Touchstone Medical Imaging has agreed to pay $3 million to the Office for Civil Rights at HHS to settle allegations that the medical imaging provider violated HIPAA.
In May 2014, Touchstone was alerted by the FBI and OCR that one of its servers allowed uncontrolled access to patients' health information. Patients' data was searchable online even after Touchstone took the server offline.
The diagnostic medical imaging provider initially claimed that no personal health information had been exposed. However, once the OCR began its investigation, Touchstone admitted that more than 300,000 patients were affected by the security incident.
Patients' names, birth dates, Social Security numbers and addresses were exposed in the data breach. The OCR investigation also found that Touchstone did not adequately investigate the security incident until several months after being notified by the FBI. Touchstone also allegedly did not notify affected patients in a timely manner.
Touchstone also failed to conduct an accurate analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic personal health information, the OCR investigation concluded.
Along with paying the $3 million fine, Touchstone has agreed to adopt a corrective action plan, including implementing business associate agreements, completing an enterprise-wide risk analysis and developing policies and procedures that comply with HIPAA.