Stat. § 44- 1521 et seq. 5 Arkansas: Ark. Code § 4-88-101 Ark. Code § 4-110-105 Ark. Code § 4- 6 et seq. 110-101 et seq. Connecticut: Conn. Gen. Stat. § 42- Conn. Gen. Stat. § 36a- Conn. Gen. Stat. § 7 110b et seq. 701b 42-471 8 Florida: Chapter 501, Part II, Section 501.171, Florida Section 501.171, Florida Statutes Statutes Florida Statutes 9 Indiana: Ind. Code §§ 24-5-0.5- Ind. Code § 24- 4(C), and 24-5-0.5-4(G) 4.9-3-3.5(f) 10 Iowa: Iowa Code § 714.16 Iowa Code § 715c.2 11 Kansas: Kan. Stat. §§ 50-632, Kan. Stat. § 50-7a02 Kan. Stat. § 50- 12 and 50-636 6139b Kentucky: Ky. Rev. Stat. §§ 13 367.110-.300, and 14 367.990 Louisiana: La. Rev. Stat. § La. Rev. Stat. 51:3071 et 15 51:1401 et seq. seq. Michigan: Mich. Comp. Laws § Mich. Comp. Laws § 16 445.901 et seq . 445.72(13) 17 Minnesota: Minn. Stat. §§ 325D.43 Minn. Stat. § 325E.61 et seq. ; Minn. Stat. §§ 18 325F.68 et seq. 19 Nebraska: Neb. Rev. Stat. §§ 59- Neb. Rev. Stat. § 87-806 1602; 59-1608, 59- 20 1614, and 87-302 North N.C. Gen. Stat. § 75- N.C. Gen. Stat. § 75-65 N.C. Gen. Stat. § 21 Carolina 1.1, et seq . 75-60, et seq . 22 Tennessee: Tenn. Code Ann. § 47- Tenn. Cod Ann. § 47-18- Tenn. Code Ann. § 23 18-101 et seq . 2107 47-18-2110

24 West W.Va. Code §§ 46A-1- 25 Virginia: 101 et seq ., 46A-7-108, and 46A-7-111 26 Wisconsin: Wis. Stat. §§ 93.20, Wis. Stat. § 134.98 Wis. Stat. §§ 27 100.18, and 100.26 146.82 and 146.84(2)(b) 28

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 9 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 10 of 83

1 DEFENDANTS

2 14. Defendant MIE is a citizen of the State of Indiana. MIE is a corporation that is 3

4 incorporated in Indiana and has its principal place of business in Indiana at 6302 Constitution

5 Drive, Fort Wayne, IN 46804.

6 15. Defendant NMC is a citizen of the State of Indiana. NMC is a wholly-owned 7 subsidiary of MIE, is organized in Indiana, and has its principal place of business in Indiana at 8 6312 Constitution Drive, Fort Wayne, IN 46804. 9

10 16. Prior to January 6, 2016, MIE also operated under the name of Enterprise Health.

11 Enterprise Health was a division of MIE. On January 6, 2016, MIE formed Enterprise Health,

12 LLC, which shares founders, officers, employees, offices, and servers with MIE and NMC. 13 17. K&L Holdings, LLC is affiliated with MIE and has the same founders, officers, 14 and occupies the same offices as MIE, NMC, and Enterprise Health. K&L Holdings, LLC owns 15

16 the property that serves as the headquarters for K&L Holdings, LLC, MIE, NMC, and Enterprise

17 Health.

18 FACTUAL ALLEGATIONS 19

20 18. MIE is a third-party provider that licenses a web-based electronic health record 21 application, known as WebChart, to healthcare providers. MIE, through its subsidiary NMC, also 22 provides patient portal and personal health records services to healthcare providers that enable 23

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 10 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 11 of 83

1 patients to access and manage their electronic health records. Through its WebChart application,

2 MIE provides electronic health services to physicians and medical facilities nationwide. 3 19. At all relevant times, MIE’s customers consisted of healthcare providers who 4 were Covered Entities within the meaning of HIPAA. 45 C.F.R. § 160.103. 5

6 20. At all relevant times, MIE and NMC were Business Associates within the

7 meaning of HIPAA. 45 C.F.R. § 160.103.

8 21. As Business Associates, Defendants are required to comply with the HIPAA 9 federal standards that govern the security of ePHI, including Security Rules. See 45 C.F.R. § 10 164.302. 11

12 22. The Security Rule generally prohibits Covered Entities and Business Associates,

13 such as Defendants, from unlawfully disclosing ePHI. The Security Rule requires Covered

14 Entities and Business Associates to employ appropriate Administrative, Physical, and Technical 15 Safeguards to maintain the security and integrity of ePHI. See 45 C.F.R. § 164.302. 16 23. At all relevant times, no written agreement existed between MIE and its 17

18 subsidiary NMC to appropriately safeguard the information created, received, maintained, or

19 transmitted by the entities.

20 24. Between May 7, 2015 and May 26, 2015, hackers infiltrated and accessed the 21 computer systems of Defendants. 22 25. The hackers stole the ePHI of 3.9 million individuals whose health information 23

24 was contained in an electronic medical records database stored on Defendants’ computer

25 systems.

26 26. On June 10, 2015, MIE announced a “data security compromise that has affected 27 the security of some personal and protected health information relating to certain clients and 28

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 11 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 12 of 83

1 individuals who have used a Medical Informatics Engineering electronic health record.” Medical

2 Informatics Engineering Updates Notice to Individuals of Data Security Compromise, MIE (July 3 23, 2015), http://www.mieweb.com/notice. 4 27. On June 20, 2015, NMC announced “a data security compromise that has affected 5

6 the security of some personal and protected health information relating to individuals who have

7 used a NoMoreClipboard personal health record or patient portal.” NoMoreClipboard Notice to

8 Individuals of a Data Security Compromise , NoMoreClipboard (July 23, 2015), 9 https://www.nomoreclipboard.com/notice. 10 28. Defendants admitted that unauthorized access to their network began on May 7, 11

12 2015, but they did not discover the suspicious activity until May 26, 2015.

13 29. After discovering the intrusion, Defendants “began an investigation to identify

14 and remediate any identified security vulnerability,” hired “a team of third-party experts to 15 investigate the attack and enhance data security and protection,” and “reported this incident to 16 law enforcement including the FBI Cyber Squad.” MIE Notice , http://www.mieweb.com/notice; 17

18 NoMoreClipboard Notice , https://www.nomoreclipboard.com/notice.

19 30. MIE admitted that the following information was accessed by the hackers: “an

20 individual’s name, telephone number, mailing address, username, hashed password, security 21 question and answer, spousal information (name and potentially date of birth), email address, 22 date of birth, Social Security number, lab results, health insurance policy information, diagnosis, 23

24 disability code, doctor’s name, medical conditions, and child’s name and birth statistics.” MIE

25 Notice , http://www.mieweb.com/notice.

26 31. NMC admitted that the following information was accessed by the hackers: “an 27 individuals’ [sic] name, home address, Social Security number, username, hashed password, 28

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 12 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 13 of 83

1 spousal information (name and potentially date of birth), security question and answer, email

2 address, date of birth, health information, and health insurance policy information.” 3 NoMoreClipboard Notice , https://www.nomoreclipboard.com/notice. 4 32. Defendants began notifying affected individuals by mail on July 17, 2015. This 5

6 was two months after the initial breach date of May 7, 2015, and over 50 days after the breach

7 discovery date of May 26, 2015.

8 33. Defendants did not conclude mailing notification letters until December 2015, six 9 months after the breach discovery date of May 26, 2015. 10 34. Defendants’ security framework was deficient in several respects. Defendants 11

12 failed to implement basic industry-accepted data security measures to protect individual’s health

13 information from unauthorized access. Specifically, Defendants set up a generic “tester” account

14 which could be accessed by using a shared password called “tester” and a second account called 15 “testing” with a shared password of “testing”. In addition to being easily guessed, these generic 16 accounts did not require a unique user identification and password in order to gain remote access. 17

18 In a formal penetration test conducted by Digital Defense in January 2015, these accounts were

19 identified as high risk, yet Defendants continued to employ the use of these accounts and, in fact,

20 acknowledged establishing the generic accounts at the request of one of its’ health care provider 21 clients so that employees did not have to log-in with a unique user identification and password. 22 35. Defendants did not have appropriate security safeguards or controls in place to 23

24 prevent exploitation of vulnerabilities within their system. The “tester” account did not have

25 privileged access but did allow the attacker to submit a continuous string of queries, known as a

26 SQL injection attack, throughout the database as an authorized user. The queries returned error 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 13 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 14 of 83

1 messages that gave the intruder hints as to why the entry was incorrect, providing valuable

2 insight into the database structure. 3 36. The vulnerability to an SQL injection attack was identified as a high risk during a 4 penetration test performed by Digital Defense in 2014. Digital Defense recommended that 5

6 Defendant “take appropriate measures to implement the use of parameterized queries, or ensure

7 the sanitization of user input.” The steps taken by Defendants to address this vulnerability were

8 insufficient to mitigate SQL vulnerabilities involved in this incident. 9 37. The intruder used information gained from the SQL error messages to access the 10 “checkout” account, which had administrative privileges. The “checkout” account was used to 11

12 access and exfiltrate more than 1.1 million patient records from Defendants’ databases. The SQL

13 error exploit was also used to obtain a second privileged account called “dcarlson”. The

14 “dcarlson” account was used to access and exfiltrate more than 565,000 additional records that 15 were stored in a database containing NMC patient records. 16 38. On May 25, 2015, the attacker initiated a second method of attack by inserting 17

18 malware called a “c99” cell on Defendants’ system. This malware caused a massive number of

19 records to be extracted from Defendants’ databases. The huge document dump slowed down

20 network performance to such an extent that it triggered a network alarm to the system 21 administrator. The system administrator investigated the event and terminated the malware and 22 data exfiltration on May 26, 2015. 23

24 39. Defendant’s post-breach response was inadequate and ineffective. While the c99

25 attack was being investigated, the attacker continued to extract patient records on May 26 and

26 May 28, using the privileged “checkout” credentials acquired through use of the SQL queries. 27 On those two days, a total of 326,000 patient records were accessed. 28

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 14 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 15 of 83

1 40. The breach was not successfully contained until May 29, when a security

2 contractor hired by Defendant identified suspicious IP addresses which led the contractor to 3 uncover the principal SQL attack method. 4 41. Defendants failed to implement and maintain an active security monitoring and 5

6 alert system to detect and alert on anomalous conditions such as data exfiltration, abnormal

7 administrator activities, and remote system access by unfamiliar or foreign IP addresses. The

8 significance of the absence of these security tools cannot be overstated, as two of the IP 9 addresses used to access Defendants’ databases originated from Germany. An active security 10 operations system should have identified remote system access by an unfamiliar IP address and 11

12 alerted a system administrator to investigate.

13 42. Defendants’ privacy policy, in effect at the time of the breach, stated: “Medical

14 Informatics Engineering uses encryption and authentication tools (password and user 15 identification) to protect your personal information…[O]ur employees are aware that certain 16 information provided by our customers is confidential and is to be protected.” Yet Defendants 17

18 failed to encrypt the sensitive personal information and ePHI within MIE’s computer systems, a

19 protection that, had it been employed, would have rendered the data unusable.

20 43. Defendants’ information security policies were deficient and poorly documented. 21 For example, the incident response plan provided by Defendants was incomplete. There are 22 several questions posed in the document that indicate it is still in a coordination or draft stage. 23

24 Indeed, there is no documented evidence or checklist to indicate that Defendants followed their

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 15 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 16 of 83

1 own incident response plan. Finally, there is no documentation that Defendants conducted

2 HIPAA Security and Awareness training for 2013, 2014, or 2015, prior to the breach. 3 44. Defendants’ actions caused harm to members of the Plaintiff States. Specifically, 4 the victims are subject to emotional distress due to their personal information and ePHI being in 5

6 the hands of unknown and untrusted individuals, in addition to the increased potential for harm

7 that could result from instances of fraud.

8 DEFENDANTS’ LAW VIOLATIONS 9

10 Count I 11 Arizona: Violation of HIPAA Safeguards

12 45. Plaintiff, Arizona, incorporates the factual allegations in paragraphs 1 through 44

13 of this Complaint. 14 46. Defendants’ conduct constitutes violations of Administrative Safeguards, 15 Technical Safeguards, and implementation specifications as required by HIPAA. Specifically: 16

17 a. MIE failed to review and modify security measures needed to continue the

18 provision of reasonable and appropriate protection of ePHI in accordance with the

19 implementation specifications of the Security Rule, in violation of 45 C.F.R. § 20 164.306(e). 21 b. MIE failed to conduct an accurate and thorough assessment of the 22

23 potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI

24 that it maintained in accordance with the implementation specifications of the Security

25 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). 26 c. MIE failed to implement security measures sufficient to reduce risks and 27 vulnerabilities to a reasonable and appropriate level in accordance with the 28

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 16 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 17 of 83

1 implementation specifications of the Security Rule, in violation of 45 C.F.R. §

2 164.308(a)(1)(ii)(B). 3 d. MIE failed to implement procedures to regularly review records of 4 information system activity, such as audit logs, access reports, and Security Incident 5

6 tracking reports in accordance with the implementation specifications of the Security

7 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

8 e. MIE failed to implement policies and procedures that, based upon its 9 access authorization policies, establish, document, review, and modify a user’s right of 10 access to a workstation, transaction, program, or process that includes ePHI in 11

12 accordance with 45 C.F.R. § 164.308(a)(4)(ii)(C).

13 f. MIE failed to implement policies and procedures to address Security

14 Incidents, including suspected Security Incidents, to mitigate, to the extent practicable, 15 harmful effects of security incidents known to MIE, or to document such Incidents and 16 their outcomes in accordance with the implementation specifications of the Security Rule, 17

18 45 C.F.R. § 164.308(a)(6)(ii).

19 g. MIE failed to assign a unique name and/or number for identifying and

20 tracking user identity in accordance with the implementation specifications of the 21 Security Rule. 45 C.F.R. § 164.312(a)(2)(i). 22 h. MIE failed to implement a mechanism to encrypt and decrypt ePHI, in 23

24 accordance with the implementation specifications of the Security Rule. 45 C.F.R. §

25 164.312(a)(2)(iv).

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 17 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 18 of 83

1 i. MIE failed to implement hardware, software, and/or procedural

2 mechanisms that record and examine activity in information systems that contain or use 3 ePHI, in violation of 45 C.F.R. § 164.312(b). 4 j. MIE failed to implement procedures to verify that a person or entity 5

6 seeking access to ePHI is the one claimed, in violation of 45 C.F.R. § 164.312(c)(2)(d).

7 k. MIE failed to adhere to the Minimum Necessary Standard when using or

8 disclosing ePHI, in violation of 45 C.F.R. § 164.502(b)(1). 9 47. Plaintiff, Arizona, is entitled to certain statutory damages pursuant to 42 U.S.C. 10 1320d-5(d)(2). 11

12 Count II Arizona: Violation of Ariz. Rev. Stat. § 44-1522 13 48. Plaintiff, Arizona, incorporates the factual allegations in paragraphs 1 through 44 14

15 of this Complaint.

16 49. The Defendants’ conduct constitutes a violation of Ariz. Rev. Stat. § 44-1522.

17 50. The information security failings outlined in the preceding paragraphs constitute 18 unfair or deceptive acts or practices in violation of Ariz. Rev. Stat. § 44-1522. 19 51. For example, MIE committed unfair or deceptive acts or practices by 20

21 representing, in connection with the advertisement and sale of its services, that it maintained

22 appropriate Administrative and Technical Safeguards to protect patients’ ePHI and other

23 appropriate measures to protect consumers’ sensitive information, when such was not the case. 24 52. Defendants’ security failings were also likely to cause substantial injury to 25 consumers, including identity theft, and such injury was not reasonably avoidable by the 26

27 consumers themselves, particularly in light of Defendants’ failure to notify consumers in the

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 18 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 19 of 83

1 most expedient manner possible, nor would such injury be outweighed by any countervailing

2 benefits to consumers or competition. 3 53. Defendants’ conduct was also willful, as, among other things, they knew or 4 should have known that their unfair or deceptive acts or practices were unlawful. 5

6 54. Plaintiff, Arizona, is entitled to injunctive relief, restitution to all affected persons,

7 and disgorgement of Defendants’ profits or revenues obtained by means of its unlawful conduct

8 pursuant to Ariz. Rev. Stat. § 44-1528; civil penalties pursuant to Ariz. Rev. Stat. § 44-1531; and 9 attorney fees and costs pursuant to Ariz. Rev. Stat. § 44-1534. 10 Count III 11 Arkansas: Violation of HIPAA Safeguards 12 55. Plaintiff, Arkansas, incorporates the factual allegations in paragraphs 1 through 44 13 of this Complaint. 14

15 56. Defendants’ conduct constitutes violations of Administrative Safeguards,

16 Technical Safeguards, and implementation specifications as required by HIPAA. Specifically:

17 a. MIE failed to review and modify security measures needed to continue the 18 provision of reasonable and appropriate protection of ePHI in accordance with the 19 implementation specifications of the Security Rule, in violation of 45 C.F.R. § 20

21 164.306(e).

22 b. MIE failed to conduct an accurate and thorough assessment of the

23 potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI 24 that it maintained in accordance with the implementation specifications of the Security 25 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). 26

27 c. MIE failed to implement security measures sufficient to reduce risks and

28 vulnerabilities to a reasonable and appropriate level in accordance with the

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 19 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 20 of 83

1 implementation specifications of the Security Rule, in violation of 45 C.F.R. §

2 164.308(a)(1)(ii)(B). 3 d. MIE failed to implement procedures to regularly review records of 4 information system activity, such as audit logs, access reports, and Security Incident 5

6 tracking reports in accordance with the implementation specifications of the Security

7 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

12 accordance with 45 C.F.R. § 164.308(a)(4)(ii)(C).

13 f. MIE failed to implement policies and procedures to address Security

18 45 C.F.R. § 164.308(a)(6)(ii).

19 g. MIE failed to assign a unique name and/or number for identifying and

24 accordance with the implementation specifications of the Security Rule. 45 C.F.R. §

25 164.312(a)(2)(iv).

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 20 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 21 of 83

1 i. MIE failed to implement hardware, software, and/or procedural

6 seeking access to ePHI is the one claimed, in violation of 45 C.F.R. § 164.312(c)(2)(d).

7 k. MIE failed to adhere to the Minimum Necessary Standard when using or

8 disclosing ePHI, in violation of 45 C.F.R. § 164.502(b)(1). 9 57. Plaintiff, Arkansas, is entitled to certain statutory damages pursuant to 42 U.S.C. 10 1320d-5(d)(2). 11

12 Count IV Arkansas: Deceptive Acts in Violation of Ark. § 4-88-101 13 58. Plaintiff, Arkansas, incorporates the factual allegations in paragraphs 1 through 44 14

15 of this Complaint.

16 59. The Defendants’ conduct constitutes a violation of Ark. Code § 4-88-108.

17 60. The information security failings outlined in paragraphs 30 through 40 constitute 18 unfair or deceptive acts in violation of Ark. Code § 4-88-108. 19 61. MIE committed an unfair or deceptive act by representing that it maintained 20

21 appropriate Administrative and Technical Safeguards to protect patients’ ePHI, and other

22 appropriate measures to protect consumers’ sensitive information, when such was not the case, in

23 violation of Ark. Code Ann. § 4-88-107(b) and Ark. Code Ann. § 4-88-108. 24 62. Plaintiff, Arkansas, is entitled to civil penalties pursuant to Ark. Code § 4-88- 25 113(a)(3), attorney’s fees and costs pursuant to Ark. Code § 4-88-113(e), and injunctive relief 26

27 pursuant to Ark. Code § 4-88-113(a)(1).

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 21 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 22 of 83

1 Count V Arkansas: Data Breach Violation of Ark. Code § 4-110-105 2 3 63. Plaintiff, Arkansas, incorporates the factual allegations in paragraphs 1 through 44

4 of this Complaint.

5 64. MIE failed to notify affected individuals or others of the Data Breach as required 6 by Ark. Code § 4-110-105. 7 65. As alleged in paragraphs 32 and 33, Defendants began notifying affected 8

9 individuals on July 17, 2015 and did not conclude until December 2015. The effective notice

10 date range after the breach was discovered was between 52 days and six months.

11 66. By waiting between 52 days and six months to notify affected individuals, 12 Defendants violated Ark. Code § 4-110-105. 13 67. Plaintiff, Arkansas, is entitled to civil penalties pursuant to Ark. Code §§ 4-110- 14

15 108, 4-88-113(a)(3), attorney fees and costs pursuant to Ark. Code §§ 4-110-108, 4-88-113(e),

16 and injunctive relief pursuant to Ark. Code §§ 4-110-108, 4-88-113(a)(1).

17 Count VI 18 Arkansas: Failure to Implement Reasonable Procedures to Protect Personal Information in Violation of Ark. Code § 4-110-104(b) 19 68. Plaintiff, Arkansas, incorporates the factual allegations in paragraphs 1 through 44 20

21 of this Complaint.

22 69. Defendants failed to implement and maintain reasonable procedures to protect and

23 safeguard the unlawful disclosure of personal information in violation of Ark. Code § 4-110- 24 104(b). 25 70. The information security failings outlined in paragraphs 30 through 40 constitute 26

27 unreasonable safeguard procedures in violation of Ark. Code § 4-110-104(b).

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 22 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 23 of 83

1 71. Plaintiff, Arkansas, is entitled to civil penalties pursuant to Ark. Code §§ 4-110-

2 108, 4-88-113(a)(3), attorney fees and costs pursuant to Ark. Code §§ 4-110-108, 4-88-113(e), 3 and injunctive relief pursuant to Ark. Code §§ 4-110-108, 4-88-113(a)(1). 4 Count VII 5 Connecticut: Violation of HIPAA Safeguards 6 72. Plaintiff, Connecticut, incorporates the factual allegations in paragraphs 1 through 7 44 of this Complaint. 8

9 73. Defendants’ conduct constitutes violations of Administrative Safeguards,

10 Technical Safeguards, and implementation specifications as required by HIPAA. Specifically:

11 a. MIE failed to review and modify security measures needed to continue the 12 provision of reasonable and appropriate protection of ePHI in accordance with the 13 implementation specifications of the Security Rule, in violation of 45 C.F.R. § 14

15 164.306(e).

16 b. MIE failed to conduct an accurate and thorough assessment of the

17 potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI 18 that it maintained in accordance with the implementation specifications of the Security 19 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). 20

21 c. MIE failed to implement security measures sufficient to reduce risks and

22 vulnerabilities to a reasonable and appropriate level in accordance with the

23 implementation specifications of the Security Rule, in violation of 45 C.F.R. § 24 164.308(a)(1)(ii)(B). 25 d. MIE failed to implement procedures to regularly review records of 26

27 information system activity, such as audit logs, access reports, and Security Incident

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 23 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 24 of 83

1 tracking reports in accordance with the implementation specifications of the Security

2 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D). 3 e. MIE failed to implement policies and procedures that, based upon its 4 access authorization policies, establish, document, review, and modify a user’s right of 5

6 access to a workstation, transaction, program, or process that includes ePHI in

7 accordance with 45 C.F.R. § 164.308(a)(4)(ii)(C).

8 f. MIE failed to implement policies and procedures to address Security 9 Incidents, including suspected Security Incidents, to mitigate, to the extent practicable, 10 harmful effects of security incidents known to MIE, or to document such Incidents and 11

12 their outcomes in accordance with the implementation specifications of the Security Rule,

13 45 C.F.R. § 164.308(a)(6)(ii).

14 g. MIE failed to assign a unique name and/or number for identifying and 15 tracking user identity in accordance with the implementation specifications of the 16 Security Rule. 45 C.F.R. § 164.312(a)(2)(i). 17

18 h. MIE failed to implement a mechanism to encrypt and decrypt ePHI, in

19 accordance with the implementation specifications of the Security Rule. 45 C.F.R. §

20 164.312(a)(2)(iv). 21 i. MIE failed to implement hardware, software, and/or procedural 22 mechanisms that record and examine activity in information systems that contain or use 23

24 ePHI, in violation of 45 C.F.R. § 164.312(b).

25 j. MIE failed to implement procedures to verify that a person or entity

26 seeking access to ePHI is the one claimed, in violation of 45 C.F.R. § 164.312(c)(2)(d). 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 24 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 25 of 83

1 k. MIE failed to adhere to the Minimum Necessary Standard when using or

2 disclosing ePHI, in violation of 45 C.F.R. § 164.502(b)(1). 3 74. Plaintiff, Connecticut, is entitled to certain statutory damages pursuant to 42 4 U.S.C. 1320d-5(d)(2). 5

6 Count VIII Connecticut: Deceptive Acts in Violation of Conn. Gen. Stat. § 42-110b 7 75. Plaintiff, Connecticut, incorporates factual allegations in paragraphs 1 through 44 8

9 of this Complaint.

10 76. The Defendants’ conduct constitutes a violation of Conn. Gen. Stat. § 42-110b.

11 77. The information security failings outlined in paragraphs 30 through 40 constitute 12 unfair or deceptive acts in violation of Conn. Gen. Stat. § 42-110b. 13 78. MIE committed an unfair or deceptive act by representing that it maintained 14

15 appropriate Administrative and Technical Safeguards to protect patients’ ePHI, and other

16 appropriate measures to protect consumers’ sensitive information, when such was not the case, in

17 violation of Conn. Gen. Stat. § 42-110b. That misrepresentation was reasonably interpreted by 18 consumers, affecting their decisions to provide sensitive information to MIE. 19 79. MIE knew or should have known that its acts and practices alleged herein were 20

21 unfair and deceptive, and were thus willful violations of Conn. Gen. Stat. §42-110b. MIE is

22 therefore liable for civil penalties of up to $5,000 per willful violation pursuant to General

23 Statutes §42-110o(b). 24 80. Plaintiff, Connecticut, is entitled to civil penalties pursuant to Conn. Gen. Stat. § 25 42-110o, attorney fees and costs pursuant to Conn. Gen. Stat. § 42-110m, and injunctive relief 26

27 pursuant to Conn. Gen. Stat. § 42-110m.

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 25 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 26 of 83

1 Count IX Connecticut: Data Breach Violation of Conn. Gen. Stat. § 36a-701b 2 3 81. Plaintiff, Connecticut, incorporates factual allegations in paragraphs 1 through 44

4 of this Complaint.

5 82. MIE failed to notify affected individuals or others of the Data Breach as required 6 by Conn. Gen. Stat. § 36a-701b. 7 83. As alleged in paragraphs 32 and 33, Defendants began notifying affected 8

9 individuals on July 17, 2015 and did not conclude until December 2015. The effective notice

10 date range after the breach was discovered was between 52 days and six months.

11 84. By waiting between 52 days and six months to notify affected individuals, 12 Defendants violated Conn. Gen. Stat. § 36a-701b. 13 85. Pursuant to Conn. Gen. Stat. § 36a-701b(g), a violation of Conn. Gen. Stat. § 36a- 14

15 701b constitutes an unfair or deceptive trade practice under Conn. Gen. Stat. § 42-110b.

16 86. MIE knew or should have known that its acts and practices alleged herein were

17 unfair and deceptive, and were thus willful violations of Conn. Gen. Stat. §42-110b. MIE is 18 therefore liable for civil penalties of up to $5,000 per willful violation pursuant to General 19 Statutes §42-110o(b). 20

21 87. Plaintiff, Connecticut, is entitled to attorney fees and costs, and injunctive relief

22 pursuant to Conn. Gen. Stat. §§ 36a-701b(g), 42-110m, and injunctive relief pursuant to Conn.

23 Gen. Stat. §§ 36a-701b(g) and 42-110m. 24 Count X 25 Connecticut: Failure to Implement Reasonable Procedures to Protect Personal Information in Violation of Conn. Gen. Stat. § 42-471 26

27 88. Plaintiff, Connecticut, incorporates the factual allegations in paragraphs 1 through

28 44 of this Complaint.

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 26 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 27 of 83

1 89. Defendants failed to implement and maintain reasonable procedures to protect and

2 safeguard the unlawful disclosure of personal information in violation of Conn. Gen. Stat. § 42- 3 471. 4 90. MIE was in possession of Connecticut consumers’ “personal information” as that 5

6 term is defined in Conn. Gen. Stat. § 42-471(c).

7 91. Defendants failed to implement and maintain reasonable procedures to protect and

8 safeguard personal information in violation of Conn. Gen. Stat. § 42-471. 9 92. Plaintiff, Connecticut, is entitled to civil penalties pursuant to Conn. Gen. Stat. §§ 10 42-471(e). 11

12 Count XI Florida: Violation of HIPAA Safeguards 13 93. Plaintiff, Florida, incorporates the factual allegations in paragraphs 1 through 44 14

15 of this Complaint.

16 94. Defendants’ conduct constitutes violations of Administrative Safeguards,

17 Technical Safeguards, and implementation specifications as required by HIPAA. Specifically: 18 a. MIE failed to review and modify security measures needed to continue the 19 provision of reasonable and appropriate protection of ePHI in accordance with the 20

21 implementation specifications of the Security Rule, in violation of 45 C.F.R. §

22 164.306(e).

23 b. MIE failed to conduct an accurate and thorough assessment of the 24 potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI 25 that it maintained in accordance with the implementation specifications of the Security 26

27 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 27 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 28 of 83

1 c. MIE failed to implement security measures sufficient to reduce risks and

2 vulnerabilities to a reasonable and appropriate level in accordance with the 3 implementation specifications of the Security Rule, in violation of 45 C.F.R. § 4 164.308(a)(1)(ii)(B). 5

6 d. MIE failed to implement procedures to regularly review records of

7 information system activity, such as audit logs, access reports, and Security Incident

8 tracking reports in accordance with the implementation specifications of the Security 9 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D). 10 e. MIE failed to implement policies and procedures that, based upon its 11

12 access authorization policies, establish, document, review, and modify a user’s right of

13 access to a workstation, transaction, program, or process that includes ePHI in

14 accordance with 45 C.F.R. § 164.308(a)(4)(ii)(C). 15 f. MIE failed to implement policies and procedures to address Security 16 Incidents, including suspected Security Incidents, to mitigate, to the extent practicable, 17

18 harmful effects of security incidents known to MIE, or to document such Incidents and

19 their outcomes in accordance with the implementation specifications of the Security Rule,

20 45 C.F.R. § 164.308(a)(6)(ii). 21 g. MIE failed to assign a unique name and/or number for identifying and 22 tracking user identity in accordance with the implementation specifications of the 23

24 Security Rule. 45 C.F.R. § 164.312(a)(2)(i).

25 h. MIE failed to implement a mechanism to encrypt and decrypt ePHI, in

26 accordance with the implementation specifications of the Security Rule. 45 C.F.R. § 27 164.312(a)(2)(iv). 28

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 28 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 29 of 83

1 i. MIE failed to implement hardware, software, and/or procedural

6 seeking access to ePHI is the one claimed, in violation of 45 C.F.R. § 164.312(c)(2)(d).

7 k. MIE failed to adhere to the Minimum Necessary Standard when using or

8 disclosing ePHI, in violation of 45 C.F.R. § 164.502(b)(1). 9 95. Plaintiff, Florida, is entitled to certain statutory damages pursuant to 42 U.S.C. 10 1320d-5(d)(2). 11

12 Count XII Florida: Deceptive Acts in Violation of Section 501.204, Florida Statutes 13 96. Plaintiff, Florida, incorporates the factual allegations in paragraphs 1 through 44 14

15 of this Complaint.

16 97. The Defendants’ conduct constitutes a violation of Section 501.204, Florida

17 Statutes. 18 98. The information security failings outlined in paragraphs 34 through 44 constitute 19 unfair or deceptive acts in violation of Section 501.204, Florida Statutes. 20

21 99. MIE committed an unfair or deceptive act by representing that it maintained

22 appropriate Administrative and Technical Safeguards to protect patients’ ePHI, and other

23 appropriate measures to protect consumers’ sensitive information, when such was not the case, in 24 violation of Section 501.204, Florida Statutes. 25 100. Plaintiff, Florida, is entitled to civil penalties pursuant to Section 501.2075, 26

27 Florida Statutes, attorney fees and costs pursuant to Section 501.2105, Florida Statutes, and

28 injunctive relief pursuant to Section 501.207(b), Florida Statutes.

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 29 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 30 of 83

1 Count XIII Florida: Data Breach Violation of Section 501.171, Florida Statutes 2 3 101. Plaintiff, Florida, incorporates the factual allegations in paragraphs 1 through 44

4 of this Complaint.

5 102. MIE failed to notify affected individuals or others of the Data Breach as required 6 by Section 501.171(4), Florida Statutes. 7 103. As alleged in paragraphs 32 and 33, Defendants began notifying affected 8

9 individuals on July 17, 2015 and did not conclude until December 2015. The effective notice

10 date range after the breach was discovered was between 52 days and six months.

11 104. By waiting between 52 days and six months to notify affected individuals, 12 Defendants violated Section 501.171(4), Florida Statutes. 13 105. Plaintiff, Florida, is entitled to civil penalties pursuant to Section 501.171(9), 14

15 Florida Statutes, attorney fees and costs pursuant to Section 501.171(9), Florida Statutes and

16 injunctive relief pursuant to Section 501.171(9), Florida Statutes.

17 Count XIV 18 Florida: Failure to Implement Reasonable Procedures to Protect Personal Information in Violation of Section 501.171(2), Florida Statutes 19 106. Plaintiff, Florida, incorporates the factual allegations in paragraphs 1 through 44 20

21 of this Complaint.

22 107. Defendants failed to implement and maintain reasonable procedures to protect and

23 safeguard the unlawful disclosure of personal information in violation of Section 501.171(2), 24 Florida Statutes. 25 108. The information security failings outlined in paragraphs 34 through 44 constitute 26

27 unreasonable safeguard procedures in violation of Section 501.171(2), Florida Statutes.

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 30 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 31 of 83

1 109. Plaintiff, Florida, is entitled to attorney fees and costs pursuant to Section

2 501.171(9), Florida Statutes and injunctive relief pursuant to Section 501.171(9), Florida 3 Statutes. 4 Count XV 5 Indiana: Violation of HIPAA Safeguards 6 110. Plaintiff, Indiana, incorporates the factual allegations in paragraphs 1 through 44 7 of this Complaint. 8

9 111. Defendants’ conduct constitutes violations of Administrative Safeguards,

10 Technical Safeguards, and implementation specifications as required by HIPAA. Specifically:

15 164.306(e).

16 b. MIE failed to conduct an accurate and thorough assessment of the

21 c. MIE failed to implement security measures sufficient to reduce risks and

22 vulnerabilities to a reasonable and appropriate level in accordance with the

23 implementation specifications of the Security Rule, in violation of 45 C.F.R. § 24 164.308(a)(1)(ii)(B). 25 d. MIE failed to implement procedures to regularly review records of 26

27 information system activity, such as audit logs, access reports, and Security Incident

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 31 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 32 of 83

1 tracking reports in accordance with the implementation specifications of the Security

6 access to a workstation, transaction, program, or process that includes ePHI in

7 accordance with 45 C.F.R. § 164.308(a)(4)(ii)(C).

12 their outcomes in accordance with the implementation specifications of the Security Rule,

13 45 C.F.R. § 164.308(a)(6)(ii).

18 h. MIE failed to implement a mechanism to encrypt and decrypt ePHI, in

19 accordance with the implementation specifications of the Security Rule. 45 C.F.R. §

20 164.312(a)(2)(iv). 21 i. MIE failed to implement hardware, software, and/or procedural 22 mechanisms that record and examine activity in information systems that contain or use 23

24 ePHI, in violation of 45 C.F.R. § 164.312(b).

25 j. MIE failed to implement procedures to verify that a person or entity

26 seeking access to ePHI is the one claimed, in violation of 45 C.F.R. § 164.312(c)(2)(d). 27

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 32 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 33 of 83

1 k. MIE failed to adhere to the Minimum Necessary Standard when using or

2 disclosing ePHI, in violation of 45 C.F.R. § 164.502(b)(1). 3 112. Plaintiff, Indiana, is entitled to certain statutory damages pursuant to 42 U.S.C. 4 1320d-5(d)(2). 5

6 Count XVI Indiana: Deceptive Acts in Violation of Ind. Code § 24-5-0.5-3 7 113. Plaintiff, Indiana, incorporates the factual allegations in paragraphs 1 through 44 8

9 of this Complaint.

10 114. The Defendants’ conduct constitutes a violation of Ind. Code § 24-5-0.5-3.

11 115. The information security failings outlined in paragraphs 30 through 40 constitute 12 unfair or deceptive acts in violation of Ind. Code § 24-5-0.5-3. 13 116. MIE committed an unfair or deceptive act by representing that it maintained 14

15 appropriate Administrative and Technical Safeguards to protect patients’ ePHI, and other

16 appropriate measures to protect consumers’ sensitive information, when such was not the case, in

17 violation of Ind. Code § 24-5-0.5-3. 18 117. Plaintiff, Indiana, is entitled to civil penalties pursuant to Ind. Code § 24-5-0.5- 19 4(g), attorney fees and costs pursuant to Ind. Code § 24-5-0.5-4(c), and injunctive relief pursuant 20

21 to Ind. Code § 24-5-0.5-4(c).

22 Count XVII Indiana: Failure to Implement Reasonable Procedures to Protect Personal Information in 23 Violation of Ind. Code § 24-4.9-3-3.5 24 118. Plaintiff, Indiana, incorporates the factual allegations in paragraphs 1 through 44 25 of this Complaint. 26

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 33 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 34 of 83

1 119. Defendants failed to implement and maintain reasonable procedures to protect and

2 safeguard the unlawful disclosure of personal information in violation of Ind. Code § 24-4.9-3- 3 3.5(c). 4 120. The information security failings outlined in paragraphs 30 through 444 constitute 5

6 unreasonable safeguard procedures in violation of Ind. Code § 24-5-0.5-3.5.

7 121. Defendants are not exempt from Ind. Code § 24-5-0.5-3.5, as the Defendants did

8 not comply with a HIPAA compliancy plan. Ind. Code § 24-5-0.5-3.5(a)(6). 9 122. Plaintiff, Indiana, is entitled to civil penalties pursuant to Ind. Code § 24-4.9-3- 10 3.5(f)(2), attorney fees and costs pursuant to Ind. Code § 24-4.9-3-3.5(f)(3), and injunctive relief 11

12 pursuant to Ind. Code § 24-4.9-3-3.5(f)(1).

13 Count XVIII Iowa: Violation of HIPAA Safeguards 14

15 123. Plaintiff, Iowa, incorporates the factual allegations in paragraphs 1 through 44 of

16 this Complaint.

17 124. Defendants’ conduct constitutes violations of Administrative Safeguards, 18 Technical Safeguards, and implementation specifications as required by HIPAA. Specifically: 19 a. MIE failed to review and modify security measures needed to continue the 20

21 provision of reasonable and appropriate protection of ePHI in accordance with the

22 implementation specifications of the Security Rule, in violation of 45 C.F.R. §

23 164.306(e). 24 b. MIE failed to conduct an accurate and thorough assessment of the 25 potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI 26

27 that it maintained in accordance with the implementation specifications of the Security

28 Rule, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Indiana et. al. v. Medical Informatics Engineering, Inc. et al. Complaint page 34 of 83

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 57 filed 05/23/19 page 35 of 83