Medical imaging company to pay $3M to settle HIPAA breach impacting 300K patients

The U.S. Department of Health and Human Services Office for Civil Rights alleges that a medical imaging company's FTP server allowed uncontrolled access to its patients’ health data and enabled search engines to index the health data even after the server was taken offline.

A Franklin, Tennessee-based medical imaging company will pay $3 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations for a data breach that exposed the health information of 300,000 patients.

Touchstone Medical Imaging provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida and Arkansas.
 
According to HHS, in May 2014, Touchstone was notified by the FBI and OCR that one of its FTP servers allowed uncontrolled access to its patients’ protected health information. HHS alleges that this uncontrolled access permitted search engines to index the patient data, such as birthdates and social security numbers, which remained visible on the internet even after the server was taken offline.

While Touchstone officials initially claimed that no protected health information was exposed, during OCR's investigation the diagnostic imaging company subsequently admitted that the sensitive health information of more than 300,000 patients was exposed, including names, birthdates, social security numbers and addresses, according to OCR officials.

"OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely," OCR said in a press release.

According to HHS, Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its electronic protected health information. OCR said it also failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider, as required by the HIPAA security and breach notification rules.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR Director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.” 

HHS recently moved to adjust the monetary penalties it imposes on healthcare providers, health plans and their business associates for HIPAA violations, lowering the annual cap for the least-severe violation from $1.5 million to $25,000. HHS said the new tier structure is based on culpability and sets different annual limits for fines based on four penalty tiers.

However, the action with Touchstone is a settlement and not a fine.

In addition to the monetary settlement (PDF), Touchstone agreed to complete a robust corrective action plan that includes the adoption of business associate agreements, the completion of an enterprise-wide risk analysis as well as comprehensive policies and procedures to comply with the HIPAA rules.
