Medical imaging company resolves potential HIPAA liability for $3 million
On April 5, 2019, Touchstone Medical Imaging, LLC, a Tennessee company that owns and operates diagnostic imaging centers throughout the US, entered into an agreement with the Office for Civil Rights of the United States Department of Health and Human Services (OCR, DHHS) to resolve potential liability under HIPAA, 45 CFR Parts 160, 162 and 164, for an insecurely configured file transfer protocol (FTP) server that allowed public access to the names, dates of birth, and social security numbers of 307,839 patients. The incident occurred in 2014 and was followed by an OCR investigation, which found that Touchstone impermissibly disclosed the patients' protected health information via the insecurely configured server, and that the company failed:
- to implement policies and procedures to allow access only to permitted users;
- to implement proper business associate agreements with service providers;
- to conduct accurate and thorough risk assessments pertinent to confidential information;
- to identify, respond to, or mitigate a known security incident; and
- to notify victims or the media for 147 days after discovering the security breach.
HHS press release | Resolution Agreement and Corrective Action Plan