Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014: Several months after Touchstone was initially notified about the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. §164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach: Well in excess of the 60-day Breach Notification Rule’s maximum time limit for issuing notifications. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI: A violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company – MedIT Associates  – without a BAA as a violation 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino.  “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.