Indiana attorney general sues provider over violation of consumer protection, privacy laws

Indiana Attorney General Todd Rokita is suing a northwest Indiana medical office over a ransomware event that put personal and protected health information at risk. The lawsuit alleges the provider was aware of security concerns before the data breach.

The lawsuit filed last week against CarePointe — an ear, nose, throat, sinus and hearing provider — claims it was aware of security risks prior to a ransomware event in 2021 that exposed the information of about 45,000 Indiana patients.

The lawsuit said an IT vendor identified security concerns in a written HIPAA risk assessment in January that year. That vendor was hired in March to address the issues, but they weren’t fixed before the data breach in June. The state and patients were notified of the data breach in August.

Additionally, CarePointe did not execute a business associate agreement with the vendor until April, meaning the IT vendor had access to patient information before they were considered a “covered entity” according to the HIPAA security rule.

The suit includes two counts for violations of federal HIPAA law, and two counts for violations of state data privacy and consumer protection laws.

The office of the attorney general is suing for injunctive relief, damages and attorney fees and costs.

Abigail is our health reporter. Contact them at [email protected].