On May 17, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with MedEvolve, Inc. for $350,000. MedEvolve provides practice and revenue cycle management and practice analytics software services to health care entities. The settlement resulted from MedEvolve’s alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) related to a data breach of the protected health information (PHI) of 230,572 individuals that occurred in 2018. The OCR alleged that MedEvolve failed to analyze and assess risks and vulnerabilities to electronic PHI, and failed to enter into a business associate agreement with its subcontractor.

In July 2018, MedEvolve notified the OCR of a data breach resulting from PHI being made openly accessible via the internet through an FTP server. The PHI affected by this incident included patient names, addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and some Social Security numbers.

In addition to the $350,000 penalty, MedEvolve has agreed to:

  • Conduct a risk analysis to determine risks and vulnerabilities to electronic patient data and its patient data systems;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
  • As necessary, develop, maintain, and revise its HIPAA policies and procedures; and
  • Enhance and/or supplement its existing HIPAA training.

To read the complete resolution agreement, click here.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.