Medical Informatics Engineering, a medical records service provider, agreed to pay the Office for Civil Rights at HHS $100,000 to settle a HIPAA breach.
In July 2015, the Fort Wayne, Ind.-based medical records provider reported a data breach to the OCR, stating that hackers accessed a compromised user identification and password to gain entry into the electronic protected health information of nearly 3.5 million patients.
Upon investigation, the OCR found MIE did not perform a proficient risk analysis prior to the data breach, a mandatory HIPAA rule.
“Entities entrusted with medical records must be on guard against hackers,” OCR Director Roger Severino said in a news release. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
Along with paying the $100,000 settlement, MIE agreed to a corrective action plan, which includes completing an enterprise-wide risk analysis.
More articles on cybersecurity:
Oregon State Hospital alerts patients of phishing attack
Memorial Hermann employee 'improperly' used patients' credit card info
First cybercrime hotline unveiled in Rhode Island