Extensive HIPAA Failures Lead to $3 Million for Touchstone Medical Imaging
The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed that a settlement has been agreed between with the Franklin, TN-based diagnostic medical imaging services firm, Touchstone Medical Imaging. The settlement resolves many breaches of HIPAA Rules identified by OCR during the review of a 2014 data breach.
Touchstone Medical Imaging has agreed to a settlement of $3,000,000 in relation to the violations and will implement corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and noncompliance with HIPAA Rules that went on for a long period of time. OCR alleged 8 separate breaches across 10 HIPAA provisions. The settlement resolves the HIPAA case with no acceptance of liability.
On May 9, 2014, Touchstone Medical Imaging was advised by the FBI that one of its FTP servers was accessible over the Internet was permitted to establish anonymous connections to a shared directory. The directory stored files that included the protected health information (PHI) of 307,839 people.
Due to the lack of access controls, files had been indexed by search engines and could be found by the public with basic Internet searches. Even when the server was taken offline, patient data could still be accessed using the Internet. The failure to secure the server was a violation of 45 C.F.R. § 164.312(a)(1).
The security breach was made known to OCR, but Touchstone initially argued that no PHI had been exposed. OCR began an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been breached. The types of data that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.
Along with the impermissible disclosure of 307,839 individuals’ PHI – a breach of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014: Several months after Touchstone was initially alerted regarding the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. §164.308(a)(6)(ii).
Due to the delayed investigation, impacted individuals did not receive notifications about the exposure of their PHI until 147 days after the identification of the breach: Well over the 60-day Breach Notification Rule’s maximum time limit for issuing alerts. The delayed breach notices were a breach of 45 C.F.R. § 164.404. Similarly, a media notice was not published about the breach for 147 days, in violation of 45 C.F.R. § 164.406.
During its investigation, OCR found that that Touchstone had failed to complete a thorough, group-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI: A violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).
OCR also discovered two cases of Touchstone having failed to enter into a business associate agreement with vendors before providing access to systems containing ePHI.
OCR cites the use of an IT services company – MedIT Associates – without a BAA as a violation 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).
Along with this, a violation of 45 C.F.R. § 164.308(b), XO Communications continues to be put to use without a business associate agreement completed.
OCR Director Roger Severino said: “Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem. Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
The settlement shortly after OCR revealed it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial pines, when dangerous violations of HIPAA Rules are discovered and healthcare groups fail to take prompt action to correct violations, the financial penalties can be high.