OCR fines Touchstone Medical $3M for tardy breach response

The agency charges the imaging company with failing to secure servers and then claiming that no protected data was exposed.

Touchstone, based in Tennessee, offers its services in the state and across multiple provider organizations in Arkansas, Colorado, Florida, Nebraska and Texas. The HHS Office for Civil Rights enforces the breach notification rules.

In May 2014, the FBI and OCR alerted Touchstone that one of its FTP servers was allowing uncontrolled access to protected health information, permitting search engines to index the protected health information of patients, which remained visible on the Internet even after the server was taken offline.

During the investigation, Touchstone admitted the PHI was exposed and included names, dates of birth, Social Security numbers and addresses. However, the organization did not thoroughly investigate the breach until several months after being notified of it, OCR investigators contend.

“Consequently, Touchstone’s notification to individuals affected by the breach was also untimely,” according to OCR. “The investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its electronic PHI, and failed to have business associate agreements in place with its vendors, including their IT support vendor and third-party data center provider as required by HIPAA.”

OCR has made it clear to the industry that business associate agreements are not optional and that it’s not acceptable to neglect these agreements.

Now, Touchstone’s corrective action plan will focus on adoption of business associate agreements, completion of an enterprise-wide risk analysis, and development of comprehensive policies and procedures to comply with HIPAA.

Additional information and a request for comment were not immediately available.

The resolution agreement and corrective action plan is available here.