Attorney General Keith Ellison announced Thursday, May 30, that Medical Informatics Engineering Inc. settled a lawsuit brought by Minnesota and 15 other states for failing to protect patients’ private data.

It was the first multiple-state lawsuit under the federal Health Insurance Portability and Accountability Act of 1996, according to Ellison.

“Minnesotans should be able to trust that their most sensitive personal information is safe from exploitation and their personal dignity is protected,” Ellison said in a statement.

The data breach dates to between May 7 and May 26 of 2015, Ellison said. Information including names, telephone numbers, addresses, birth dates, Social Security numbers, lab results, insurance information, medical conditions and other data were stolen during the breach.

Hackers used the company’s test account with a shared password “tester” to breach the database, according to the lawsuit. The information was not encrypted, which would have made it useless to hackers.

Sixteen states filed a lawsuit against MIE in December 2018. In addition to negligence, the case alleged the company waited two months to alert patients that their data was taken.

The settlement requires MIE to improve data security and be audited by an independent firm for five years. A separate, class-action lawsuit seeking damages for patients continues to work its way through the courts.