A Tennessee-based medical imaging firm has agreed to pay $3 million in fines after seemingly doing just about everything wrong after experiencing a patient data breach. As leaders will know, HIPAA fines are rarely that large, but apparently OCR decided to make an example of the errant company.
The HHS Office for Civil Rights imposed the tough fine on Touchstone Medical Imaging, which provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida and Arkansas, after years of investigating a substantial data breach.
According to an HHS press release, the FBI and OCR notified Touchstone in May 2014 that its data had been breached. The agencies told Touchstone that one of its FTP servers was giving outsiders uncontrolled access to patients’ protected health information, which in turn allowed search engines to index that PHI. Adding insult to injury, the indexed data remained visible on the net even after the FTP server was taken down, the OCR says.
According to the agency, Touchstone first claimed that no patient PHI was exposed by the problem FTP server. However, during its investigation, OCR concluded that the PHI of more than 300,000 patients was exposed, including names, birth dates, Social Security numbers and addresses. Such defensiveness can’t have played well with the investigators.
On top of that, investigators found that Touchstone waited several months to investigate the security incident after being informed about it by the OCR and FBI, which meant, of course, that the patients involved were informed at a relatively late date as well.
What’s more, the OCR concluded that Touchstone had failed to conduct an accurate and thorough risk analysis of the threats to the confidentiality, integrity and availability of its ePHI. It also failed to have business associate agreements in place with key vendors as required by HIPAA, including its IT support vendor and a third-party data center provider.
It’s not that HHS is coming down particularly hard on Touchstone’s apparent busload of HIPAA violations. However, its new rules do state that four factors determine whether a large fine is warranted: whether or not the entity knew that HIPAA was being violated, whether there was reasonable cause for the breach, whether willful neglect was involved, and whether or not the violation was corrected in a timely fashion.
By this yardstick, if things went down the way OCR described, it was entirely predictable that this case would involve a large fine. For everyone’s sake, let’s hope the agency isn’t forced to impose such a large fine again this year. Regardless, this case reminds us that if OCR knocks on your door, pretending you don’t know the cookie jar is broken probably isn’t a winning strategy.