Diagnostic Medical Imaging Company Pays $3 Million to Resolve Potential HIPAA Violations Stemming from Data Breach

Robinson+Cole Data Privacy + Security Insider
The Office of Civil Rights (OCR), the enforcement arm of the Department of Health & Human Services (HHS), announced that a Tennessee diagnostic medical imaging services company has agreed to pay $3 million to settle potential HIPAA violations arising from a data breach that exposed over 300,000 patients’ protected health information. As part of the settlement, the company—Touchstone Medical Imaging (Touchstone)—must also adopt a corrective action plan to address problems uncovered during OCR’s investigation.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its servers allowed uncontrolled access to its patients’ protected health information (PHI). This permitted search engines (such as Google) to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the insecurely configured server was taken offline. Although Touchstone initially claimed that no patient PHI was exposed, it subsequently admitted during OCR’s investigation that the PHI of more than 300,000 patients was exposed, including names, birth dates, addresses, phone numbers, and some social security numbers.

During its investigation, OCR determined that Touchstone did not thoroughly investigate the security incident until several months after being notified of the breach, so that the company’s notification to affected individuals and the media was also untimely. OCR also found that Touchstone had failed to conduct an accurate and complete risk analysis of potential risks and vulnerabilities to its electronic PHI, and did not have HIPAA-required business associate agreements with its vendors.

The Resolution Agreement states that it is neither an admission of liability by Touchstone, nor a concession by HHS that Touchstone is not in violation of the HIPAA rules. Nevertheless, it serves as a reminder to health care companies—which are a frequent target of hackers—that they need to be proactive in assessing the security of systems (electronic and otherwise) where PHI is stored and fix any problems identified. Companies also should ensure that HIPAA-compliant business associate agreements are in place, promptly investigate any potential data breaches, and be aware of their breach notification obligations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
