HIPAA Breach Settles for $1M in First Settlement Involving State Attorneys General

Poyner Spruill LLP
Last week, Indiana-based Medical Informatics Engineering, Inc. (MIE) agreed to pay $100,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). MIE provides electronic health record and related services to healthcare entities. MIE also committed to a two-year corrective action plan to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Separately, MIE agreed to pay $900,000 to 16 states whose attorneys general had sued the company over a related data breach. The suit was the first of its kind premised on a HIPAA violation. The attorneys general accused MIE of violating state personal information protection laws, breach notification laws, and deceptive trade practices laws.

The state settlement required MIE to implement and maintain an information security program sufficiently robust to check cyberattacks. The company also agreed to install technology to prevent data exfiltration.

MIE had earlier informed OCR that hackers had accessed the electronic protected health information (ePHI) of about 3.5 million people. See 45 C.F.R. § 164.502(a). An OCR investigation determined that MIE had not conducted a mandatory comprehensive risk analysis before the incident. The HIPAA Rules require entities to assess the potential threats to the integrity of the entity’s ePHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR Director Roger Severino noted that the “failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.” North Carolina Attorney General Josh Stein stated that the breach had put sensitive health data at risk.

MIE denies all wrongdoing, and neither resolution required an admission of fault. However, the states’ complaint alleged that MIE (1) failed to implement adequate security controls, (2) did not address known vulnerabilities, (3) failed to use encryption, (4) did not adequately train staff in security issues, and (5) failed to address the breach in an appropriate manner. Read in the inverse, these five failures provide a useful checklist for any healthcare counsel, CIO, or CISO looking to avert the next OCR fine or multi-state lawsuit.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
