The electronic medical record software company Medical Informatics Engineering (MIE) has agreed to settle its HIPAA violation case with the U.S. Department of Health and Human Services’ Office for Civil Rights for $100,000 and has agreed to pay $900,000 to resolve a multi-state action filed by state attorneys general over a 2015 data breach.
MIE experienced a data breach on May 7, 2015 when hackers gained access to a server used by its subsidiary, NoMoreClipboard. The NoMoreClipboard service allows patients to access and manage their health information through patient portals. The hackers were able to access patients’ protected health information that was stored on the server for 19 days until May 26, 2015. Access to the server was gained using compromised credentials.
MIE notified OCR about the breach on July 23, 2015 and an investigation was launched to determine whether the breach was the result of noncompliance with the HIPAA Privacy and Security Rules.
OCR investigators determined that MIE had failed to conduct a comprehensive, organization-wide risk analysis to identify all threats to the confidentiality, integrity, and availability of PHI, in violation of the HIPAA Security Rule. There was also an impermissible disclosure of approximately 3.5 million patients’ protected health information.
MIE agreed to the settlement to resolve the case with no admission of liability. In addition to the financial penalty, MIE has agreed to adopt a corrective action plan to correct HIPAA failures identified by OCR while investigating the breach. The corrective action plan requires MIE to conduct a comprehensive, organization-wide risk analysis and adopt a risk management plan to reduce any identified risks to a reasonable and acceptable level.
“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
In addition to the OCR HIPAA case, a multi-state lawsuit was filed by 16 state attorneys general – Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin – in December 2018 after an investigation revealed MIE had violated several HIPAA provisions and state laws.
A consent judgement has been agreed by all parties which will see MIE pay a financial penalty of $900,000 to resolve the lawsuit. MIE has also agreed to implement a wide range of measures to improve security to prevent further breaches. Those measures include a security incident and event monitoring (SIEM) solution to detect and respond to further cyberattacks, the use of data loss prevention technologies, adoption of a strong password policy, use of multi-factor authentication, single sign-on, and improvements to controls concerning the creation of new accounts.
MIE has also agreed to retain a third-party consultant to conduct an organization-wide risk analysis and will conduct further risk analyses annually. The consent judgment now awaits court approval.