Share this article on:
A Tennessee-based provider diagnostic radiology services has announced that it has suffered a data breach that has potentially exposed the billing information and personal identifiers of 307,000 individuals from all over the United States.
Touchstone Medical Imaging, LLC discovered an infrequently used folder containing patient data was accessible via the internet. The issue was discovered on May 9, 2014 and access to the folder and the files it contained was immediately blocked.
According to a statement released by Touchstone Medical Imaging, “We immediately secured the folder and removed it from public view. We also began an internal investigation, which initially led us to believe that the patient information in the folder was not readable.” The statement went on to say “On Sept. 5, 2014, we obtained new information that suggested that the patient information may have been readable and included patients’ names, dates of birth, addresses, telephone numbers, health insurer names, radiology procedures, diagnoses and in some instances, Social Security numbers. Medical records were not included.”
On October 3, in accordance with Privacy and Security Rules, TMI sent breach notification letters to all affected patients advising them of the potential exposure of some of their personal data. Although the files were accessible, TMI had no reason to believe that the data had been accessed or used improperly, and it stated that it was notifying patients “in abundance of caution”.
The data breach has been reported to the Department of Health and Human Services and the incident has now been posted online on what is often referred to as its “Wall of Shame”. While this is not the largest data breach to occur this year, it certainly ranks as one of the biggest exposures of patient data of 2014.
The Office for Civil Rights investigates reports of data breaches and Touchstone could face a financial penalty and other sanctions for the failure to adequately protect the data of its patients. A breach of this magnitude could incur a heavy financial penalty, although the seriousness of the breach, the significant risk of harm and the company’s actions to mitigate risk should be taken into consideration.
It would appear that the breach was caused by an employee oversight or procedural IT failures. Earlier this year, the OCR investigated Phoenix Cardiac Surgery P.C for posting protected data in an online calendar which was publically accessible and it issued the healthcare provider with a $100,000 fine. The extent of data exposed in this incident could see a more significant financial penalty applied.
This incident demonstrates how a simple oversight can result in the exposure of hundreds of thousands of records and why a thorough risk analysis of all IT systems must be conducted to identify all vulnerabilities. Ongoing monitoring services are also required to ensure that systems remain protected and security breaches are identified in the shortest possible timeframe.