Touchstone Medical Imaging to pay $3M Federal Fine Following Cyber Security Breach

Touchstone Medical Imaging (Touchstone) has agreed to pay a federal fine of $3,000,000 to the Office for Civil Rights (OCR) at the United States Department of Health and Human Services (HHS), and has also agreed to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules.

Located in Franklin, Tennessee, Touchstone provides medical diagnostic imaging services in Texas, Nebraska, Colorado, Arkansas, and Florida.

According to a statement from the U.S. Department of Health and Human Services, the Tennessee-based imaging company permitted uncontrolled access to a server containing the personal health records of more than 300,000 patients, including names, dates of birth, addresses, and Social Security numbers.

The HHS statement read: “Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem. Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

In addition, Touchstone has agreed to develop and carry out a corrective action plan including the “adoption of business associate agreements, completion of enterprise-wide risk analysis, and comprehensive policies and procedures to comply with HIPAA rules.”

The Background

Touchstone received notification from the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers permitted uncontrolled access to patients’ protected health information (PHI). As a result, search engines were able to index the PHI of Touchstone’s patients, and the indexed information remained visible online even after the server was taken offline.

Touchstone initially claimed that no PHI had been exposed, but it could not maintain that position. During the OCR investigation, Touchstone admitted that the PHI of more than 300,000 patients had been exposed, down to the individual details of each patient’s record.

During the investigation, OCR also found that Touchstone did not thoroughly investigate the security incident until several months after receiving notice of the breach from both OCR and the FBI. As a consequence, Touchstone’s notification to the individuals affected by the breach was also untimely.

The OCR investigation also revealed that Touchstone had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (ePHI). It had also failed to enter into business associate agreements with its vendors, including its IT support vendor and a third-party data center provider, as HIPAA requires.

sepStream® is one of the most trusted medical and diagnostic imaging solution providers. Patients receive optimum care, accurate diagnoses, and timely results, which speeds up patient health care and widens the scope for early diagnosis and treatment. We are committed to providing quality health care to patients through new and advanced imaging solutions. We provide the best EMR/PACS/RIS solutions and make them cost-effective for patients. Our technically knowledgeable team provides the necessary assistance and efficient care.