NoMoreClipboard Settles HIPAA Claim with OCR – But Wait! There’s More
Medical Informatics Engineering, Inc., the parent company of NoMoreClipboard, recently paid $100,000 to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and entered into a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlement stems from a 2015 cyberattack that exposed 3.5 million individuals’ protected health information.
Medical Informatics Engineering (MIE) and its subsidiary, NoMoreClipboard, provide electronic medical record services including patient portals and personal health records. In May 2015, MIE discovered a security incident involving unauthorized access to its network by outside attackers. As a business associate of covered entity clients, MIE maintained PHI including, but not limited to, names, addresses, dates of birth, Social Security numbers, e-mail addresses and passwords, health insurance information, and clinical information. MIE reported the data breach to its covered entity clients and OCR. OCR’s investigation revealed that MIE did not conduct a comprehensive security risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of MIE’s electronic PHI.[1] As part of the OCR settlement, MIE will be required to undertake a corrective action plan, including completion of an enterprise-wide risk analysis.
I know what you are thinking – only $100,000 for a large HIPAA data breach?! Well, the story does not end there. In 2018, 16 state attorneys general brought an action against MIE alleging that MIE violated state data protection and deceptive trade practice laws, in addition to HIPAA. This action was the first multistate lawsuit brought under HIPAA. As a result of the multistate action, MIE agreed to pay $900,000 and implement numerous additional information security safeguards, including engaging a third-party professional to conduct an annual risk analysis in each of the next five years. On top of the $100,000 OCR settlement and the $900,000 multistate settlement, MIE also faces a class action lawsuit filed by affected individuals alleging a serious risk of harm from the loss of their sensitive personal data.
The recent MIE settlements serve as an important reminder to health care organizations, including both covered entities and business associates, of their obligations to keep sensitive information secure and to periodically conduct and update an enterprise-wide security risk analysis. As OCR Director Roger Severino stated in a press release regarding the MIE settlement, “Entities entrusted with medical records must be on guard against hackers. The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”[2]