[{"innerBlocks":[],"name":"core\/freeform","postId":887,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"selectors":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":3,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":"In May 2015, Medical Informatics Engineering, a vendor operating a health information exchange, discovered suspicious activity involving one of its servers.

The cyber attack was a data breach that potentially compromised the health information of approximately 3.5 million individuals. Four years later, the company has paid a $100,000 fine to the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, and will enter into a corrective action plan that will require it to complete a complete enterprisewide risk analysis.

During an investigation, OCR found that the company did not conduct an analysis prior to the breach, which meant that Medical Informatics Engineering had not performed a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of an organization\u2019s protected health information.

Also See:<\/b> HHS guidance helps doctors conduct risk assessments<\/a>

OCR has recently been using enforcement actions to underscore the need for risk assessments.

\u201cEntities entrusted with medical records must be on guard against hackers,\u201d says OCR Director Roger Severino. \u201cThe failure to identify potential risks and vulnerabilities to electronic protected health information opens the door to breaches and violates HIPAA.\u201d

The corrective action plan for Medical Informatics Engineering is available here<\/a>.
","saveContent":"In May 2015, Medical Informatics Engineering, a vendor operating a health information exchange, discovered suspicious activity involving one of its servers.

The cyber attack was a data breach that potentially compromised the health information of approximately 3.5 million individuals. Four years later, the company has paid a $100,000 fine to the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, and will enter into a corrective action plan that will require it to complete a complete enterprisewide risk analysis.

During an investigation, OCR found that the company did not conduct an analysis prior to the breach, which meant that Medical Informatics Engineering had not performed a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of an organization\u2019s protected health information.

Also See:<\/b> HHS guidance helps doctors conduct risk assessments<\/a>

OCR has recently been using enforcement actions to underscore the need for risk assessments.

\u201cEntities entrusted with medical records must be on guard against hackers,\u201d says OCR Director Roger Severino. \u201cThe failure to identify potential risks and vulnerabilities to electronic protected health information opens the door to breaches and violates HIPAA.\u201d

The corrective action plan for Medical Informatics Engineering is available here<\/a>.
","order":0,"get_parent":{},"attributes":[],"attributesType":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"dynamicContent":""}]

HIE vendor hit with fine, oversight in aftermath of breach

More for you