Medical Informatics Engineering, Inc. (MIE) has settled its HIPAA violation case with the HHS' Office for Civil Rights (OCR) by paying $100,000. MIE provides electronic medical record software and services in Indiana. Its serious 2015 data breach involved its NoMoreClipboard subsidiary.
The attackers used a compromised username and password to access a server that stored the protected health information (PHI) of 3.5 million people. From May 7 to May 26, 2015, the attackers had access to the server for 19 days. The breach affected 239 MIE healthcare clients.
When OCR received the breach report from MIE on July 23, 2015, it investigated the breach to determine whether MIE had complied with the HIPAA Rules. OCR's investigation found that, prior to the breach, MIE had not conducted the required comprehensive risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI.
Failing to conduct the risk analysis violated HIPAA Security Rule 45 C.F.R. § 164.308(a)(1)(ii)(A). As a result, MIE also violated 45 C.F.R. § 164.502(a) by impermissibly disclosing the PHI of 3.5 million people.
MIE settled the case with OCR without admitting liability. Apart from paying the penalty, MIE must carry out a corrective action plan consisting of a complete, organization-wide risk analysis and a risk management plan that addresses all identified risks and reduces them to an acceptable level.
HIPAA-covered entities that hold medical records should take precautions against attackers. Failing to identify potential risks to ePHI can lead to breaches and HIPAA violations.
While the settlement releases MIE from further OCR action over the HIPAA Rules violations, MIE still faces the multi-state lawsuit that 12 attorneys general filed against it in December 2018 over the data breach.
The lawsuit alleges that MIE failed to implement adequate security controls, remediate known vulnerabilities, use encryption, provide employees with security awareness training, and prevent post-breach problems. The lawsuit could still result in further financial penalties for MIE.
This is the second financial penalty OCR has issued in 2019. The first, issued earlier this May, involved Touchstone Medical Imaging in a $3,000,000 case over multiple HIPAA violations.