OCR announces $3 million settlement following breach affecting 300,000 patients

On May 6, HHS’ Office of Civil Rights (OCR) announced that Touchstone Medical Imaging has agreed to pay a $3 million settlement following a security incident that exposed the protected health information (PHI) of more than 300,000 patients in 2014.

Touchstone, which provides diagnostic medical imaging and is based in Franklin, Tennessee, was notified by the FBI and OCR in May 2014 that one of its FTP servers allowed unsecure access to files containing PHI, which permitted search engines to index said PHI. The information remained visible online after the server was taken offline. OCR’s investigation found that the exposed PHI included the following:

• Addresses
• Birth dates
• Names
• Social Security numbers

In addition to the breach itself, the subsequent OCR investigation found that Touchstone did not thoroughly investigate the incident until several months after receiving the breach notice from the FBI and OCR. As a result, the breach notification sent by Touchstone to the affected individuals was not completed within 60 days as required by HIPAA’s Breach Notification Rule (45 CFR §§164.400–414). Further, OCR’s investigation found that Touchstone failed to conduct a risk analysis of the vulnerabilities of all of its electronic PHI and failed to have business associate agreements (BAA) in place with its vendors, including its IT support vendor and third-party data center provider.

In addition to the monetary settlement with OCR, Touchstone will also engage in a corrective action plan, including adopting BAAs and completion of an enterprise-wide risk analysis.