05/23/2019 | Press release | Archived content
Florida Attorney General Announces First-Ever Multistate HIPAA-Related Data Breach Lawsuit and Recovery
Attorney General Ashley Moody said, 'Consumers have the right to have their most private health details protected. Companies that are entrusted with individual's medical records and other private information must take serious precautions to keep information secure from hackers.'
In May 2015, the hackers allegedly infiltrated one of MIE's servers containing names, mailing addresses, usernames, passwords and sensitive health information. The hackers allegedly stole the electronic Protected Health Information of more than 3.9 million people, including more than 112,000 records belonging to Floridians. According to the investigation, the hackers exploited several vulnerabilities at MIE at the time of the data breach, including poor password and security management protocols.
Under the terms of the consent judgment, MIE agreed to implement and maintain:
· An information security program and a Security Incident and Event Monitoring solution to detect and respond to malicious attacks;· Data loss prevention technology to detect and prevent unauthorized data exfiltration;· Password policies and procedures requiring the use of strong, complex passwords;· Multi-factor authentication procedures when remotely accessing its systems that store or permit access to ePHI; and· Controls on the creation of accounts with access to ePHI.
As part of the agreement, MIE will also pay nearly one million dollars to the states that filed the federal lawsuit. The other states participating in the agreement are Arizona, Arkansas, Connecticut, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin.