MedEvolve Network Server Incident Results in $350,000 HIPAA Fine

Posted By Madilyn Moeller, Friday, May 19, 2023


Due to a July 2018 incident, the Office for Civil Rights (OCR) investigated MedEvolve to determine if the business associate was HIPAA compliant. The result? A $350,000 HIPAA fine for potentially violating several provisions of the HIPAA Privacy and Security Rules.

MedEvolve Network Server Breach

MedEvolve, Inc. provides practice management, revenue cycle management, and practice analytics software to covered entities, making it a HIPAA business associate. In July 2018, MedEvolve submitted a breach report to OCR indicating that it had experienced a network server incident affecting 230,572 patients.

The report noted that the breach left protected health information (PHI) unsecured and accessible online. According to statements by MedEvolve, “The incident did not involve or have any impact on our technology solutions. The incident was a result of a data file that was inadvertently placed on a file transfer (FTP) server that was separate from our client hosting environment. The server was immediately secured upon discovery of the file, and no malicious use of patient information has ever been detected.”

In the press release issued by the HHS, OCR Director Melanie Fontes Rainer stated, “Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy. HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”
