On April 5, 2019, Touchstone Medical Imaging, LLC, a Tennessee company that owns and operates diagnostic imaging centers throughout the US, entered into an agreement with the Office for Civil Rights of the United States Department of Health and Human Services (OCR, DHHS) to resolve potential liability under HIPAA, 45 CFR Parts 160, 162 and 164, arising from an insecurely configured file transfer protocol (FTP) server that exposed the names, dates of birth, and social security numbers of 307,839 patients to the public. The incident occurred in 2014 and was followed by an OCR investigation, which found that Touchstone had impermissibly disclosed the patients’ protected health information through the insecurely configured server, and that the company had failed:
- to implement policies and procedures to allow access only to permitted users;
- to implement proper business associate agreements with service providers;
- to conduct accurate and thorough risk assessments pertinent to confidential information;
- to identify, respond to, or mitigate a known security incident; and
- to notify affected individuals and the media until 147 days after discovering the breach.
Without admitting liability, Touchstone agreed to pay HHS $3 million and to comply with a Corrective Action Plan that includes: risk analyses; a risk management plan; a review of its business associate relationships and adequate agreements with them; revision of the company’s policies and procedures to comply with the Privacy, Security and Breach Notification Rules under 45 CFR Part 160 and Subparts A, C and E of Part 164; and training of the company’s employees.
HHS press release | Resolution Agreement and Corrective Action Plan