Skip to main content
close search
site logo
Dive Brief

Touchstone Medical Imaging pays $3M to settle HIPAA breach case

Published May 7, 2019
By
Contributor
Kendall Davis for CIO Dive

Dive Brief:

  • Touchstone Medical Imaging is set to pay $3 million to settle potential HIPAA violations that exposed the protected health information (PHI) of more than 300,000 people.

  • PHI held by the regional provider of diagnostic medical imaging services was accessible to search engines, resulting in names, birth dates, social security numbers and addresses being visible on the internet.

  • HHS found Touchstone failed to properly investigate the security incident until months after it learned of the breach.

Dive Insight:

The FBI told Touchstone that an insecure file transfer protocol web server made PHI visible via a Google search in May 2014. The HHS Office for Civil Rights (OCR) began an investigation around the same time and contacted Tennessee-based Touchstone about the probe in August 2014.

OCR's investigation revealed Touchstone "failed to implement technical policies and procedures" to restrict access to its server and "failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI." The probe also found Touchstone worked with third parties without signing business associate agreements.

Touchstone has not admitted liability, but OCR said these failures led to the release of PHI for more than 300,000 patients. OCR has also accused Touchstone of failing to respond to the security incident and of taking 147 days to inform the affected patients about the data breach.

Touchstone also must analyze its security risks and vulnerabilities. HHS expects Touchstone to share the scope and methodology of its risk analysis within 30 days, and provide it with the results within 120 days of getting the green light to start the assessment. Beyond that, Touchstone will need to create a plan to address risks identified by the analysis and review its operation annually.

News of the settlement comes 16 months after the first HIPAA enforcement action relating to the late reporting of a data breach. In that action, Presence Health agreed to pay $475,000 for taking more than 100 days to tell patients, the media and HHS about a breach affecting more than 500 people.

Recommended Reading

Filed Under: FDA, Cybersecurity

Editors' picks

  • layoffs
    Image attribution tooltip
    Stock via Getty Images
    Image attribution tooltip

    Roundup: Top medtech companies cut jobs in 2023

    Johnson & Johnson, Medtronic and Abbott were among the top companies to announce layoffs this year as the industry implemented cost-cutting measures.

    By Ricky Zipp • Nov. 27, 2023
  • Signs for Johnson & Johnson are seen on company offices in California.
    Image attribution tooltip
    Mario Tama via Getty Images
    Image attribution tooltip

    5 takeaways from J&J’s investor day

    The company outlined its long-term growth expectations and confirmed that it has no plans to separate its medtech and pharma segments.

    By Elise Reuter • Dec. 6, 2023

Company Announcements

View all | Post a press release
Powerful Medical Becomes the First Company to Win Best Science Startup and Overall Winner at A…
From Powerful Medical
November 21, 2024
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Editors' picks
Latest in FDA
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell