A Fort Wayne firm has agreed to pay $100,000 to settle a HIPAA breach.
Medical Informatics Engineering Inc. paid the fine to the Office for Civil Rights at the U.S. Department of Health and Human Services, federal officials announced Thursday.
The web-based electronic health records company has also agreed to complete a companywide risk analysis to comply with patient privacy rules outlined in the Health Insurance Portability and Accountability Act.
Medical Informatics Engineering on July 23, 2015, disclosed a breach in a filing with the Office for Civil Rights. The company had discovered that hackers accessed the electronic protected health information of about 3.5 million people who were patients of client health care providers.
Records accessed and stolen include patients' names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, health information and health insurance policy information.
Roger Severino, director of the Office for Civil Rights, said firms trusted with medical records must guard them from hackers.
“The failure to identify potential risks and vulnerabilities to (electronic protected health information) opens the door to breaches and violates HIPAA,” he said in a statement.
Andrew Horner, the firm's chief information officer and contact listed in the settlement agreement, couldn't be reached Friday for comment.
In December, Indiana Attorney General Curtis Hill filed a 12-state lawsuit against Medical Informatics Engineering, accusing the firm of failing to secure its computer systems. That lawsuit is pending.
“We will always act to protect Hoosier consumers in cases such as this one,” Hill said in a statement. “We make it our standard practice to pursue all penalties and remedies available under the law on behalf of our citizens, and we hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest ethics and utmost diligence.”
Other states involved in the litigation are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. Indiana's portion was filed in the U.S. District Court for the Northern District of Indiana.
“Defendants failed to implement basic industry-accepted data security measures to protect individuals' health information from unauthorized access,” the lawsuit states. “Defendants set up a generic 'tester' account called 'testing' with a shared password of 'testing.' In addition to being easily guessed, these generic accounts did not require a unique user identification and password in order to gain remote access.”
The company did not put in place an active security system to alert employees to possible hacking attempts, the lawsuit contends. Additionally, it says that the company did not encrypt sensitive personal information within its own computer system, “a protection that, had it been employed, would have rendered the data unusable.”
This was not the first legal action filed against the company for the breach.
James Young, a patient whose medical information was compromised, filed suit in U.S. District Court in Fort Wayne. The Indianapolis man was seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit and potentially receive a cash award.
That lawsuit is also pending.
In November, Medical Informatics Engineering announced it had signed a letter of intent with Electric Works developer RTM Ventures to locate some of its future operations at the new development south of downtown Fort Wayne.