On May 6, 2019, the U.S. Department of Health and Human Services (“HHS”) announced a $3 million settlement with Touchstone Medical Imaging (“Touchstone”) for potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) relating to a data breach that exposed the protected health information (“PHI”) of over 300,000 patients. HIPAA requires covered entities (e.g., health plans, health care providers, and health care clearinghouses) to implement policies and safeguards governing how PHI is used, disclosed, and protected.
In May 2014, Touchstone was notified by the HHS Office for Civil Rights (“OCR”) and the FBI that one of its servers allowed “uncontrolled access” to patient information, leaving that data visible on the Internet. Because access to the server was not controlled, search engines were able to crawl and index the PHI of over 300,000 patients, including names, dates of birth, and Social Security numbers. The investigation further revealed that Touchstone neither investigated the incident in a timely manner nor notified the affected individuals until several months after the notice from OCR and the FBI.
According to OCR, Touchstone failed to conduct “an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider, as required by HIPAA.” In other words, OCR's position is that this breach was preventable: a thorough risk analysis is exactly the exercise that should have identified an Internet-facing server holding ePHI with no access controls, and business associate agreements are what bind the vendors who operate such infrastructure to HIPAA's safeguards. To learn more about the requirements for health IT data management, see the downloadable Security Risk Assessment Tool approved by OCR.
As part of the settlement, Touchstone agreed to a corrective action plan that includes adopting business associate agreements, conducting an enterprise-wide risk analysis, and implementing policies and procedures to comply with HIPAA. For more information on HIPAA compliance, please review Compliancedashboard’s HIPAA Privacy and Security activities.
The information and content contained in this blog post are for general informational purposes only and do not, and are not intended to, constitute legal advice.