Federal regulators fined practice management software and services vendor MedEvolve $350,000 in the aftermath of an investigation into a 2018 HIPAA breach that involved a file transfer protocol server mishap. The company said the incident was the result of “a singular human error.”
The Department of Health and Human Services’ Office for Civil Rights on Tuesday said MedEvolve had agreed to pay the financial settlement and to implement a corrective action plan to resolve potential HIPAA violations. The agency said an unsecured company FTP server had exposed the electronic protected health information of nearly 231,000 individuals.
The incident affected two MedEvolve clients – Premier Immediate Medical Care and the office of Dr. Beverly Held. During its investigation into the incident, the agency said it had found evidence that the PHI for both covered entities was viewed by at least one unauthorized individual during the four months the FTP server was open to the public (see: Health Data Breach Victim Tally for 2018 Soars).