The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced a settlement with Touchstone Medical Imaging (“Touchstone”) for its potential violations of the HIPAA Security and Breach Notification Rules. Touchstone has agreed to pay $3,000,000 and adopt a corrective action plan.
Touchstone is a diagnostic medical imaging services company based in Franklin, Tennessee, and provides services in Nebraska, Texas, Colorado, Florida, and Arkansas.
In May 2014, Touchstone was informed by the FBI and OCR that one of its FTP servers was giving uncontrolled, unauthorized access to protected health information (PHI). This uncontrolled access allowed files to be indexed by search engines, meaning an unauthorized individual could access another’s PHI simply by performing an Internet search.
Initially, Touchstone claimed that no PHI was exposed by the uncontrolled server. The story changed during OCR’s investigation, when Touchstone ultimately admitted that the PHI of over 300,000 patients was, in fact, exposed. The information involved in the exposure includes names, birth dates, social security numbers, and addresses.
Even after the notice was issued to Touchstone and the server was taken offline, PHI remained visible on the Internet.
OCR found that Touchstone was in violation of multiple HIPAA rules. Following the breach notice issued by the FBI and OCR, Touchstone did not conduct a thorough investigation of the breach for several months. Not only did the delayed investigation of the breach violate HIPAA, but it also resulted in delayed breach notifications for the affected individuals as well as a delay in notifying the media – both additional HIPAA violations.
Further investigation revealed that Touchstone had also failed to conduct an accurate and thorough risk analysis of its organization, a critical component in identifying potential risks to the confidentiality, integrity, and availability of electronic PHI (ePHI) – and the violations don’t stop there.
OCR identified two situations where Touchstone failed to have Business Associate Agreements in place with their vendors – including their IT support and a third-party data center, another HIPAA violation.
The $3 million settlement isn’t the only action that needs to be taken by Touchstone. In addition to the monetary settlement, a robust corrective action plan must be adopted to address its HIPAA compliance deficiencies, including carrying out business associate agreements, completing an enterprise-wide risk analysis, and adopting HIPAA policies and procedures.
Although the number of HIPAA violations associated with this breach is extensive, all serve as an important reminder of the requirements under HIPAA that cannot be ignored. Performing a risk analysis, having Business Associate Agreements in place for the entire duration of a vendor contract, implementing and enforcing policies and procedures, ensuring technical safeguards are in place, and training employees on HIPAA and security awareness are just a few key pieces of HIPAA compliance that should be addressed and evaluated routinely.
In addition, this case highlights the necessity of taking swift action following a breach. Had Touchstone started their corrective action efforts immediately following their notification from the FBI and OCR, several violations could have been avoided – the violations associated with delayed breach notifications specifically.