A healthcare company that had not conducted a comprehensive risk analysis prior to a HIPAA breach will pay $100,000, the federal government said Thursday.

Medical Informatics Engineering Inc., which is based in Fort Wayne, IN, also agreed to improve its security practices after the breach exposed protected health information of about 3.5 million people.

MIE self-reported the 2015 incident, in which hackers used a compromised user ID and password to access an electronic system. Following a lengthy investigation, the U.S. Department of Health and Human Services Office of Civil Rights announced Thursday that MIE had agreed to a fine and corrective action.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

MIE also agreed to complete a risk analysis within 30 days, followed by a corrective action plan.