MedEvolve settles HIPAA investigation with HHS Office for Civil Rights

In a significant development highlighting the importance of data security in the healthcare sector, MedEvolve, an Arkansas-based software services provider, has settled a potential HIPAA violation with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). The violation, involving the exposure of protected health information on an unsecured server, underscores the critical need for stringent data protection measures in the healthcare industry.

Why it matters 

The Office for Civil Rights has settled a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) with MedEvolve, Inc. The Arkansas-based company, which provides software services to healthcare entities, was investigated following a data breach where a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet.

The big picture

HIPAA is a federal law that sets national standards to protect the privacy and security of health information. The potential HIPAA violations, in this case, include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization and the failure to enter into a business associate agreement with a subcontractor. MedEvolve has paid OCR a $350,000 monetary settlement and agreed to implement a corrective action plan.

What they're saying

"Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy," said OCR Director Melanie Fontes Rainer. "HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet."

Between the lines

The investigation was initiated in July 2018 following a breach notification report stating that an FTP server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer, and doctor's office account numbers, and in some cases, Social Security numbers.

The bottom line

As part of the settlement agreement, MedEvolve will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. The company has agreed to conduct a risk analysis, develop a risk management plan, revise its written policies and procedures, augment its HIPAA and Security Training Program, and report to HHS when workforce members fail to comply with MedEvolve's written policies and procedures.

What's next

As part of the settlement, MedEvolve has entered into a Corrective Action Plan (CAP) with the HHS. The CAP outlines several steps MedEvolve must take to ensure compliance with HIPAA regulations moving forward. These include:

1. Conducting a Risk Analysis: MedEvolve is required to conduct a thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs, and applications that contain, store, transmit, or receive MedEvolve ePHI.
2. Developing and Implementing a Risk Management Plan: MedEvolve must develop a plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
3. Establishing Policies and Procedures: MedEvolve must develop, maintain, and revise its written policies and procedures to comply with the federal standards governing the privacy and security of individually identifiable health information.
4. Training: MedEvolve is required to augment its existing HIPAA and Security Training Program for all workforce members with PHI access.
5. Reporting: MedEvolve is required to submit an Implementation Report and Annual Reports to HHS regarding its compliance with the CAP.

Related: HIPAA Compliant Email: The Definitive Guide

One level deeper 

According to Paubox's April 2023 breach report, Network server breaches affected the most people in March 2023. Cerebral, Inc. had the most significant breach that affected 3,179,835 people. ZOLL Services LLC had the second-largest breach, which affected 997,097 people.

Network server breaches were the most popular attack vectors for bad actors over the last five March months. Over 10 million individuals had their data accessed via 114 network server breaches during this time.