March 31, 2020

$3 Million Settlement for Exposure of and Latent Response to Exposure of 300,000 Patients’ Protected Health Information

Touchstone Medical Imaging (Touchstone) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a no-fault settlement and two-year corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Touchstone provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas. According to the HHS-OCR press release and settlement agreement, OCR and the Federal Bureau of Investigation (FBI) notified Touchstone in early May 2014 that its File Transfer Protocol (FTP) servers allowed uncontrolled access to patients’ protected health information (PHI). By mid-May 2014, OCR confirmed that PHI of Touchstone patients, including some Social Security numbers, was still retrievable through a Google search even after Touchstone had taken the FTP server offline (content a search engine has already indexed and cached does not disappear when the origin server does). OCR’s investigation found that the names, dates of birth, phone numbers, addresses, and in some cases Social Security numbers of 307,839 individuals had been exposed to the public through this incident. Touchstone did not investigate the incident until several months after it received the notice from OCR and the FBI, which in turn delayed the required notifications to the affected individuals and the media.

According to OCR, Touchstone failed to:

  • Implement technical policies and procedures that restrict access to the FTP server to those persons or software programs that have been granted access rights;
  • Enter into a written business associate agreement (BAA) with its business associate “MedIT Associates” until June 2, 2016, more than two years after the FTP server incident;
  • Enter into a written BAA with its business associate “XO Communications;”
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Touchstone’s ePHI;
  • Accurately identify and respond to the security incident that gave rise to this settlement; and
  • Notify the affected individuals and the media of the breach until nearly 150 days after Touchstone discovered it.

This HIPAA settlement is the second enforcement action from HHS-OCR since HHS’s announcement, effective immediately, of a reduced annual limit on civil money penalties for HIPAA violations.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...