The U.S. Department of Health and Human Services Office for Civil Rights announced a settlement with MMG Fusion, LLC resolving an investigation into potential violations of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule following a breach affecting approximately 15 million individuals.
Investigation Timeline and Breach Activity
MMG Fusion, LLC is a Maryland software company that operates as a HIPAA business associate: it receives access to protected health information (PHI) from HIPAA-covered healthcare providers and supplies the software those providers use to communicate with their patients. The Office for Civil Rights initiated the investigation in March 2023 after receiving a complaint on January 6, 2023 concerning an unreported security incident at MMG Fusion. The complaint alleged a data breach that had been reported neither to the Office for Civil Rights nor to the affected covered entities.
The investigation determined that an unauthorized actor infiltrated MMG Fusion’s information system in December 2020 and gained access to PHI. The accessed information included names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The unauthorized actor also exfiltrated the data from MMG Fusion’s network and posted the information on the dark web.
Regulatory Findings
The Office for Civil Rights determined that the incident resulted in an impermissible disclosure of PHI affecting approximately 15 million individuals. The investigation also determined that MMG Fusion had not conducted an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information prior to the breach. The investigation further determined that MMG Fusion failed to notify affected covered entity clients about the breach as required under the HIPAA Breach Notification Rule.
Settlement Terms and Financial Resolution
The Office for Civil Rights resolved the investigation through a settlement agreement with MMG Fusion rather than pursuing a civil monetary penalty through enforcement proceedings. Under the settlement terms, MMG Fusion agreed to pay $10,000 to the Office for Civil Rights. The Office for Civil Rights considered the financial condition of MMG Fusion when determining the settlement amount. The settlement also requires MMG Fusion to comply with a corrective action plan that will be monitored by the Office for Civil Rights for three years.
Corrective Action Plan Requirements
The corrective action plan requires MMG Fusion to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).
MMG Fusion must develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis.
The company must develop, maintain, and revise written policies and procedures to ensure compliance with the HIPAA Privacy Rule and HIPAA Security Rule.
MMG Fusion must ensure that workforce members receive training regarding policies and procedures related to the HIPAA Privacy Rule and HIPAA Security Rule.
The company must also perform a breach risk assessment related to the December 2020 cyberattack and notify affected covered entities about the breach incident to the extent possible.
Additional corrective action plan requirements include providing the Office for Civil Rights with training materials used for workforce training and providing a comprehensive list of affected covered entity clients.
MMG Fusion must also provide covered entity clients with the identities of individuals whose ePHI is reasonably believed to have been impacted to the extent possible.
