Medical imaging company to pay $3M to settle HIPAA breach impacting 300K patients

The U.S. Department of Health and Human Services Office for Civil Rights alleges that a medical imaging company's FTP server allowed uncontrolled access to its patients' health data and enabled search engines to index the health data even after the server was taken offline.

A Franklin, Tennessee-based medical imaging company will pay $3 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations for a data breach that exposed the health information of 300,000 patients.

Touchstone Medical Imaging provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida and Arkansas.
 
According to HHS, in May 2014 the FBI and OCR notified Touchstone that one of its FTP servers allowed uncontrolled access to patients' protected health information. HHS alleges that this uncontrolled access let search engines index the patient data, including birthdates and Social Security numbers, so that the indexed copies remained visible on the internet even after the server itself was taken offline.


Touchstone officials initially claimed that no protected health information had been exposed. During OCR's investigation, however, the diagnostic imaging company admitted that the sensitive health information of more than 300,000 patients was exposed, including names, birthdates, Social Security numbers and addresses, according to OCR officials.


"OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely," OCR said in a press release.

According to HHS, Touchstone failed to conduct an accurate and thorough analysis of the risks and vulnerabilities to the confidentiality, integrity and availability of all of its electronic protected health information. OCR said Touchstone also failed to have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as the HIPAA rules require.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR Director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.” 


HHS recently moved to adjust the monetary penalties it imposes on healthcare providers, health plans and their business associates for HIPAA violations, lowering the annual cap for the least-severe violation tier from $1.5 million to $25,000. HHS said the new structure is based on culpability and sets a different annual limit on fines for each of four penalty tiers.

However, the action with Touchstone is a settlement and not a fine.

In addition to the monetary settlement, Touchstone agreed to complete a corrective action plan that includes the adoption of business associate agreements, the completion of an enterprise-wide risk analysis and the development of comprehensive policies and procedures to comply with the HIPAA rules.
