The Growing Trend of State Attorney General HIPAA Litigation
In 2021, 41 state Attorneys General sued the American Medical Collections Agency (AMCA) after AMCA announced it was the victim of a massive data breach. A multistate investigation revealed that widespread information security deficiencies contributed to the breach. The investigation also found that AMCA had received warnings from banks that processed AMCA payments about fraudulent use of payment cards. Nonetheless, even after being told this, AMCA failed to detect the intrusion. The lawsuit recently settled. This case is the latest in a series of cases brought by state Attorneys General to enforce compliance with HIPAA. State Attorney General HIPAA litigation is discussed below.
Attorney General HIPAA Litigation: When Can States Sue?
2009 was a watershed year for HIPAA. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed. This law significantly strengthened HIPAA by increasing the penalties for HIPAA violations – up to $1.5 million for a violation in certain circumstances. The HITECH Act also imposed a data security breach notification requirement, and required HHS to conduct Privacy and Security Rule audits.
The HITECH Act also authorized states’ Attorneys General to enforce HIPAA by filing civil actions for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits state Attorneys General who file these actions to obtain damages on behalf of state residents, and to enjoin further violations of the HIPAA Privacy and Security Rules. A state, or a combination of states, may enforce HIPAA through their Attorneys General.
State Attorney General HIPAA Litigation Stepped Up in 2017
Initially, states were reluctant to exercise their enforcement powers. Between 2010 and 2015, only eleven enforcement actions were brought. The first of these actions was brought in 2010 by the Attorney General of Connecticut. The action was brought against Health Net Inc., for the loss of an unencrypted hard drive containing the ePHI of 1.5 million individuals. That case settled for $250,000. In 2011, the Vermont and Indiana Attorneys General filed similar lawsuits that resulted in $55,000 and $100,000 settlements, respectively.
In 2017, state attorney general HIPAA litigation ramped up. In that year, the Attorneys General of California, Massachusetts, New Jersey, Vermont, and New York each filed suit against entities that had violated HIPAA. The violations included failure to safeguard protected health information; failure to secure ePHI; and failure to comply with the breach notification rule. The smallest enforcement amount was $130,000. Two of the enforcement settlements were for over $1 million.
In 2018, there were nine state attorney general enforcement actions. One of these was the first ever multistate enforcement action. In this action, the Attorneys General of Connecticut, New Jersey, and the District of Columbia sued Aetna for multiple data breaches caused by the failure to secure ePHI. This failure resulted in the exposure of over 15,000 individuals’ PHI. The PHI that was impermissibly disclosed included Afib and HIV status. In 2018, New York filed its own suit against Aetna, obtaining a $1,150,000 settlement.
In 2019, 30 state Attorneys General combined to sue Premera Blue Cross for multiple violations of HIPAA and related state data privacy and security laws. The state attorney general multistate litigation resulted in a $10 million settlement. That same year, 16 states combined to sue Medical Informatics Engineering for multiple violations of HIPAA and related state data privacy and security laws, obtaining a $900,000 settlement. In 2019, California took its turn at suing Aetna for the impermissible Afib and HIV status disclosures, obtaining a $935,000 settlement.
Two multistate lawsuits were settled in 2020. One was against Community Health Systems, for failure to implement and maintain reasonable security practices. Another, in which 43 states joined, was against Anthem, Inc., for multiple violations of HIPAA that led to a phishing attack and a major data breach. California separately sued Anthem for this breach. The settlement amounts in the three cases were $5 million, $39.5 million, and $8.7 million, respectively.
These cases drive home several important points: states can and will use their enforcement powers to hold HIPAA covered entities and business associates accountable for harm suffered by the states’ residents. States can and will join together to file such suits. Finally, the filing of a state lawsuit does not preclude OCR from fining an entity. The purposes of an OCR fine and a state attorney general enforcement action are not precisely the same. OCR fines serve to penalize violators, in the hope of deterring future conduct. State attorney general lawsuits seek recovery of monetary damages, which states award to residents who have been harmed as a result of a HIPAA or equivalent state law violation.