Touchstone Medical Imaging is set to pay $3 million to settle potential HIPAA violations that exposed the protected health information (PHI) of more than 300,000 people.
PHI held by the regional provider of diagnostic medical imaging services was accessible to search engines, resulting in names, birth dates, social security numbers and addresses being visible on the internet.
HHS found Touchstone failed to properly investigate the security incident until months after it learned of the breach.
The FBI told Touchstone that an insecure file transfer protocol web server made PHI visible via a Google search in May 2014. The HHS Office for Civil Rights (OCR) began an investigation around the same time and contacted Tennessee-based Touchstone about the probe in August 2014.
OCR's investigation revealed Touchstone "failed to implement technical policies and procedures" to restrict access to its server and "failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI." The probe also found Touchstone worked with third parties without signing business associate agreements.
Touchstone has not admitted liability, but OCR said these failures led to the release of PHI for more than 300,000 patients. OCR has also accused Touchstone of failing to respond to the security incident and of taking 147 days to inform the affected patients about the data breach.
Touchstone also must analyze its security risks and vulnerabilities. HHS expects Touchstone to share the scope and methodology of its risk analysis within 30 days, and provide it with the results within 120 days of getting the green light to start the assessment. Beyond that, Touchstone will need to create a plan to address risks identified by the analysis and review its operation annually.
News of the settlement comes 16 months after the first HIPAA enforcement action relating to the late reporting of a data breach. In that action, Presence Health agreed to pay $475,000 for taking more than 100 days to tell patients, the media and HHS about a breach affecting more than 500 people.