The AGs allege that thecompany, Medical Informatics Engineering Inc., failed to safeguard the data properly or disclosethe incident in a timely fashion, among other charges.(Photo: Shutterstock)

A dozen state attorneys general have united to bringthe first multistate lawsuit under federal health care privacy law, inconnection with a medical records company data breach that putmillions of patient records at risk.

The lawsuit is part of a growing trend of state enforcement ofconsumer and data privacy laws, and the first suchAG suit under HIPAA—the federal Health Insurance Portability andAccountability Act of 1996, which requires companies to protect theprivacy of patient information. The U.S. Department of Health andHuman Services usually enforces HIPAA and the Federal TradeCommission usually enforces consumer data breach violations.

Related: Google's foray into health records raises privacyconcerns

The civil suit was filed Tuesday in the U.S. DistrictCourt for the Northern District of Indiana against a Fort Waynecompany, Medical Informatics Engineering Inc., over a 2015 databreach during which hackers accessed the personalpatient information of more than 3.9 million individuals stored in an electronicmedical records database for dozens of institutions. MIEis a third-party provider that licenses a web-based electronichealth record program application known as WebChart to health careproviders.

The AGs allege that the company failed to safeguard thedata properly or disclose the incident in atimely fashion, among other charges. Several other civil suits overthe breach, including multidistrict litigation, also are pending inthat court. The company acknowledged the breach in security notices in 2015.

The information siphoned from the databaseincluded names, addresses, phone numbers, dates of birth,security questions and answers, email addresses, labresults, health insurance policy information, SocialSecurity numbers, doctor's names, diagnoses and other informationfor more than two weeks before being detected and reported to theFBI, according to the suit.

MIE responded Tuesday to a request for comment in an automatedmessage saying, “We will review your correspondence and theappropriate representative will be contacting you as soon aspossible.” The company had not responded further by 1 p.m.Wednesday.

Besides federal HIPAA violations, the AGs' suit allegesvarious violations of state laws, including data breachnotification and deceptive trade practices. The suit seeksinjunctive relief as well as an undetermined amount of money forrestitution and civil penalties.

Indiana Attorney General Curtis Hill filed the suit on behalf ofthe 12 states, which also include Arizona, Arkansas, Florida, Iowa,Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolinaand Wisconsin.

The AGs are both Republicans and Democrats who are part of atrend of attorneys general expanding their litigation andenforcement roles, especially in consumer protection, financialenforcement and health care cases, according to Daniel Suvor,counsel in the Los Angeles office of O'Melveny & Myers. A recent newsletter from the law firm explained.

Read more:

• Fitness tracker data poses legal, privacyconcerns
• Amazon's latest venture: Mining your health caredata
• Trade privacy for lower premiums? Youngergenerations say yes.