Tennessee-Based Medical Imaging Company Pays $3M to Settle HIPAA Violations

May 7, 2019

A Franklin, Tenn.-based medical imaging company will pay $3 million to the Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations for a 2014 data breach that exposed the protected health information (PHI) of 300,000 patients. 

The company, Touchstone Medical Imaging, has also agreed to adopt a corrective action plan as part of the settlement, the U.S. Department of Health and Human Services (HHS) announced this week.

Touchstone—which provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas—was notified by the FBI and OCR in 2014 that one of its FTP servers allowed uncontrolled access to its patients PHI. The company initially said that no patient PHI was exposed, but an OCR investigation revealed that Touchstone later admitted that the health data of more than 300,000 patients was exposed.

This data included names, birth dates, social security numbers, and addresses. OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR, according to the government’s press release.

Federal officials attested that Touchstone’s notification to individuals affected by the breach was also untimely. What’s more, OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

The uncontrolled access enabled search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline, officials said.

 “Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR Director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure,” he added.

Beyond the monetary settlement, Touchstone “will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules,” federal officials stated.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?