In May 2015, Medical Informatics Engineering, a vendor operating a health information exchange, discovered suspicious activity involving one of its servers.
The cyber attack was a data breach that potentially compromised the health information of approximately 3.5 million individuals. Four years later, the company has paid a $ 100,000 fine to the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, and will enter into a corrective action plan that will require it to complete a complete enterprisewide risk analysis.
During an investigation, OCR found that the company did not conduct an analysis prior to the breach, which meant that Medical Informatics Engineering had not performed a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of an organization’s protected health information.
OCR has recently been using enforcement actions to underscore the need for risk assessments.
“Entities entrusted with medical records must be on guard against hackers,” says OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to electronic protected health information opens the door to breaches and violates HIPAA.”
The corrective action plan for Medical Informatics Engineering is available here.
For reprint and licensing requests for this article, click here.