
MedEvolve pays OCR $350K penalty over ‘insufficient’ HIPAA risk analysis


MedEvolve agreed to pay a $350,000 civil monetary penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve possible violations of the Health Insurance Portability and Accountability Act, including failure to perform a risk analysis.

The vendor provides practice management, revenue cycle management and practice analytics software services to the healthcare sector. In 2018, MedEvolve reported a misconfigured FTP server exposed the data of 230,572 patients tied to two of its provider clients: Premier Urgent Care in Pennsylvania and dermatologist Dr. Beverly Held in Texas.

The misconfiguration allowed anyone to log in anonymously, with no credentials or password protection. The exposed data included patient names, contact information, health insurer details, provider account numbers and, for some patients, Social Security numbers.

The breach report to OCR prompted an investigation, which found “evidence that the protected health information for both covered entities was viewed by at least one unauthorized individual during the time the FTP server was open to the public.”

The audit also found MedEvolve did not perform an analysis to determine risks and vulnerabilities to its protected health information and failed to enter into a business associate agreement (BAA) with a subcontractor.

Required by HIPAA, a BAA documents permissible uses and disclosures of patient data, ensures appropriate data protections will be used, and requires that the covered entity be notified in the event of a breach.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” OCR Director Melanie Fontes Rainer said in a statement.

“HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet,” she added.

In addition to the civil monetary penalty, MedEvolve has entered into a corrective action plan and will be monitored by OCR for two years to ensure compliance with HIPAA. Under the plan, MedEvolve must conduct a risk analysis to determine possible vulnerabilities to its electronic patient and system data.

The company is also required to develop and implement a risk management plan that will address the identified risks, in addition to developing and maintaining its written HIPAA Privacy and Security Rule policies and procedures and bolstering its existing HIPAA and security workforce training program.

This is the second breach-related OCR settlement announced this year. Banner Health paid a $1.25 million civil monetary penalty in February, after OCR found potential HIPAA violations during an audit launched after its massive 2016 data breach. Late last week, the agency announced yet another settlement tied to a HIPAA Right of Access violation for $15,000 with David Mente, a licensed psychotherapy services provider.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
