Touchstone Medical Imaging, a Franklin, Tennessee-based provider of medical imaging services, has agreed to settle a HIPAA violation case with the HHS’ Office for Civil Rights to resolve violations of multiple HIPAA provisions. The settlement agreement involves a financial penalty of $3 million and the adoption of a corrective action plan to remedy vulnerabilities discovered by OCR while investigating a 2014 data breach.

The breach in question involved a misconfigured FTP server. Touchstone Medical Imaging was alerted to the issue by the FBI on May 9, 2014. The FTP server had been configured to allow anonymous connections to a shared directory on the server that contained files which included patients’ names, addresses, dates of birth and Social Security numbers.

In total, the protected health information of 307,839 individuals was exposed as a result of the error. The directory had also been indexed by search engines and the files could be found by anyone performing an Internet search. Those files could be accessed without the need for any authentication. In addition to notifying Touchstone Medical Imaging about the breach, the FBI also alerted OCR.
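The article does not identify the FTP software involved. As an added illustration that is not part of the original article, the following Python lint checks a vsftpd-style configuration for the anonymous-access settings that produce exactly this class of exposure, and shows a weak configuration beside a corrected one. The vsftpd key names and their upstream defaults are assumptions drawn from vsftpd.conf(5), and both sample configurations are constructed for the example.

```python
"""Lint a vsftpd-style configuration for anonymous-access exposure.

Assumption: key names and defaults follow vsftpd.conf(5). Upstream vsftpd
defaults anonymous_enable to YES, so a configuration that never mentions the
key is reported as exposed rather than assumed safe.
"""
from __future__ import annotations

# Boolean keys that decide what an unauthenticated client can reach.
DEFAULTS = {
    "anonymous_enable": "YES",          # accept the 'anonymous'/'ftp' login
    "anon_world_readable_files": "YES", # anonymous may download world-readable files
    "anon_upload_enable": "NO",         # anonymous may upload (needs write_enable)
    "write_enable": "NO",               # any write command at all
}


def parse_vsftpd(text: str) -> dict[str, str]:
    """Parse key=value lines; '#' starts a comment, later keys override earlier ones."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def anonymous_findings(settings: dict[str, str]) -> list[str]:
    """Return findings describing anonymous exposure; an empty list means none."""
    effective = dict(DEFAULTS)
    effective.update({k: v for k, v in settings.items() if k in DEFAULTS})
    findings: list[str] = []
    if effective["anonymous_enable"] != "YES":
        return findings
    origin = "explicitly" if "anonymous_enable" in settings else "by default (key absent)"
    findings.append(
        f"anonymous_enable is YES {origin}: logins without credentials are accepted"
    )
    if effective["anon_world_readable_files"] == "YES":
        findings.append(
            "anon_world_readable_files is YES: anonymous clients can download "
            "every world-readable file under the anonymous root"
        )
    if effective["write_enable"] == "YES" and effective["anon_upload_enable"] == "YES":
        findings.append("anon_upload_enable with write_enable: anonymous clients can upload")
    return findings


# Constructed sample: a share directory reachable without credentials.
WEAK_CONFIG = """
listen=YES
anonymous_enable=YES
anon_root=/srv/share
local_enable=NO
"""

# Constructed sample: authenticated users only, confined to their home directory.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
write_enable=NO
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in anonymous_findings(parse_vsftpd(cfg)) or ["no anonymous exposure found"]:
            print("  -", finding)
```

The lint is deliberately strict about the absent-key case, since a server that was never told to refuse anonymous logins is the configuration most likely to go unnoticed. Note that a configuration fix alone does not undo the second problem the article describes: once a directory has been indexed by search engines, the cached listings and files remain discoverable until the data is removed and the indexes are refreshed.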

OCR notified Touchstone Medical Imaging on August 19, 2014 that it would be subjected to an investigation to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

The investigation uncovered widespread HIPAA compliance issues. In the resolution agreement, OCR cites 10 violations of HIPAA provisions spread across 8 HIPAA violation counts.

Initially, Touchstone Medical Imaging maintained that no breach of PHI had occurred, although OCR was later informed that there had been a breach of PHI. OCR determined during its investigation that the breach was due to the lack of technical policies and procedures to prevent improper PHI access. PHI was accessible until May 9, 2014 when Touchstone Medical Imaging was informed about the insecure server by the FBI. The lack of security controls was in violation of 45 C.F.R. § 164.312(a)(1).

As a direct result, there was a breach of 45 C.F.R. § 164.502(a): an impermissible disclosure of the PHI of 307,839 individuals. Touchstone Medical Imaging also failed to investigate the security incident until September 26, 2014, in violation of 45 C.F.R. § 164.308(a)(6)(ii). OCR also determined there had been a risk analysis failure, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). A risk analysis had only been completed on April 3, 2014.

The delayed investigation contributed to a delay in notifying patients and the media about the breach. Both sets of notifications occurred 147 days after the discovery of the breach, which violated 45 C.F.R. § 164.404 and 45 C.F.R. § 164.406.

Further compliance failures were discovered relating to business associate agreements. Touchstone Medical Imaging was working with an IT support company that had access to systems containing ePHI, yet no BAA was in place, as required by 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b). A BAA was finally obtained on June 2, 2016. There was also no BAA with a third-party data center provider, XO Communications, yet the business relationship continued despite no BAA being in place, in violation of 45 C.F.R. § 164.308(b).

When OCR discovers widespread non-compliance with HIPAA Rules, financial penalties are likely. When HIPAA failures are not corrected within a reasonable time frame, financial penalties are likely to be severe. The sizable penalty reflects the extent of the violations, their duration, and continued noncompliance.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” explained OCR Director Roger Severino. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

Touchstone Medical Imaging agreed to settle the case with OCR with no admission of liability.