Medical imaging company to pay $3M to settle HIPAA breach impacting 300K patients

A Franklin, Tennessee-based medical imaging company will pay $3 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations for a data breach that exposed the health information of 300,000 patients.

Touchstone Medical Imaging provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida and Arkansas.

According to HHS, in May 2014, Touchstone was notified by the FBI and OCR that one of its FTP servers allowed uncontrolled access to its patients’ protected health information. HHS alleges that this uncontrolled access permitted search engines to index the patient data, such as birthdates and social security numbers, which remained visible on the internet even after the server was taken offline.


While Touchstone officials initially claimed that no protected health information was exposed, the diagnostic imaging company subsequently admitted during OCR's investigation that the sensitive health information of more than 300,000 patients was exposed, including names, birthdates, social security numbers and addresses, according to OCR officials.

"OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely," OCR said in a press release.

According to HHS, Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its electronic protected health information. OCR said it also failed to have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as required by the HIPAA security and breach notification rules.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR Director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”


HHS recently moved to adjust the monetary penalties it imposes on healthcare providers, health plans and their business associates for HIPAA violations, lowering the annual cap for the least-severe violation from $1.5 million to $25,000. HHS said the new tier structure is based on culpability and sets different annual limits for fines based on four penalty tiers.

However, the action with Touchstone is a settlement and not a fine.

In addition to the monetary settlement, Touchstone agreed to complete a robust corrective action plan that includes the adoption of business associate agreements, the completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules.