The US Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered healthcare entities. The settlement concludes OCR’s investigation of a data breach, where a server containing the protected health information (PHI) of 230,572 individuals was left unsecure and accessible on the internet. The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor. MedEvolve has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan which identifies steps MedEvolve will take to resolve these potential violations and protect the security of electronic PHI.