HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breach Sparks Medical Informatics Engineering Lawsuit

A Medical Informatics Engineering lawsuit has been filed in Fort Wayne for the security breach that exposed the data of 3.9 million Americans.

These days, data breach victims are signed up by lawyers within hours of breach notices being posted. The latest lawsuit is no exception, with the mailing of the breach notification letters only completed on July 25, 2015.

The Medical Informatics Engineering lawsuit was filed by Irwin B. Levin, managing partner of Indianapolis law firm Cohen & Malad LLP, on behalf of James Young, who had his health data and Social Security number exposed in the May 26, 2015 cyberattack.

The lawsuit has been filed in the U.S. District Court in Fort Wayne. A spokesman for Medical Informatics Engineering, Jeff Donnell, told the Fort Wayne Journal Gazette, “We are aware of the suit, and we are currently reviewing it. Our primary focus at this time is on our response to those affected by this cyberattack.”

Please see the HIPAA Journal Privacy Policy

Young does not appear to have suffered identity theft of fraud as a result of the exposure of his data; instead the suit has been filed against MIE for “the stress, nuisance, and annoyance of dealing with all issues resulting from the MIE data breach.” The suit claims the defendant “failed to take adequate and reasonable measures to ensure its data systems were protected.”

If the class-action lawsuit is certified, other breach victims could be signed up and damages will be claimed. The damages claimed by Young have not been specified, although if successful, the lawsuit is likely to result in a total award of damages in excess of $5 million before interest and legal costs.

However, there are no guarantees of success. Even if the Medical Informatics Engineering lawsuit is certified – a jury trial has been requested – the courts typically require evidence of actual harm to be produced. Without any actual harm, loss, or damage suffered by the plaintiffs, the courts are unlikely to issue an award for damages. It is understandable that some patients feel aggrieved, but it would be most irregular for damages to be awarded on this basis alone.

The MIE Cybersecurity Attack


According to information released by MIE, the attack triggered the company’s network monitoring alarms at 5am on May 26, when an unusually high load was identified on one of the company’s servers. The subsequent investigation established that access was gained to the company’s server on May 7, 2015, 19 days before the network alarms were triggered.

MIE initiated its breach response plan promptly, shut down the affected server, and hired a forensics firm to determine the extent of the breach. On July 2, MIE started notifying the healthcare organizations that used its NoMoreClipboard service, with the formal breach notice being released to the media on June 10. Breach notification letters to patients were delayed until July 17. Since hundreds of healthcare providers and physicians use the NoMoreClipboard service, it was conceivable that some patients would end up receiving multiple breach notice letters, and MIE wanted to avoid causing any confusion, hence the mailing delay. It also took some time to print and mail out 3.1 million notification letters to patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.