Medical practice management software provider MedEvolve Inc. of Little Rock has agreed to pay $350,000 to settle allegations that it failed to properly protect patient data, the U.S. Department of Health and Human Services (HHS) announced.
As part of the settlement, MedEvolve agreed to a two-year corrective action plan that includes monitoring by HHS' Office for Civil Rights.
In a statement Wednesday, MedEvolve said it has been fully cooperative with HHS' investigation and it "remains steadfast in prioritizing the corrective action plan." The company noted that no malicious use of the patient information has been detected.
HHS began investigating the company for possible violations of the Health Insurance Portability and Accountability Act, or HIPAA, in 2018 after learning that a MedEvolve server containing protected health information was openly accessible on the internet.
Protected information belonging to 230,572 patients was exposed on the server, according to HHS. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and in some cases, Social Security numbers.
HHS said its investigation focused on the "lack of an analysis" to determine risks and vulnerabilities to such information across the company, and the failure to enter into a business associate agreement with a subcontractor.
MedEvolve offers insights and automation designed to help medical practices improve their financial performance. The company said the data breach was the result of "singular human error" in which a file was inadvertently placed on a file transfer server that was separate from its client hosting environment.
Upon discovery of the error, the server was immediately secured. Since then, the company said, it has implemented additional security measures, such as engaging a third party to develop a remediation plan and investing in infrastructure.
"Data security is of utmost importance at MedEvolve, and we have made and continue to make significant investments since the 2018 incident to ensure our clients' data is protected and prevent future threats," Matt Rolfes, president and CEO of MedEvolve, said in a statement. "We are steadfast in our commitment to exceeding healthcare regulatory requirements as we continue to grow our company, and after five years, we are glad to have concluded the settlement with HHS."
MedEvolve has agreed to take the following steps under the corrective action plan with HHS:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
- Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules
- Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information
- Report to HHS within 60 days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules