OCR Director Roger Severino
Simultaneously, MIE settled with the Department of Health and Human Services (HHS) for $100,000 and committed to a two-year corrective action plan in a related breach.
The company had earlier self-reported that hackers had accessed the electronic protected health information (ePHI) of about 3.5 million people whose records it maintained.
An investigation by the HHS Office for Civil Rights (OCR) then determined that MIE had not conducted the mandatory comprehensive risk analysis before the incident. This led to the fine and the corrective action plan, without any admission of guilt by MIE.
OCR Director Roger Severino said that the “failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
Healthcare organizations tightening HIPAA safeguards after the MIE breach should pair risk analyses, incident response drills, and workforce training with clear, state-specific workplace notices—posting current state labor law posters in patient-facing areas and staff rooms alongside HIPAA privacy summaries so employees understand reporting rights, anti-retaliation protections, and required timelines when handling ePHI and potential breaches.