Diagnostic Imaging Provider Pays $3 Million to Settle Data Breach
May 7, 2019 | Eric D. Fader | Cybersecurity | Electronic Health Records | HIPAA | Litigation
Touchstone Medical Imaging has agreed to pay $3 million to settle HIPAA violations after an unsecured server left the medical records of 300,000 patients exposed to the internet and indexed by Google in 2014. The U.S. Department of Health and Human Services (HHS) announced the settlement on May 6. Touchstone, based in Franklin, Tennessee, provides diagnostic imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.
The hefty settlement amount was substantially driven by Touchstone’s inexplicable failure to fully investigate the data breach for several months after being notified of it by the FBI and the HHS Office for Civil Rights (OCR); however, the company’s additional failings would fill many of the boxes on a bingo card of possible HIPAA violations. Touchstone’s initial claim that no protected health information had been exposed suggests that, at best, its investigation was inept and, at worst, the company initially attempted to deceive the OCR. According to the OCR, the company also did not implement the required technical policies and procedures; did not have the required business associate agreements in place with its vendors; failed to conduct and document an enterprise-wide risk analysis; and failed to notify affected patients and media outlets of the breach within the required timeframes.
Touchstone’s two-year corrective action plan requires the company to correct all of the identified violations and provide regular reports to the OCR on its progress. The settlement, the first to be publicly announced by HHS and the OCR in 2019, confirms that HIPAA enforcement is still alive and well despite HHS’s recent notice of enforcement discretion that reduced some potential HIPAA penalties, as discussed here.