Imaging service fails to respond to HIPAA Breach, exposing private health information, angering the feds and leading to massive fine
A Tennessee medical imaging service was slow to respond to a Federal Bureau of Investigation (FBI) warning that its protected patient data had been compromised.
In May of 2015, the FBI informed Touchstone Medical Imaging of Franklin, Tennessee that one of its computer file servers was allowing uncontrolled access to electronic protected health information (ePHI).
Private Health Information Made Searchable On Google
Touchstone’s misconfigured file server was allowing search engines such as Google to index patient information, making private medical details viewable to anyone with a smartphone or computer.
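The failure mode described here is a file server that answers anonymous web requests with an auto-generated directory listing and nothing telling search engines to stay out. The following check is an added example written for this article, not code from Touchstone, the OCR or the FBI: it inspects an HTTP response (status, headers, body) for the listing signatures of common web servers and for the absence of an `X-Robots-Tag: noindex` header, and returns the findings a compliance reviewer would want logged. The sample responses are constructed for illustration.

```python
"""Defender's check for an exposed, indexable directory listing (added example).

The page only says the server was "misconfigured" and that Google indexed it;
the server type and paths below are assumptions chosen to make the check
concrete and are not taken from the incident.
"""
import re
from dataclasses import dataclass, field

# Title/body signatures of auto-generated directory indexes.
DIRECTORY_INDEX_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),            # Apache mod_autoindex, nginx autoindex
    re.compile(r"\[To Parent Directory\]", re.I),         # IIS directory browsing
    re.compile(r"<h1>\s*Directory listing for /", re.I),  # Python http.server
)


@dataclass
class HttpResponse:
    """Minimal stand-in for a fetched response so the check runs offline."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_directory_listing(resp):
    """True if the body looks like a server-generated directory index."""
    return resp.status == 200 and any(m.search(resp.body) for m in DIRECTORY_INDEX_MARKERS)


def blocks_search_indexing(resp):
    """True if the response carries a noindex directive for crawlers."""
    tag = resp.header("X-Robots-Tag") or ""
    return "noindex" in tag.lower()


def audit_response(resp):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    listing = is_directory_listing(resp)
    if listing:
        findings.append(f"{resp.url}: anonymous request returned a directory listing")
    if listing and not blocks_search_indexing(resp):
        findings.append(f"{resp.url}: no X-Robots-Tag noindex; listing is indexable by search engines")
    if resp.status == 200 and resp.header("WWW-Authenticate") is None and listing:
        findings.append(f"{resp.url}: no authentication challenge on a content directory")
    return findings


# Constructed sample: an exposed Apache-style listing with no crawler controls.
EXPOSED = HttpResponse(
    url="http://files.example.invalid/reports/",  # placeholder host, not the real one
    status=200,
    headers={"Content-Type": "text/html", "Server": "Apache"},
    body="<html><head><title>Index of /reports</title></head>"
         "<body><h1>Index of /reports</h1><a href='patient_12345.pdf'>patient_12345.pdf</a></body></html>",
)

# Constructed sample: the same path after hardening (listing off, auth required, noindex).
HARDENED = HttpResponse(
    url="http://files.example.invalid/reports/",
    status=401,
    headers={"WWW-Authenticate": 'Basic realm="restricted"', "X-Robots-Tag": "noindex, nofollow"},
    body="Unauthorized",
)

if __name__ == "__main__":
    for sample in (EXPOSED, HARDENED):
        print(sample.url, audit_response(sample) or ["no findings"])
```

Run against live responses, the same `audit_response` call applies to whatever HTTP client fetches the page; the point of the check is that a 200 with a listing signature and no `noindex` is exactly the condition that lets a search engine make the contents searchable.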
When it finally got around to investigating itself, management at Touchstone Medical Imaging said no patient data had been made visible.
The Feds disagreed, and the Office for Civil Rights (OCR) conducted its own investigation, demonstrating that more than 300,000 patients’ data was accessible on Google.
Private Health Information Breach Investigation Leads To More Violations
As in most cases, the breach of Touchstone’s ePHI led to more violations when investigators discovered the company had failed to have mandatory Business Associate Agreements in place with several of its vendors, including its Information Technology contractor and its third-party data center.
Business Associate Agreements are legally binding contracts detailing how Private Health Information will be managed by those who serve HIPAA covered entities such as doctors and hospitals.
Cases such as this are becoming common. In fact, if you look back in the archives of our HIPAA Horror Stories, you’ll see another case leading to almost exactly the same violations and penalties.
Private Health Information Breach is Costly
When the feds finally got finished with Touchstone in May of this year, the firm was $3 million poorer. The OCR also forced the imaging service into a lengthy and expensive Corrective Action Plan.
What You Can Do To Avoid A Costly Private Health Information Breach
Data breaches are serious. The FBI is not shy about getting involved in protecting patient health data. The OCR issued record fines in 2018, and 2019 is shaping up to be just as devastating to HIPAA covered entities, business associates and health plans that take a lax attitude toward compliance.
Do you have a compliance plan in place right now? How would you feel if the FBI came knocking? If these questions give you a headache, we’ve got the cure. Contact The HIPAA E-Tool® today.