A Fort Wayne firm has agreed to pay $100,000 to settle a HIPAA breach.
Medical Informatics Engineering Inc. paid the fine to the Office for Civil Rights at the U.S. Department of Health and Human Services, federal officials announced Thursday.
The web-based electronic health records company has also agreed to complete a company-wide risk analysis to comply with patient privacy rules outlined in the Health Insurance Portability and Accountability Act.
Medical Informatics Engineering on July 23, 2015, disclosed a breach in a filing with the Office for Civil Rights. The company had discovered that hackers accessed the electronic protected health information of about 3.5 million people who were patients of client health care providers.
Records accessed and stolen include patients' names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, health information and health insurance policy information.
Roger Severino, director of the Office for Civil Rights, said firms trusted with medical records must guard them from hackers.
"The failure to identify potential risks and vulnerabilities to (electronic protected health information) opens the door to breaches and violates HIPAA," he said in a statement.
Andrew Horner, the firm's chief information officer and contact listed in the settlement agreement, couldn't be reached Friday for comment.
In December, Indiana Attorney General Curtis Hill filed a 12-state lawsuit against Medical Informatics Engineering, accusing the firm of failing to secure its computer systems. That lawsuit is pending.