The Tennessee-based medical-imaging company Touchstone has agreed to pay a hefty $3 million fine to the Office for Civil Rights (OCR) to settle a breach that occurred in May 2014. It has also accepted further corrective actions intended to prevent further violations of the Health Insurance Portability and Accountability Act (HIPAA) rules and guidelines.
While Touchstone initially denied assertions that patient Protected Health Information (PHI) had been exposed, further investigation by the OCR revealed that more than 300,000 patients’ information, including names, birth dates, social security numbers, and addresses, had been left vulnerable. The incident originally came to light when the Federal Bureau of Investigation (FBI), in conjunction with the OCR, notified Touchstone that one of its FTP servers had been allowing unrestricted access to its patients’ PHI. This oversight was compounded by the fact that search engines had been permitted to index the PHI, so the information remained visible on the internet even after the server had been shut down.
Upon being notified of the breach, Touchstone had the opportunity to address it quickly and avoid further consequences. Unfortunately, deeper examination by the OCR revealed that Touchstone had still not properly investigated the incident months after first receiving notice from the OCR and FBI. This sluggish response also extended to the company’s communication with affected individuals.
The Director of the OCR, Roger Severino, had this to say regarding the lackluster response exhibited by Touchstone Medical Imaging: “Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem.” He went on to denounce Touchstone’s failure to conduct an acceptable risk analysis of its patients’ information as required by HIPAA: “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
Due to its poor handling of the incident, Touchstone Medical Imaging is now burdened with substantial monetary damages and is required to implement a comprehensive corrective plan that will bring it back into HIPAA compliance and, hopefully, help it avoid a similar situation in the future. Touchstone is a clear example of what can happen without an appropriate understanding and application of the rules and guidelines provided under HIPAA. These rules and guidelines are covered extensively at HIPAAgps. Try our risk-free 7-day trial and enjoy the safety and security our service can help provide for you and your business.