A dozen state attorneys general have united to bring the first multistate lawsuit under  federal health care privacy law, in connection with a medical records company data breach that put millions of patient records at risk.

The lawsuit is part of a growing trend of state enforcement of consumer and data privacy laws, and the first such AG suit under HIPAA—the federal Health Insurance Portability and Accountability Act of 1996, which requires companies to protect the privacy of patient information. The U.S. Department of Health and Human Services usually enforces HIPAA and the Federal Trade Commission usually enforces consumer data breach violations.