The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $3 million settlement with Touchstone Medical Imaging following a 2014 data breach.
The Franklin, TN-based diagnostic medical imaging services company agreed to the settlement to resolve multiple violations of HIPAA Rules. Touchstone has also agreed to adopt a corrective action plan to address its compliance issues. However, the settlement comes with no admission of liability by Touchstone.
The size of the settlement is due to the persistent non-compliance with HIPAA discovered by OCR’s investigators. OCR alleged 8 separate violations across 10 HIPAA provisions.
On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers had been indexed by search engines and could be accessed by unauthorized individuals. The directory contained files that included the protected health information (PHI) of 307,839 individuals.
The security breach was attributed to a lack of access controls. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 CFR § 164.312(a)(1).
The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach, during which Touchstone admitted that PHI had been exposed. The types of information exposed included names, addresses, dates of birth, and Social Security numbers.
In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 CFR § 164.502(a) – OCR discovered Touchstone had not adequately investigated the breach until September 26, 2014. This delay of several months after initial notification from the FBI was a violation of 45 CFR §164.308(a)(6)(ii).
As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach. HIPAA’s Breach Notification Rule mandates breach notifications to be issued within 60 days of the breach’s discovery. The delayed breach notices were a violation of 45 CFR § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 CFR § 164.406.
OCR investigators discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI. This is a violation of 45 CFR § 164.308(a)(1)(ii)(A).
OCR also identified two cases in which Touchstone had failed to enter into a business associate agreement (BAA) with a vendor before giving it access to systems containing ePHI. OCR cites the use of MedIT Associates, an IT services company, without a BAA as a violation of 45 CFR §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 CFR § 164.308(a)(1)(ii)(A).
Also, in violation of 45 CFR § 164.308(b), XO Communications continues to be used without a business associate agreement in place.
“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
The settlement comes just a few days after OCR announced it had reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. However, the maximum penalty was reduced only for the lower tiers, which cover less serious HIPAA violations. Touchstone’s persistent non-compliance justifies the $3 million settlement.