State, northwest Indiana medical company settle lawsuit over exposure of 45K Hoosiers’ data
The state has reached a settlement in its lawsuit against a northwest Indiana medical company over a ransomware event that put personal and protected health information at risk. The agreement includes no admission of guilt on the behalf of the provider.
CarePointe — an ear, nose, throat, sinus and hearing provider — will pay the state $125,000 and develop a written information security program to “protect consumers and ensure further compliance with the law.”
The lawsuit said CarePointe was aware of security risks before a ransomware event exposed the information of about 45,000 Indiana patients. It included two counts for violations of federal HIPAA law and two counts for violations of state data privacy and consumer protection laws.
READ MORE: Rokita under investigation again by Indiana attorney disciplinary commission
Join the conversation and sign up for the Indiana Two-Way. Text “Indiana” to 73224. Your comments and questions in response to our weekly text help us find the answers you need on statewide issues.
The settlement requires CarePointe to develop and maintain systems and plans to protect sensitive patient information. This includes designating an individual to be a “HIPAA security officer” who will be responsible for overseeing the security program.
CarePointe will also have to meet training requirements for all personnel with access to personal information and protected health information, including tabletop exercises to test its “preparedness to respond” to security risks.
Abigail is our health reporter. Contact them at [email protected].