Data Breach Leads to $1 Million in Settlements for IN Company

May 28, 2019 | Eric D. Fader | Cybersecurity | Electronic Health Records | HIPAA | Litigation

The U.S. Department of Health and Human Services (HHS) announced on May 23 that Medical Informatics Engineering, Incorporated (MIE), an Indiana-based online electronic health records company, had agreed to pay HHS’s Office for Civil Rights (OCR) $100,000 to settle HIPAA violations. MIE’s April 23 Resolution Agreement with HHS also provided for the company to enter into a two-year corrective action plan.

Also on May 23, MIE entered into a Consent Judgment with 16 states whose attorneys general had sued the company in federal court based on a 2015 data breach that allegedly compromised the data of almost four million people. MIE will pay a total of $900,000 to the states to settle the case, the first-ever multistate lawsuit based upon a HIPAA violation. MIE had also been charged with numerous violations of state personal information protection laws, breach notification laws, and deceptive trade practices laws in all 16 states.

In the breach, hackers exploited vulnerabilities in one of MIE’s servers and stole names, mailing addresses, user names, passwords and protected health information. The OCR’s investigation determined that MIE did not conduct a comprehensive enterprise-wide risk analysis, as required by HIPAA, prior to the breach.
