Medical imaging company to pay $3M to settle HIPAA breach impacting 300K patients

Data breach
The U.S. Department of Health and Human Services Office for Civil Rights alleges that a medical imaging company's FTP server allowed uncontrolled access to its patients’ health data and enabled search engines to index the health data even after the server was taken offline. (tashka2000/Getty)

A Franklin, Tennessee-based medical imaging company will pay $3 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations for a data breach that exposed the health information of 300,000 patients.

Touchstone Medical Imaging provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida and Arkansas.
 
According to HHS, in May 2014, Touchstone was notified by the FBI and OCR that one of its FTP servers allowed uncontrolled access to its patients’ protected health information. HHS alleges that this uncontrolled access permitted search engines to index the patient data, such as birthdates and social security numbers, which remained visible on the internet even after the server was taken offline.

RELATED: HHS security policies should focus on incentives, not penalties, health IT leaders say

While Touchstone officials initially claimed no protected health information was exposed, during OCR's investigation the diagnostic imaging company subsequently admitted that the sensitive health information of more than 300,000 patients was exposed including names, birthdates, social security numbers and addresses, according to OCR officials. 

Innovation Awards

Submit your nominations for the FierceHealthcare Innovation Awards

The FierceHealthcare Innovation Awards showcases outstanding innovation that is driving improvements and transforming the industry. Our expert panel of judges will determine which companies demonstrate innovative solutions that have the greatest potential to save money, engage patients, or revolutionize the industry. Deadline for submissions is this Friday, October 18th.

"OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely," OCR said in a press release.

According to HHS, Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its electronic protected health information. OCR said it also failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider, as required by the HIPAA security and breach notification rules.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR Director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.” 

RELATED: Health systems get failing grade when it comes to NIST cybersecurity best practices: report

HHS recently moved to adjust the monetary penalties it imposes on healthcare providers, health plans and their business associates for HIPAA violations, lowering the annual cap for the least-severe violation from $1.5 million to $25,000. HHS said the new tier structure is based on culpability and sets different annual limits for fines based on four penalty tiers,

However, the action with Touchstone is a settlement and not a fine.

In addition to the monetary settlement (PDF), Touchstone agreed to complete a robust corrective action plan that includes the adoption of business associate agreements, the completion of an enterprise-wide risk analysis as well as comprehensive policies and procedures to comply with the HIPAA rules.

Suggested Articles

Health IT company Cerner announced a definitive agreement to acquire IT consulting and engineering firm AbleVets as a wholly-owned subsidiary.

Centene announced another five states have approved its pending $17B merger with WellCare, bringing total number of approvals to 24.

Tech giant Google has tapped former Obama administration healthcare official Karen DeSalvo as its first chief health officer.