Imaging Service Company's Breach Results in $3,000,000 Settlement
The recent Office for Civil Rights (OCR) announcement of a settlement with a Tennessee diagnostic medical imaging services company due to a breach exposing 300,000 patients' protected health information (PHI) is a reminder of the importance of following all HIPAA Rules.
According to OCR, Touchstone Medical Imaging has agreed to pay $3,000,000 and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules.
Touchstone Medical Imaging was notified by both the FBI and OCR that one of its FTP servers allowed uncontrolled access to PHI, which permitted search engines to index the PHI of Touchstone's patients. Even after the server was taken offline, the information remained visible on the internet. Yet, according to OCR's announcement, Touchstone initially claimed that no patient PHI was exposed. Subsequently, once OCR's investigation was underway, Touchstone revised its statement and revealed that the PHI of more than 300,000 patients was exposed, including names, dates of birth, social security numbers, and addresses.
Additional findings of OCR's investigation:
- The security incident was not thoroughly investigated by Touchstone until several months after OCR and the FBI notified it of the breach.
- Notification to individuals affected by the breach was untimely.
- Touchstone failed to conduct an accurate and thorough security risk analysis (SRA) of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI).
- Touchstone did not have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as required by HIPAA.
In addition to the monetary settlement, OCR indicated that Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide SRA, and comprehensive policies and procedures to comply with the HIPAA Rules.
Have questions about performing an SRA, implementing policies and procedures, or understanding business associate relationships?
We can help! Contact us by phone: 855-427-0427 or by email: firstname.lastname@example.org.