Medical Informatics Engineering Inc. (MIE) has agreed to pay $900,000 to 16 states whose attorneys general had sued the company over a data breach in violation of the Health Insurance Portability and Accountability Act (HIPAA).

OCR Director Roger Severino

Simultaneously, MIE settled with the Department of Health and Human Services (HHS) for $100,000 and committed to a two-year corrective action plan in a related breach.

The company had earlier self-reported that hackers had accessed the electronic protected health information (ePHI) of about 3.5 million people whose records it maintained.

An investigation by the HHS Office for Civil Rights (OCR) then determined that MIE had not conducted a mandatory comprehensive risk analysis before the incident. This finding led to the fine and the corrective action plan, but the settlement did not require MIE to admit liability.

OCR Director Roger Severino said that the “failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”