Medical Informatics Engineering to pay fines totaling $1 million
Medical Informatics Engineering will pay settlements totaling $1 million for its role in compromising protected health information.
The company, which offers patient engagement platforms to providers, came to agreements with the HHS Office for Civil Rights and a multi-state group of attorneys general to resolve the May 2015 breach, which affected the data of 3.9 million individuals.
The company has engaged with counsel representing patients to negotiate final terms of a settlement in a class action filing. Douglas Horner, CEO at Medical Informatics, says the company has fully cooperated with OCR and state investigations.
The company detected suspicious activity on a server on May 26, 2015—about two weeks after the incursion—and immediately reported it.
“We partnered with a team of third-party experts and the FBI to rapidly remediate attack vectors used by the intruders. We have made significant investments in additional safeguards to enhance our security posture, including security personnel, policies and procedures, controls, and monitoring and prevention tools,” Horner says. “We retained additional third-party vendors and applications to assist with both the protection of health information and auditing/certification of our information security program.”
Horner also notes that the organization paid for two years of credit monitoring protection for patients. “Our organization has been open and transparent about the attack since we discovered it, and we notified law enforcement authorities within hours to share information on the perpetrators of this security incident.”