EHR Provider to Pay $900,000 to Resolve Multi-State HIPAA Case

Just a few days after the HHS’ Office for Civil Rights announced a settlement had been reached with Medical Informatics Engineering to resolve alleged HIPAA violations related to its 2015 breach of 3.9 million records, an agreement has been announced that will resolve a multi-state HIPAA lawsuit.

In December 2018, 16 state attorneys general were named as plaintiffs in the lawsuit, which alleged that MIE had violated several provisions of the HIPAA Rules and state laws.

An investigation into the breach revealed multiple security failures that had left the company vulnerable to attack. Some of those vulnerabilities were exploited by hackers, who succeeded in gaining access to a server housing the protected health information of individuals whose records were held in its NoMoreClipboard solution. The hackers had access to the server for 19 days in May 2015 before the breach was detected and the server was secured.

The OCR case cited two HIPAA violations: a failure to conduct an organization-wide risk analysis prior to the breach, and the resultant impermissible disclosure of patient information. The investigation that prompted the lawsuit identified several further violations of the HIPAA Rules and of state Information Protection and Deceptive and Unfair Trade Practices Acts.

A proposed consent judgment resolves all of the alleged violations and requires MIE to pay a financial penalty of $900,000. The financial penalty will be split between the 16 states that participated in the action: Arizona, Arkansas, Connecticut, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin.

MIE has also agreed to take several steps to improve security and ensure compliance with federal and state data privacy and security laws. MIE will implement and maintain an information security program, a Security Incident and Event Monitoring (SIEM) solution, a data loss prevention solution, complex password policies, and multi-factor authentication on systems that store or permit access to ePHI, and will implement further controls governing the creation of accounts with access to ePHI.

MIE will also contract a third-party expert to conduct a comprehensive risk analysis within the next 180 days, with further risk analyses every 12 months thereafter.

The consent judgment has been accepted by all parties and is pending court approval.