Revenue cycle management company MedEvolve agreed to pay $350,000 to settle a HIPAA investigation by the HHS Office for Civil Rights stemming from a 2018 data breach that affected 230,572 people.
The office began an investigation in 2019 following a breach notification report stating that an FTP server containing electronic protected health information was openly accessible to the internet, according to a May 16 news release.
Potential HIPAA violations in the case included the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the company, and the failure to enter into a business associate agreement with a subcontractor, according to the release.
MedEvolve also agreed to implement a corrective action plan that identifies steps the company will take to resolve the potential violations and protect the security of electronic patient health information, according to the release.