Q&A: Steps to follow if PHI is exposed online

January 23, 2020
Medicare Web

Q: In the Office for Civil Rights' (OCR) $3 million settlement with Touchstone Medical Imaging, it was discovered that one of its file transfer protocol (FTP) servers allowed uncontrolled access to its patients’ PHI. This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline. What common missteps can providers avoid in this arena?

A: If the FBI or OCR calls and lets you know your data is exposed on the Internet, the first answer should not be to claim the FBI or OCR are wrong—that no PHI was exposed. That doesn’t put you in good stead with the regulators, especially if your data is exposed. Your first answer should be a big thanks and that you will quickly investigate and, if necessary, protect the PHI.

Touchstone’s second big misstep was to not notify those impacted by the breach, representing a gap between the date the breach was discovered and the date Touchstone informed its patients of the breach. Covered entities (CE) have a maximum of 60 calendar days to notify individuals and OCR. Touchstone took 147 days to get the notifications out.

There were other significant mistakes made by Touchstone, which include the following:

  • Not properly securing the FTP server, permitting anonymous FTP connections to a shared directory
  • Not implementing technical policies and procedures to allow access only to those individuals or software programs that have been granted access rights to an FTP server that maintained ePHI
  • Not conducting a timely risk analysis
  • Not executing a business associate (BA) agreement with one of its vendors who had access to Touchstone PHI
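The first two findings above (anonymous access to a shared directory, and no restriction of access to accounts that were actually granted rights) are configuration failures that can be audited mechanically. The following Python script is an added example, not part of the article or the settlement record: it parses a vsftpd-style configuration file and flags those settings, alongside a cleartext-transport check. The article does not name Touchstone's FTP software, so vsftpd, its option names, and both sample configurations are assumptions constructed here for illustration.

```python
"""Audit a vsftpd configuration for the weaknesses described in the settlement.

Added example. vsftpd (a common Unix FTP daemon) and its option names are an
assumption; the article does not say what software Touchstone ran. Both sample
configurations below are constructed, not taken from any real server.
"""

# Constructed sample: anonymous reads of a shared directory, no TLS, no allow-list.
WEAK_CONF = """
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/shared
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# Constructed sample: anonymous logins off, named accounts only, chrooted, TLS forced.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means none of the checked weaknesses are present."""
    findings = []

    def yes(key, default="NO"):
        return conf.get(key, default).upper() == "YES"

    # vsftpd's compiled-in default for anonymous_enable is YES, so an absent key is still a finding.
    if yes("anonymous_enable", default="YES"):
        findings.append("anonymous logins enabled: anyone, including search-engine crawlers, can read exposed directories")
        if yes("anon_upload_enable") or yes("anon_mkdir_write_enable"):
            findings.append("anonymous write access enabled")

    if yes("local_enable") and not yes("userlist_enable"):
        findings.append("no allow-list of permitted accounts (userlist_enable=NO): every system account can log in")
    if yes("local_enable") and yes("userlist_enable") and yes("userlist_deny", default="YES"):
        findings.append("user list is a deny-list (userlist_deny=YES), not an allow-list of granted accounts")

    if yes("local_enable") and not yes("chroot_local_user"):
        findings.append("local users not chrooted: logins can browse outside their own directory")

    if not yes("ssl_enable"):
        findings.append("TLS disabled: credentials and file contents cross the network in cleartext")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(parse_vsftpd(text))
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run it against a real `/etc/vsftpd.conf` by reading the file into `parse_vsftpd`; a clean result only covers the settings checked here, so pair it with a review of directory permissions and of which accounts appear in the user list.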

In the end, this laundry list of missteps should serve as a warning to CEs and BAs. OCR was and is taking information security and compliance seriously. To not do so could lead to adverse headlines and costly penalties.

Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
