A multi-state lawsuit has been filed in an Indiana federal court against three affiliated medical data IT firms, alleging poor cybersecurity practices that led to breaches with 3.9 million compromised records.

The attorneys-general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin jointly launched the suit against defendants Medical Informatics Engineering, Inc. (operating as Enterprise Health, LLC), K&L Holdings, and NoMoreClipboard, LLC. The plaintiffs are seeking the ability to enforce state laws that would, in turn, allow them to seek injunctive relief, civil penalties, attorney’s fees, expenses, costs and such other relief.

No specific amount of financial compensation was discussed.

“Defendants’ actions resulted in the violation of the state consumer protection, data breach, personal information protection laws and federal HIPAA statutes… Plaintiffs seek to enforce said laws by bringing this action,” the filing stated.

The plaintiffs say that between May 7, 2015 and May 26, 2015, a cyberattack on the electronic health record application WebChart resulted in the unauthorized access of medical records containing personal health information on various state residents — a breach of various HIPAA regulations. MIE licenses WebChart, NoMoreClipboard is its subsidiary and K&L Holdings is an affiliated company.