Indiana Attorney General Todd Rokita has taken legal action against CarePointe, a medical office in northwest Indiana, following a ransomware attack in 2021 that exposed the personal and protected health information of approximately 45,000 Indiana patients. The lawsuit alleges that CarePointe was aware of security concerns highlighted in a HIPAA risk assessment conducted by an IT vendor in January of that year.
Furthermore, although the vendor was hired in March to address these concerns, the concerns remained unresolved when the data breach occurred in June; both the state and patients were informed of the breach in August.
Notably, the lawsuit points out that CarePointe did not establish a business associate agreement with the IT vendor until April. This oversight allowed the vendor access to patient information before the requirements set by the HIPAA Security Rule were officially met, which raises further concerns about data security practices. The legal action includes two counts related to violations of federal HIPAA law and two counts associated with violations of state data privacy and consumer protection laws.
The office of the attorney general is seeking remedies that include injunctive relief, damages, attorney fees, and costs, emphasizing the seriousness with which the state is taking these alleged violations of consumer protection and privacy laws.