Tennessee-based medical imaging company will pay $3M HIPAA settlement

Posted on: Wednesday, May 8, 2019 By: KorchekStaff

Touchstone Medical Imaging has agreed to pay $3 million to HHS' Office for Civil Rights to settle a breach that exposed more than 300,000 patients' protected health information.

Touchstone Medical Imaging, a diagnostic imaging services company based in Franklin, Tennessee, has agreed to pay $3 million to HHS’ Office for Civil Rights to settle potential HIPAA violations.

The company has also agreed to a corrective action plan, which includes putting business associate agreements in place, completing an enterprise-wide risk analysis, and adopting policies and procedures to comply with HIPAA.

According to its website, Touchstone has imaging centers in Arkansas, Colorado, Florida, Montana, Nebraska, Oklahoma and Texas.

In May 2014, the FBI and OCR notified Touchstone that one of its FTP servers allowed uncontrolled access to its patients’ protected health information, according to HHS. Search engines could index the patients’ PHI, which remained visible online even after the server was taken offline.

Touchstone initially said that no patient PHI was exposed, according to HHS.

After OCR’s investigation, Touchstone admitted that the PHI of more than 300,000 patients was exposed. This included names, birth dates, Social Security numbers and addresses.

The investigation found Touchstone didn’t thoroughly investigate the security incident until several months after the FBI and OCR notified it of the breach. Further, the OCR investigation found Touchstone failed to conduct a thorough risk analysis of potential risks and vulnerabilities to the confidentiality and availability of its electronic PHI. OCR also said Touchstone failed to have business associate agreements in place with its vendors.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

Touchstone Medical Imaging did not immediately respond to a request for comment.

This news regarding Touchstone comes after HHS announced it will set maximum annual HIPAA fines based on an organization’s level of culpability.