Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

US healthcare service provider fined US$350k over 2018 data breach

Following what it calls a “singular human error”, a US healthcare service provider has been fined US$350,000 following a data breach that saw the records of nearly 231,000 people revealed on an unsecured FTP server.

user icon David Hollingworth
Wed, 17 May 2023
US healthcare service provider fined US$350k over 2018 data breach
expand image

The Department of Health and Human Services’ Office for Civil Rights (OCR)began its investigation in 2018 under the auspices of the Health Insurance Portability and Accountability Act (HIPAA).

The company, MedEvolve, has agreed to pay the fine and has confirmed that it will “implement a corrective action plan” to make sure such an incident does not happen again and that it will work harder to secure patient health information held in its systems.

The initial incident saw the patient data of two of MedEvolve’s clients, the office of Dr Beverly Held and Premier Immediate Medical Care. The affected data included names and addresses, telephone numbers and email addresses, health insurance details, doctor account numbers, and in some cases, Social Security numbers.

============
============

The data was unsecured for four months and was viewed by at least one unauthorised person.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cyber security and the protection of patient privacy,” said OCR director Melanie Fontes Rainer in an announcement. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

MedEvolve has said the incident has had no impact on its own healthcare solutions.

“The incident was a result of a data file that was inadvertently placed on [an] FTP server that was separate from our client hosting environment,” the company said in a statement.

“The server was immediately secured upon discovery of the file, and no malicious use of patient information has ever been detected.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.