A medical imaging company is paying for its flawed data security system. In addition to its system failures, the company failed to investigate and respond properly when alerted to problems by the FBI. As a result, the Office of Civil Rights imposed a $3 million penalty and required a corrective action plan. This is yet another warning to the health care industry that data security matters.

Office of Civil Rights Enforcement

The Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services investigates and enforces violations of HIPAA, the Health Insurance Portability and Accountability Act. In this case, OCR investigated a medical imaging company that allowed privacy information about more than 300,000 patients to be visible on the internet.

Compounding The Failure

OCR reported that an “insecure transfer protocol (FTP) web server” permitted internet searches to access social security numbers and other patient data. Because the company had not conducted a risk assessment, it did not identify the problem. In fact, it did not even have required Business Associate Agreements in place with its vendors. Compounding all this, the company declined to “identify and respond” for more than four months after the FBI notified the company of the failure.