MedEvolve Fined $350,000 for Storing PHI on an Unsecured Server

HHS 2020 Proposed HIPAA Privacy Rule Updates

The Department of Health and Human Services’ Office for Civil Rights has announced a settlement has been agreed with MedEvolve to resolve potential violations of the HIPAA Rules. MedEvolve provides technology and services to healthcare organizations that helps them improve their profit margins and is classed as a business associate under HIPAA. In May 2018, MedEvolve discovered an FTP server had not been properly secured and was accessible over the Internet, which exposed the protected health information of more than 230,000 individuals between January 2018 and May 2018. The PHI came from two of its covered entity clients and during that period of exposure, at least one unauthorized individual accessed the FTP server and viewed the PHI.

OCR’s investigators determined there had been an impermissible disclosure of the PHI of 230,572 individuals, MedEvolve had failed to enter into a business associate agreement with one of its subcontractors, and there was a failure to conduct a comprehensive, organization-wide risk assessment to identify potential risks and vulnerabilities to PHI.

MedEvolve chose to settle with OCR with no admission of wrongdoing. In addition to the financial penalty, MedEvolve has agreed to adopt a corrective action plan to address the issues identified by OCR. The corrective action plan includes the requirement to conduct a comprehensive risk analysis, develop and implement a risk management plan, develop and maintain policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules, and make enhancements to its HIPAA and security training program for its workforce. MedEvolve will also be monitored closely by OCR for two years to ensure compliance with the HIPAA Security Rule.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/