Health IT

Tennessee-based medical imaging company will pay $3M HIPAA settlement

Touchstone Medical Imaging has agreed to pay $3 million to HHS' Office for Civil Rights to settle a breach that exposed more than 300,000 patients' protected health information.

This post has been updated with comment from Touchstone Medical Imaging.

Touchstone Medical Imaging, a diagnostic imaging services company based in Franklin, Tennessee, has agreed to pay $3 million to HHS’ Office for Civil Rights to settle potential HIPAA violations.

The company has also agreed to adopt a corrective action plan, which includes adopting business associate agreements, completing an enterprise-wide risk analysis and establishing policies and procedures to comply with HIPAA.

According to its website, Touchstone has imaging centers in Arkansas, Colorado, Florida, Montana, Nebraska, Oklahoma and Texas.

In May 2014, the FBI and OCR notified Touchstone that one of its FTP servers allowed uncontrolled access to its patients’ protected health information, according to HHS. Search engines could index the patients’ PHI, which remained visible online even after the server was taken offline.

Touchstone initially said that no patient PHI was exposed, according to HHS.

After OCR’s investigation, Touchstone admitted that the PHI of more than 300,000 patients was exposed. This included names, birth dates, Social Security numbers and addresses.

The investigation found Touchstone didn’t thoroughly investigate the security incident until several months after the FBI and OCR notified it of the breach. Further, the OCR investigation found Touchstone failed to conduct a thorough risk analysis of potential risks and vulnerabilities to the confidentiality and availability of its electronic PHI. OCR also said Touchstone failed to have business associate agreements in place with its vendors.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR director Roger Severino said in a statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

Via email, Touchstone director of corporate compliance Cassie Sellers said:

“Touchstone Medical Imaging takes cybersecurity very seriously. The fact that even one of our patients’ demographic information could have been accessed is one too many. Since this event occurred five years ago, we have invested heavily in our cybersecurity program, upgraded our IT systems, and added dedicated IT and privacy staff. We will continue to dedicate whatever resources are necessary to protect the privacy and security of our patients’ information.”

This news regarding Touchstone comes after HHS announced it will set maximum annual HIPAA fines based on an organization’s level of culpability.

Photo: Paul Campbell, Getty Images