Indiana Attorney General Sues CarePointe Over 2021 Ransomware Attack
The Indiana Attorney General, Todd Rokita, has filed a lawsuit against CarePointe over its June 2021 ransomware attack and the theft of files containing the protected health information (PHI) of 48,742 individuals, including 45,002 Indiana residents.
CarePointe’s investigation confirmed that an unauthorized third party gained access to its network, exfiltrated files containing sensitive data on or around June 25, 2021, and then used ransomware to encrypt files. The data stolen in the attack included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information.
CarePointe stated in its Notice of Privacy Practices that it is committed to safeguarding patient information and is required by the HIPAA Privacy Rule to safeguard patient data, and patients were required to acknowledge that they had read and understood that notice. Despite those claims, CarePointe is alleged to have failed to implement appropriate security policies, failed to conduct appropriate risk analyses, and failed to address known security risks within a reasonable amount of time.
AG Rokita’s investigation revealed CarePointe had meetings with an IT vendor in late 2020 who flagged its remote access policies as a security issue that needed to be addressed. The IT vendor was engaged to conduct a security risk analysis, and in January 2021 identified several other IT security issues. The security issues identified by the IT vendor included weak password policies (no password expiration, passwords of 8 or fewer characters were permitted, and there were no complexity requirements); no account lockouts after a set number of failed login attempts; inactive/decommissioned computers were not removed from Active Directory; a lack of procedures for terminating access when accounts were no longer used; outdated antivirus software; unrestricted access to network shares containing PHI; the use of generic logins for systems containing PHI; and the use of public domain email accounts for conducting CarePointe business. The IT vendor was hired in March 2021 to address the security issues, but they had not been addressed by the time the data breach occurred. While CarePointe engaged the vendor to conduct a risk assessment in January 2021 and provided access to systems containing PHI, a business associate agreement was not entered into with the vendor until April 29, 2021.
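An audit script that checks a Windows domain for the same classes of weakness the vendor flagged (no password expiration, passwords of 8 or fewer characters, no complexity, no lockout, decommissioned computers left in Active Directory, and unused accounts left enabled). It is added here as an example, not code from the article or from CarePointe; it assumes the ActiveDirectory RSAT module, read access to the domain, and a 90-day staleness threshold chosen for illustration.

```powershell
# Added audit example (not from the article or CarePointe). Assumes the
# ActiveDirectory RSAT module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$findings = @()

# Domain-wide password and lockout policy: covers the three password
# findings and the lockout finding from the vendor's assessment.
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MaxPasswordAge -eq [TimeSpan]::Zero) {
    $findings += "Passwords never expire (MaxPasswordAge is 0)"
}
if ($pol.MinPasswordLength -le 8) {
    $findings += "Minimum password length is $($pol.MinPasswordLength) (8 or fewer)"
}
if (-not $pol.ComplexityEnabled) {
    $findings += "Password complexity is not enforced"
}
if ($pol.LockoutThreshold -eq 0) {
    $findings += "No account lockout after failed logins (LockoutThreshold is 0)"
}

# Stale computer accounts: enabled machines with no logon in 90 days are
# candidates for decommissioned hosts still present in Active Directory.
# The 90-day threshold is an assumption; adjust to local policy.
$cutoff = (Get-Date).AddDays(-90)
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -lt $cutoff }
foreach ($c in $staleComputers) {
    $findings += "Stale computer account: $($c.Name) (last logon $($c.LastLogonDate))"
}

# Enabled user accounts that have never logged on, or not in 90 days:
# the "access not terminated when no longer used" case.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }
foreach ($u in $staleUsers) {
    $findings += "Enabled user with no logon in 90 days: $($u.SamAccountName)"
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

Fine-grained password policies (PSOs) can override the default domain policy for specific groups, so check `Get-ADFineGrainedPasswordPolicy -Filter *` as well before concluding the password findings are clear.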
The lawsuit alleges multiple violations of the HIPAA Privacy Rule and HIPAA Security Rule, a failure to implement and maintain reasonable procedures as required by the Indiana Disclosure of Security Breach Act (DSBA), and that CarePointe knowingly committed unfair, abusive, and/or deceptive acts, in violation of the Indiana Deceptive Consumer Sales Act (DCSA).
As mandated by HIPAA, the Indiana Attorney General seeks statutory damages of $100 per HIPAA violation, per day, up to a maximum of $25,000 per year for each violation of an identical requirement or provision, a civil monetary penalty of $5,000 for the violation of the DSBA, and a civil monetary penalty of $5,000 for each knowing violation of the DCSA, along with all costs and fees from the investigation and legal action.