The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services revealed on May 6, 2019 that Tennessee-based Touchstone Medical Imaging (TMI) entered into a Resolution Agreement (RA) requiring it to pay a $3 million fine to settle a data breach that exposed over 300,000 patients’ protected health information (PHI). In addition to the significant monetary fine, TMI must adopt a corrective action plan that will address shortfalls in the company’s compliance with the HIPAA Security and Breach Notification Rules, which is a typical condition found in RAs following a breach of PHI.
Touchstone was first notified of the breach by the FBI and OCR. According to the OCR press release, one of the company’s computer servers permitted unauthorized access to PHI, allowing internet search engines to index the PHI, and the indexed PHI remained available to the public even after the server was taken offline.
According to one report, the records made public included “billing information of patients including Social Security numbers, names, addresses, date of birth, and phone numbers.” TMI initially took the position that no PHI was exposed, but during a subsequent investigation, it was discovered that PHI for more than 300,000 patients was exposed. OCR alleged that TMI “did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.” OCR claimed that, because TMI failed to investigate the breach sooner, patients affected by the breach were not notified in a timely manner.
OCR’s investigation concluded that TMI did not fully analyze the risks to the PHI in its possession and did not have business associate agreements in place with its vendors. This is a fundamental HIPAA failure. As a result, TMI was given 60 days after the effective date of the RA to provide OCR with a list of business associates and the agreements in place with them.
In OCR’s press release concerning the TMI settlement, Director Roger Severino is quoted as saying, “[c]overed entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem. Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
The TMI settlement is just the latest in OCR’s enforcement efforts, including the $3 million settlement with Cottage Health that topped off the $28.7 million in enforcement settlements for 2018.