Electronic Medical Records Company Settles with OCR for HIPAA Violation

An electronic medical records company recently settled with the Office for Civil Rights (“OCR”) for violating the Health Insurance Portability and Accountability Act (“HIPAA”) following the discovery of a cyberattack on its servers, which contained the protected health information (PHI) of approximately 3.5 million individuals.

According to a recent settlement agreement, an Indiana company that provides electronic medical records services as a HIPAA business associate discovered suspicious activity on one of its servers in 2015. Following an investigation, the company became aware of unauthorized access to its network, which contained the company’s client information. Specifically, the servers subject to the cyberattack contained the PHI of approximately 3.5 million individuals. The PHI exposed included names, addresses, dates of birth, Social Security numbers, email addresses, clinical information and health insurance information.

OCR’s investigation indicated that: (1) the company impermissibly disclosed the electronic PHI of 3.5 million individuals; and (2) the company failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI.

Although the resolution with OCR is not an admission of liability or wrongdoing by the company, it settled with the agency for $100,000 and agreed to enter into a corrective action plan with the government.

The company was also subject to a lawsuit filed in late 2018 by 12 state attorneys general.

If you have questions regarding HIPAA’s Privacy and Security Rules or OCR, or questions regarding Medicare or Medicaid enrollment, exclusion, revocation, audits or investigations, or other health law related questions, please contact our office.