Imaging services provider Touchstone Medical Imaging of Franklin, TN, will pay $3 million to settle potential HIPAA violations from a data breach that exposed protected health information (PHI) online for more than 300,000 patients, according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The radiology group, which provides imaging services in Nebraska, Texas, Colorado, and Arkansas, was notified in May 2014 by the FBI and OCR that one of its FTP servers allowed uncontrolled access to patients' PHI. Because the server was reachable without access controls, search engines indexed the exposed files, and those indexed copies remained visible on the internet even after the server was taken offline, according to HHS.
Although Touchstone initially claimed that no personal patient information had been exposed, it subsequently admitted during OCR's investigation that more than 300,000 patients had their data exposed, including names, birth dates, Social Security numbers, and addresses, HHS said. Furthermore, OCR found that Touchstone did not thoroughly investigate the security incident until several months after being informed of the breach by both the FBI and OCR, a delay that in turn made its breach notification to the affected individuals untimely, according to HHS.
OCR also found that Touchstone failed to accurately and thoroughly assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI. What's more, Touchstone failed to have business associate agreements in place -- as required by HIPAA -- with its vendors, including its IT support firm and a third-party data center provider.
In addition to the $3 million settlement, Touchstone has also agreed to a corrective action plan, which will include the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and implementation of comprehensive policies and procedures to comply with the HIPAA rules.