$3 Million Settlement for PHI Breach Affecting Over 300,000 Patients


Metrocare Services, a mental health service provider in North Texas, has notified the Department of Health & Human Services (HHS) of a data breach affecting 5,290 patients.

The Breach Discovery

The breach was the result of a phishing attack and was discovered on February 6, 2019, when Metrocare found that an unauthorized third party had accessed some of its employees' email accounts. According to Metrocare, the affected email accounts were secured immediately after the breach was discovered, and an investigation was launched. The investigation found that the compromised email accounts had first been accessed in January 2019.

Potentially Accessed Information

The investigation revealed that some patient data was in the affected email accounts, including individuals’ names, dates of birth, driver’s license information, health insurance information, health information related to services received at Metrocare, as well as some Social Security numbers.

Patient notification began on April 5, 2019. At this time, Metrocare has no reason to believe that any of the affected patient information has been misused as a result of the incident. Individuals whose Social Security numbers may have been exposed are eligible for one year of complimentary identity protection and credit monitoring.

In their notice, Metrocare writes:

We regret any inconvenience or concern this incident may cause our community. To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system, and have implemented multi-factor authentication on its systems.

Not Their First Offense

What sounds like a sincere apology to the community may not be received as one. This breach was reported just five months after Metrocare reported a previous breach in November 2018. Worse, the new breach was almost identical to the earlier one: a phishing attack that compromised the PHI of 1,800 patients.

Following the November phishing attack, Metrocare stated they would be strengthening their security measures, including their email system and providing additional training to their employees.

Given that a very similar breach occurred only months after the first, it is clear that whatever security measures and training were implemented were not enough. Multi-factor authentication had not been enabled after the first attack; with it in place, a password harvested by a phishing email would not by itself have been enough to log in to the affected accounts, so the second compromise would very likely have been prevented.

The November phishing attack on Metrocare is not listed as closed on HHS' public breach portal, meaning the first incident may still be under investigation.



The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has announced a settlement with Touchstone Medical Imaging ("Touchstone") for potential violations of the HIPAA Security and Breach Notification Rules. Touchstone has agreed to pay $3,000,000 and adopt a corrective action plan.


Touchstone is a diagnostic medical imaging services company based in Franklin, Tennessee, and provides services in Nebraska, Texas, Colorado, Florida, and Illinois.


The Breach


In May 2014, Touchstone was notified by the FBI and OCR that one of its File Transfer Protocol (FTP) servers was allowing uncontrolled, unauthorized access to protected health information (PHI). Because the server required no credentials, its files were crawled and indexed by search engines, meaning an unauthorized individual could reach another person's PHI simply by performing an Internet search.


Initially, Touchstone stated that no PHI had been exposed by the uncontrolled server. That account changed during OCR's investigation, when Touchstone ultimately admitted that the PHI of over 300,000 patients had, in fact, been exposed. The information involved included names, birth dates, Social Security numbers, and addresses.


Even after the notice had been issued to Touchstone and the server was taken offline, PHI remained visible on the Internet. Taking a server offline does not remove what search engines have already indexed and cached; those copies persist until a removal request is made to each search engine.
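The root cause described above is an FTP server that serves files to anyone who connects. The following is an added example, not Touchstone's configuration or anything from the OCR record: a small audit of a vsftpd configuration that reports directives granting anonymous users read, list or upload access, and produces a hardened copy. It assumes vsftpd's `key=value` syntax and the defaults documented in vsftpd.conf(5); the sample configuration is constructed for illustration.

```python
"""Audit a vsftpd configuration for directives that let unauthenticated
(anonymous) clients read, list or upload files.

Added example for this article, not Touchstone's configuration or OCR material.
It assumes vsftpd's `key=value` syntax and the defaults from vsftpd.conf(5);
the sample below is constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: a permissive config of the kind that serves files to
# anyone who connects, with no credentials required.
PERMISSIVE_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/pub
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
local_enable=NO
"""

# Defaults vsftpd applies when a directive is absent (per vsftpd.conf(5)).
# Note that anonymous_enable defaults to YES, so an empty config is exposed.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_world_readable_only": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Parse `key=value` lines; blank lines and `#` comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective(conf: Dict[str, str], key: str) -> str:
    """Value vsftpd will actually use: the file's setting or the default."""
    return conf.get(key, DEFAULTS[key]).upper()


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per directive that exposes data to anonymous users."""
    findings: List[str] = []
    if effective(conf, "anonymous_enable") != "YES":
        return findings  # no anonymous login, so the anon_* directives are moot
    origin = "set in file" if "anonymous_enable" in conf else "vsftpd default"
    anon_root = conf.get("anon_root", "<ftp user home dir>")
    findings.append(
        f"anonymous_enable=YES ({origin}): anyone can log in as 'anonymous' "
        f"and read everything under anon_root={anon_root}"
    )
    if effective(conf, "anon_world_readable_only") == "NO":
        findings.append(
            "anon_world_readable_only=NO: anonymous clients can download files "
            "that are not world-readable on disk"
        )
    if effective(conf, "write_enable") == "YES":
        if effective(conf, "anon_upload_enable") == "YES":
            findings.append("anon_upload_enable=YES: anonymous clients can upload files")
        if effective(conf, "anon_mkdir_write_enable") == "YES":
            findings.append("anon_mkdir_write_enable=YES: anonymous clients can create directories")
    return findings


def harden(conf: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with anonymous access disabled. Authenticated access
    (local_enable plus TLS) is left to the operator; this check does not cover it."""
    fixed = dict(conf)
    fixed.update({
        "anonymous_enable": "NO",
        "anon_upload_enable": "NO",
        "anon_mkdir_write_enable": "NO",
        "anon_world_readable_only": "YES",
    })
    return fixed


def render(conf: Dict[str, str]) -> str:
    """Serialize a config dict back to vsftpd's key=value format."""
    return "".join(f"{key}={value}\n" for key, value in conf.items())


if __name__ == "__main__":
    parsed = parse_vsftpd(PERMISSIVE_CONF)
    for finding in audit(parsed):
        print("FINDING:", finding)
    print("--- hardened ---")
    print(render(harden(parsed)), end="")
```

The check treats an absent `anonymous_enable` as a finding because vsftpd's compiled-in default is YES; a server built from a minimal config file is exposed unless the directive is set explicitly. Disabling anonymous login closes the unauthenticated path but does not undo exposure that has already happened: files already indexed must still be dealt with through search-engine removal requests.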


The Investigation


OCR found that Touchstone was in violation of multiple HIPAA requirements. Following the breach notification from the FBI and OCR, Touchstone failed to conduct a thorough investigation of the breach for several months. The delayed investigation not only violated HIPAA but also resulted in delayed breach notifications to the affected individuals and a delay in notifying the media, both additional HIPAA violations.


Further investigation revealed that Touchstone had also failed to conduct an accurate and thorough risk analysis of its organization, a critical component in identifying potential risks to the confidentiality, integrity, and availability of electronic PHI (ePHI). The violations did not stop there.


OCR identified two instances in which Touchstone failed to have Business Associate Agreements in place with its vendors, including its IT support provider and a third-party data center, another HIPAA violation.


The Settlement


The $3 million settlement is not the only action required of Touchstone. In addition to the monetary payment, Touchstone must adopt a robust corrective action plan to address its HIPAA compliance deficiencies, including executing business associate agreements, completing an enterprise-wide risk analysis, and implementing HIPAA policies and procedures.


Although the list of HIPAA violations associated with this breach is extensive, each one serves as an important reminder of requirements under HIPAA that cannot be ignored. Performing a risk analysis, having Business Associate Agreements in place for the entire duration of a vendor relationship, implementing and enforcing policies and procedures, ensuring technical safeguards are in place, and training employees on HIPAA and security awareness are just a few of the key pieces of HIPAA compliance that should be addressed and evaluated regularly.


In addition, this case highlights the necessity of taking quick action following a breach. Had Touchstone begun its corrective actions immediately after the notification from the FBI and OCR, several violations might have been avoided, specifically those related to delayed breach notifications.



Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.
