Stolen login used to access the health records of 3.5m patients
Medical Informatics Engineering (MIE), a US medical records services firm, has agreed to pay a $100,000 fine after admitting “potential violations” of privacy regulations.
Indiana-based MIE was sanctioned over possible breaches of the Health Insurance Portability and Accountability Act (HIPAA).
The case dates back more than three years to July 2015, when MIE discovered that cybercriminals had abused a compromised user ID and password to access the electronic health records of approximately 3.5 million people.
A subsequent investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach.
Patients filed a class-action lawsuit against MIE that alleges the firm’s computer systems and data security practices were inadequate.
“Entities entrusted with medical records must be on guard against hackers,” said Roger Severino, director of the Office for Civil Rights at the US Department of Health and Human Services (HHS), in a statement.
“The failure to identify potential risks and vulnerabilities to ePHI (electronic protected health information) opens the door to breaches and violates HIPAA.”
In addition to agreeing to the $100,000 settlement, MIE has promised to complete an enterprise-wide risk analysis and to bring its business practices into line with HIPAA requirements.
MIE provides software and electronic medical record services to healthcare providers. The $100,000 fine is towards the lower end of the financial penalties US regulators have imposed for HIPAA breaches.
For example, earlier this month Touchstone, a Tennessee-based diagnostic medical imaging services firm, agreed to pay $3 million to settle an enforcement action stemming from a breach that exposed more than 300,000 patients’ protected health information (PHI).
One of Touchstone’s FTP servers allowed uncontrolled access to its patients’ PHI.
This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the internet even after the server was taken offline.
The breach was discovered in May 2014. The exposed data included names, birth dates, social security numbers, and addresses.
Last October, US healthcare insurer Anthem agreed to pay $16 million in a record HIPAA settlement, following what regulators described as the “largest health data breach in history”.
Almost 79 million people were exposed by the breach – data included names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.