In the first settlement of its kind, a medical software provider has agreed to pay $900,000 to 16 state attorneys general for alleged violations of state and federal privacy laws. The settlement, stemming from a federal lawsuit in the U.S. District Court for the Northern District of Indiana, demonstrates the resolution of the first-ever multistate data breach suit based on alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The settlement is a result of a 2015 data breach resulting in compromised user ID and password data of the electronic protected health information of approximately 3.5 million individuals. The settlement was finalized shortly after the medical software provider agreed to pay $100,000 to the Office of Civil Rights (OCR), the agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach.

To read more, please visit our Life Sciences Legal Update blog.