Medical Informatics Engineering, Inc., an Indiana-based company that provides software and electronic health record (EHR) services to healthcare providers, has paid $100,000 to the Office for Civil Rights (OCR) to settle a 2015 HIPAA breach.
On July 23, 2015, according to a press release from the Department of Health & Human Services (HHS), MIE filed a breach report with OCR after it discovered that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people.
An investigation by OCR revealed that MIE did not conduct a comprehensive risk analysis prior to the breach, according to federal officials. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.
“Entities entrusted with medical records must be on guard against hackers,” OCR Director Roger Severino said in a statement. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis, according to OCR.
The full resolution agreement and corrective action plan can be read here.