Arkansas business associate MedEvolve settles HIPAA investigation with HHS Civil Rights Office for $350,000 over illegal disclosure of protected medical information on unsecured servers.

MedEvolve, Inc. has partnered with a business alliance company that provides clinical management, revenue cycle management, and clinical analytics software services to eligible healthcare organizations. Recently, they announced a settlement for violations affecting more than 200,000 people. The settlement ended the OCR investigation into a data breach that left a server containing protected health information for over 200,000 people unsecured and accessible over the internet.

HIPAA is a federal law that mandates the establishment of national standards to protect the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most healthcare breaches and set requirements that HIPAA-regulated organizations must follow to protect the privacy and security of healthcare information. Potential HIPAA violations in this case include the lack of analysis to determine risks and vulnerabilities to electronically protected health information and the lack of business collaboration agreements with subcontractors.

The HIPAA rule provides that covered entities and business associates are subject to permissible uses and disclosures of information. It is required to conclude a contract documenting Protected medical information, that appropriate safeguards are in place, and that covered entities are notified of any violations. As part of the settlement, MedEvolve will pay its OCR $350,000 and develop a corrective action plan that will identify the steps MedEvolve will take to protect the security of patient electronic health information.

“Where electronically protected medical information is stored, ensuring that security measures are in place to protect that information is critical to cybersecurity and patient privacy,” said OCR Director Melanie Fontes Reiner. It is an integral part of the protection of HIPAA-regulated entities. MedEvolve began its investigation after receiving a breach notification report stating that an FTP server containing medical information was openly accessible on the Internet.

OCR investigates all reports received of unsecured and protected medical information breaches affecting more than 500 people. It is critical that HIPAA-covered entities and their business associates improve their efforts to identify, stop, protect, detect, and respond to cybersecurity threats and malicious actors. As a result of the settlement agreement, MedEvolve will have him monitored by OCR for two years to ensure its compliance with HIPAA security regulations.

The resolution agreement and corrective action plan are available at OCR works to enforce HIPAA regulations that protect the privacy and security of people’s health information. If you believe your health information privacy or civil rights have been violated, or you know someone who has, you may file a complaint with OCR at

Leave a Reply