Touchstone Medical Imaging (Touchstone) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a no-fault settlement and two-year corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
Touchstone provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas. According to the HHS-OCR press release and settlement agreement, OCR and the Federal Bureau of Investigation (FBI) notified Touchstone in early May 2014 that its File Transfer Protocol (FTP) servers allowed uncontrolled access to its patients’ protected health information (PHI). By mid-May 2014, OCR confirmed that PHI for Touchstone’s patients, including some Social Security numbers, was still visible online via a Google search even after Touchstone had taken the FTP server offline. OCR’s investigation revealed that the name, date of birth, phone number, address, and some Social Security numbers of 307,839 individuals had been accessible to the public because of this security incident. Touchstone did not investigate this security incident until several months after it received notice from OCR and the FBI, which consequently resulted in untimely notices to the affected individuals and the media.
According to OCR, Touchstone failed to perform the following:
- Implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to the FTP server;
- Enter into a written business associate agreement (BAA) with its business associate “MedIT Associates” until June 2, 2016 – over two years after the incident with the FTP server;
- Enter into a written BAA with its business associate “XO Communications;”
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Touchstone’s ePHI;
- Accurately identify and respond to the security incident that gave rise to this settlement; and
- Notify the affected individuals and the media of the breach until nearly 150 days after Touchstone discovered the breach.
This HIPAA settlement is the second wave of activity from HHS-OCR since the announcement that HHS reduced the annual limit amount of civil money penalties for HIPAA violations, effective immediately, described in this DBR on Data post.