Indiana AG sues CarePointe over ransomware attack

The State of Indiana has filed a lawsuit against CarePointe, P.C., alleging violations of data protection and consumer laws due to inadequate security practices leading to a data breach.

Key Takeaways

• CarePointe is accused of violating federal and state laws related to data privacy and consumer protection.
• The provider allegedly failed to address known security issues, leading to a data breach affecting approximately 45,000 patients.
• The lawsuit seeks injunctive relief, statutory damages, attorney fees, and costs against CarePointe.

What's Happening

The Indiana Attorney General, Todd Rokita, has filed a lawsuit against CarePointe, P.C., a medical provider, alleging violations of HIPAA, the Indiana Disclosure of Security Breach Act (DSBA), and the Indiana Deceptive Consumer Sales Act (DCSA). The lawsuit claims that CarePointe's inadequate security practices led to a data breach affecting over 45,000 patients and involved misrepresentations regarding its security measures.

Related: Indiana Attorney General files lawsuit against IU Health and IU Healthcare Associates

Why it matters

This legal action is significant as it underscores the imperative for healthcare providers to act swiftly and decisively upon discovering security vulnerabilities. CarePointe allegedly was aware of significant security risks but did not act promptly or adequately to mitigate them. This delay in response is crucial, as it reportedly led to the exposure of sensitive patient information. The lawsuit demonstrates the importance of timely action in preventing data breaches to avoid liability.

What they're saying

According to the lawsuit, an IT vendor identified multiple security issues with CarePointe's systems in early 2021, including weak password policies, outdated anti-virus software, and unrestricted access rights to network shares containing protected health information (PHI). Despite being aware of these issues, CarePointe allegedly failed to implement necessary security measures before the data breach in June 2021.

What to watch

Observers should closely monitor how the court addresses CarePointe's alleged delay in responding to known security issues and its impact on the data breach. The lawsuit's outcome may set a precedent for the expected timeline and adequacy of responses to identified security risks by healthcare providers. 

Additionally, watch for potential changes in state and federal regulations regarding data security in healthcare, as this case may influence future legislative measures aimed at preventing similar incidents.

The bottom line

Healthcare providers must implement robust data security measures proactively and address identified vulnerabilities with urgency. Providers must prioritize securing sensitive information to prevent legal challenges, financial penalties, and reputational damage.

Legal and financial implications

Lax security practices jeopardize patient data and expose healthcare providers to legal actions, substantial fines, and penalties. In the case of CarePointe, the lawsuit seeks injunctive relief, statutory damages, attorney fees, and costs, which could result in a significant financial burden for the provider. This case exemplifies the long-term consequences of neglecting data security, emphasizing the need for compliance with data protection laws and regulations to avoid costly legal battles.

Specific HIPAA violations

The lawsuit alleges multiple specific violations of HIPAA by CarePointe, including:

• Failure to implement, review, and modify policies and procedures to prevent, detect, contain, and correct security violations.
• Neglecting to conduct regular reviews of information system activity records, such as audit logs, access reports, and security incident tracking reports.
• Lack of procedures for terminating access to PHI when employment or other arrangements end.
• Absence of measures to guard against, detect, and report malicious software.
• Failure to monitor log-ins and create, change, and safeguard passwords.
• Not assigning unique names and/or numbers for identifying and tracking user identity.
• Lack of encryption for PHI at rest and failure to verify the identity of individuals seeking access to PHI.

Related: HIPAA Compliant Email: The Definitive Guide