On May 16, 2023, the HHS Office for Civil Rights (OCR) announced a settlement with MedEvolve, Inc., a healthcare practice management, revenue cycle management, and data analytics firm in Arkansas. According to the OCR, a server containing protected health information was “left unsecure and accessible on the internet.” The data breach was found to have impacted over 230,000 individuals. Accessible information included patient names, telephone numbers, billing addresses, account numbers for doctors’ offices and primary health insurers, and some Social Security numbers.
MedEvolve, Inc. has agreed to a $350,000 monetary penalty, two years of monitoring, and a corrective action plan. The corrective action obligations include conducting a risk analysis; developing and implementing a risk management plan; developing, maintaining, and revising written policies on the protection of individually identifiable health information; and “augment[ing]” MedEvolve’s training program development.