16 States Settle First Multistate HIPAA Lawsuit for Data Breach

Scott Stewart
The Daily Record

Nebraska joined 15 other states in announcing last Thursday that a consent judgment has been filed in the first multistate HIPAA-related data breach lawsuit.

The case involved Indiana-based Medical Informatics Engineering Inc., which disclosed a hack in 2015 that exposed the electronic health information of more than 3.9 million people.

The lawsuit, led by Indiana, was first filed in December 2018 against the web-based electronic health company, according to a news release by Nebraska Attorney General Doug Peterson.

Following a judge’s approval, the states will receive payment of $900,000. The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services separately announced a $100,000 payment by Medical Informatics Engineering to settle potential violations of the federal Health Insurance Portability and Accountability Act of 1996.

Medical Informatics Engineering’s WebChart application was hacked in May 2015. Among the information compromised were names, contact information, family details, medical conditions, disability codes, Social Security numbers, lab results and health insurance policy information.

An investigation by OCR found the company did not conduct a comprehensive risk analysis prior to the breach. HIPAA requires assessing risks and vulnerabilities with respect to electronic protected health information.

“Entities entrusted with medical records must be on guard against hackers,” OCR Director Roger Severino said in a news release. “The failure to identify potential risks and vulnerabilities to ePHI (electronic Protected Health Information) opens the door to breaches and violates HIPAA.”

Medical Informatics Engineering agreed to take corrective action to comply with HIPAA in both the OCR settlement and the pending consent judgment.

“Federal and state privacy laws provide a standard that companies must meet when they store or maintain the personal information of consumers,” Peterson said in a release. “Failure to do so will result in outcomes similar to those in this case. I encourage entities to take proactive steps to protect the sensitive personal information of consumers.”

