Medical Informatics Engineering, Inc. (MIE), a software and electronic medical records service provider has paid the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services $100,000 to settle a HIPAA breach from 2015.
The Indiana-based company reported the data breach to OCR on July 23, 2015, following the discovery that the electronic protected health information (ePHI) of roughly 3.5 million people had been inappropriately accessed. The unauthorized access occurred when hackers used a compromised user ID and password to gain entry into the records.
A subsequent investigation was launched by OCR and revealed that MIE did not conduct a thorough risk analysis before the breach occurred, which is a requirement under the HIPAA rule.
“Entities entrusted with medical records must be on guard against hackers,” said Roger Severino, director of the Office for Civil Rights at the US Department of Health and Human Services (HHS), in a statement.
“The failure to identify potential risks and vulnerabilities to ePHI (electronic protected health information) opens the door to breaches and violates HIPAA.”
MIE has agreed to a corrective action plan in addition to the $100,000 settlement. The corrective action plan will include the completion of an enterprise-wide risk analysis.
Things to Note
- Although this breach exposed the ePHI of roughly 3.5 million people, the fine imposed by OCR was at the lower end of fines that could have been expected as a result of this incident.
- This settlement came more than three years after the incident.
- We are again reminded that a risk analysis is not optional but required under the HIPAA Rules.