Medical Informatics Engineering, Inc. (MIE) agreed to pay the HHS’ Office for Civil Rights (OCR) $100,000 to settle its HIPAA violation case. MIE is an electronic medical record software and services provider based in Indiana that suffered a serious data breach at its NoMoreClipboard subsidiary in 2015.
Using a compromised username and password, hackers were able to access a server containing the protected health information (PHI) of 3.5 million people. The attackers had access to the server for 19 days, from May 7 to May 26, 2015. The breach affected 239 of MIE’s healthcare clients.
OCR received the breach report on July 23, 2015 and opened an investigation to determine whether MIE had failed to comply with the HIPAA Rules. According to OCR’s findings, MIE had not performed an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity and availability of PHI before the breach occurred.
This failure was deemed a violation of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A). As a result, the PHI of 3.5 million people was impermissibly disclosed, a violation of 45 C.F.R. § 164.502(a).
MIE chose to settle the case with OCR without admitting liability. In addition to paying the penalty, MIE agreed to undertake a corrective action plan that includes a complete, organization-wide risk analysis and a risk management plan that addresses all identified risks and reduces them to a reasonable and appropriate level.
HIPAA-covered entities that maintain medical records must guard against hackers. Failing to identify potential risks to ePHI can lead to breaches and HIPAA violations.
Although the settlement releases MIE from further OCR action relating to these HIPAA Rules violations, MIE is not in the clear yet. It still faces the multi-state lawsuit filed against it in December 2018 by 12 state attorneys general over the breach.
According to the lawsuit, MIE failed to implement adequate security controls, correct known vulnerabilities, use encryption, provide security awareness training to staff, and avoid failures in its post-breach response. This unresolved lawsuit could still expose MIE to further financial penalties.
This is the second financial penalty issued by OCR in 2019. Earlier this May, OCR settled a case involving multiple HIPAA violations with Touchstone Medical Imaging for $3,000,000.