Medical Informatics Engineering has agreed to pay a civil monetary penalty of $100,000 and a corrective action plan, in a settlement with the Office for Civil Rights around its 2015 data breach impacting 3.5 million patients.

Indiana-based MIE is a software and electronic medical record services vendor to the healthcare sector. On May 26, 2015, MIE officials discovered suspicious activity on one of its servers, calling it a sophisticated cyberattack.

The investigation determined the hackers used a compromised user ID and password to access the protected electronic health information of about 3.5 million patients, including Social Security numbers, clinical data, health information, dates of birth, and email addresses, about two weeks before it was discovered.

It’s still one of the largest breaches in recent healthcare history. Patients filed a class-action lawsuit against MIE soon after, alleging the company “lacked adequate computer systems and data security practices.”

According to Thursday’s statement, MIE failed to conduct a comprehensive risk assessment of potential risks and vulnerabilities to ePHI before the breach occurred – as required by HIPAA.

“Entities entrusted with medical records must be on guard against hackers,” OCR Director Roger Severino, said in a statement. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

Along with the monetary penalty, MIE agreed to a corrective action plan that must include an accurate and thorough analysis of potential security risks and vulnerabilities to its ePHI.

MIE needs to evaluate risks to its own systems, apps, and equipment, as well as a complete inventory of all its facilities, electronic equipment categories, data systems, and apps that maintain, store, or transmit ePHI. The results are due to OCR within 30 days of the effective date.

The risk assessment must be annually reviewed and be “promptly updated… in response to environmental or operational changes affecting the security of ePHI.”

“Following an update to the Risk Analysis, MIE shall assess whether its existing security measures are sufficient to protect its ePHI, and revise its Risk Management Plan, policies and procedures, and training materials, as needed,” according to the resolution.

MIE will also need to develop and implement a risk management plan, “sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.” The plan must include a process and timeline for the implementation, evaluation, and revision of their risk remediation.

The risk management plan is due to OCR within 30 days of the finalization of its risk analysis.

Also notable, the action plan includes a section dedicated to reportable events. Specifically, MIE is required to investigate incidents where a workforce member potentially fails to comply with the company’s security policies and procedures.

“If MIE, after review and investigation, determines that a member of its workforce has failed to comply with such policies and procedures, the MIE Contact shall report such event(s) to HHS,” the resolution reads. “Such violations shall be known as ‘Reportable Events.’”

MIE must report the incident to the Department of Health and Human Services, including a complete description of the event, provisions or policies implicated, and a “description of the actions taken and any further steps MIE plans to take to address the matter to mitigate any harm, and to prevent it from recurring.”

This is the second OCR settlement of the month – and year, as well as the first announced settlement after OCR said it would reduce the maximum civil penalties for HIPAA violations. On May 6, OCR settled with Tennessee-based Touchstone Medical Imaging for $3 million, following the 2014 data breach impacting 307,000 patients.