chevron-down Created with Sketch Beta.
May 19, 2023

HHS OCR Settles with MedEvolve for $350,000 Following Unlawful Disclosure of Protected Health Information

On May 16, 2023, HHS Office for Civil Rights (OCR) announced a settlement with MedEvolve, Inc., a healthcare practice management, revenue cycle management, and data analytics firm in Arkansas.  According to the OCR, a server containing protected health information was “left unsecure and accessible on the internet.” The data breach was found to have impacted over 230,000 individuals. Accessible information included patient names, telephone numbers, billing addresses, account numbers for doctors’ offices and primary health insurers, and some Social Security numbers.

MedEvolve, Inc. has agreed to a $350,000 monetary penalty, two years of monitoring, and a corrective action plan. The corrective action obligations include conducting a risk analysis; developing and implementing a risk management plan; developing, maintaining, and revising written policies on the protection of individually identifiable health information; and “augment[ing]” MedEvolve’s training program development. 

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.