RCM Provider to Pay $350k to Settle HIPAA Investigation After Data Breach

The Department of Health and Human Services’s Office for Civil Rights yesterday announced a $350,000 settlement with a revenue cycle management company that suffered a data breach back in 2018 and was accused of potentially violating the Health Insurance Portability and Accountability Act (HIPAA).

A copy of the agreement and corrective action plan with MedEvolve can be accessed by clicking here.

The Office for Civil Rights launched an investigation in 2018 after receiving a breach notification report that a server containing electronic protected health information was openly accessible to the Internet. The information that was available included patients’ names, addresses, telephone numbers, health insurance and doctor’s office account numbers, and Social Security numbers in some cases. The server had been unsecure and accessible for more than four months when it was uncovered. The breach involved more than 230,000 individuals at two covered entities and there is evidence to suggest that PHI for both covered entities was viewed by at least unauthorized individual during the time the server was open to the public.

Under the terms of the agreement, MedEvolve is not admitting any liability.

MedEvolve will pay $350,000 and participate in a corrective action plan to try and eliminate the chance that such a breach will happen again. This requires MedEvolve to take the following steps:

• Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
• Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
• Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules;
• Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and
• Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer, in a statement. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”