$3 Million HIPAA Settlement in Delayed Breach Response CaseTouchstone Medical Imaging Learned of Breach From Two Federal Agencies
Federal regulators have reached a $3 million HIPAA settlement in a case alleging that a medical imaging services provider delayed investigating and mitigating a breach involving patient information leaking onto the internet via a web server - and delayed notification of victims as well.
See Also: HIPAA Audits: A Revised Game Plan
The Department of Health and Human Services' Office for Civil Rights says in a Monday statement that the resolution agreement and corrective action plan for Franklin, Tennessee-based Touchstone Medical Imaging stems from a 2014 breach that affected 307,000 individuals.
Touchstone provides diagnostic medical imaging services in several states, including Nebraska, Texas, Colorado, Florida and Arkansas.
OCR Tipped Off
In the resolution agreement, OCR notes that on May 9, 2014, the agency's headquarters received an email alleging that Social Security numbers of Touchstone patients were exposed online via an insecure file transfer protocol web server.
OCR confirmed on May 12, 2014, that PHI for Touchstone patients, including some Social Security numbers, was visible via a Google search. The agency says it also learned that the FBI notified TMI of the insecure FTP on May 9, 2014.
"On August 19, 2014, OCR sent a letter notifying TMI of its investigation of the breach and TMI's compliance with the [HIPAA] privacy, security, and breach notification rules," the resolution agreement notes.
"OCR's investigation revealed that the name, date of birth, phone number, addresses - and in some instances, Social Security numbers - of 307,839 individuals had been accessible to the public through the insecure FTP server," OCR says in the agreement. "It was determined that the server was configured to allow anonymous FTP connections to a shared directory."
"My initial reaction is that this incident is the poster child for 'willful neglect.'"
—David Holtzman, CynergisTek
In its statement, OCR notes that the uncontrolled access permitted search engines to index the PHI of Touchstone's patients, which remained visible on the internet even after the server was taken offline.
"Touchstone initially claimed that no patient PHI was exposed," OCR says. "However, during OCR's investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed.
"OCR's investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. "Consequently, Touchstone's notification to individuals affected by the breach was also untimely."
OCR's HIPAA Breach Reporting Tool website notes that the incident was reported to OCR on Oct. 3, 2014, as an unauthorized access/disclosure breach involving a network server.
The resolution agreement notes that Touchstone did not notify affected individuals or the news media until 147 days after it discovered the breach. Under HIPAA, breaches affecting 500 or more individuals must be reported within 60 days.
"My initial reaction is that this incident is the poster child for 'willful neglect'," says privacy attorney David Holtzman of security consultancy CynergisTek. "OCR alleges that Touchstone failed to take adequate steps to prevent further harm from the incident for over four months after becoming aware of the their patient's PHI was vulnerable to disclosure through their unsecured FTP site."
OCR also alleged that Touchstone continued to allow a vendor to have access to PHI without having the required business associate agreement in place, he adds.
It's not unusual for OCR to open an investigation, specifically a compliance review, based on an event brought to its attention by a source other than a breach report from the entity itself - including reports from individuals, other entities, state and federal agencies, and news media, says privacy attorney Iliana Peters of the law firm Polsinelli.
"To the extent OCR believes a report is credible and serious, it will follow up with the HIPAA-regulated entity as well," says Peters, a former OCR official. "It's always important for HIPAA covered entities and business associates to implement their response and reporting plans, as required by the HIPAA Security Rule, however they hear of an incident - whether from someone within their own organization or from an outside entity, like a state or federal regulator."
The Touchstone incident spotlights the importance of addressing breaches swiftly once they are discovered, especially if the organization learns about the incident through notification by government regulators or a law enforcement agency.
"If a covered entity or business associate is notified of a breach by not one, but two, government agencies, the organization should respond rapidly and make mitigation and recovery a top business priority," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
The OCR investigation also indicated that Touchstone did not address the mitigation in a timely manner, she notes. "If the server was offline, but HHS reported the data was still visible, that suggests there were additional copies of the data that continued to be exposed. In other words, the mitigation process was incomplete," Borten says.
OCR says its breach investigation found that Touchstone failed to conduct an accurate and thorough security risk analysis and failed to have business associate agreements in place with its vendors, including an IT support vendor and a third-party data center provider, the agency notes.
"Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem," says OCR Director Roger Severino. "Neglecting to have a comprehensive, enterprisewide risk analysis, as illustrated by this case, is a recipe for failure."
Touchstone did not immediately respond to an Information Security Media Group request for comment on the settlement.
Corrective Action Plan
In addition to the monetary settlement, OCR notes that Touchstone will undertake "a robust corrective action plan." That includes:
- Adoption of business associate agreements;
- Completion of an enterprisewide risk analysis;
- Review and revision of written policies and procedures to comply with the HIPAA privacy, security and breach notification rules.
The settlement with Touchstone is the first announced since OCR on April 26 revealed that it is lowering the maximum annual caps on civil monetary penalties for less egregious HIPAA violations (see: HHS Lowers Some HIPAA Fines).
HHS will keep its revised interpretation of the HITECH Act penalty caps in mind "for all enforcement operations," Severino told members of the news media on April 26. That includes cases involving civil monetary penalties as well as when OCR negotiates HIPAA settlements that include corrective actions "and monies in lieu of civil monetary penalties," he says.
Peters says it is notable that the Touchstone settlement comes less than two weeks after OCR's announcement that it will consider lower financial caps for certain HIPAA settlement and civil money penalty cases. "In other words, despite OCR's use of enforcement discretion on settlement amounts and civil money penalties, we will likely still see cases settled for significant amounts of money," she notes.
The settlement with Touchstone is OCR's second HIPAA enforcement action announced this year.
In February, OCR announced a $3 million settlement with California-based healthcare provider Cottage Health in the wake of the agency's investigation into two breaches that occurred in 2013 and 2015, affecting a total of 62,500 individuals.
While the settlement with Cottage Health was announced in February, OCR says its agreement with the entity was reached in December of 2018.
In 2018, OCR settled 10 cases and was granted summary judgment in a case before a HHS administrative law judge, with penalties totaling $28.7 million. That includes a record $16 million settlement with health plan Anthem Inc. related to a 2014 cyberattack that impacted the data of nearly 79 million individuals.
The root cause of the Touchstone breach was that the organization did not properly secure its servers, resulting in exposing patient data to the internet, Holtzman says.
"This represents a fundamental failure to practice minimum information security practices. We have seen these incidents over and over again with organizations that use cloud-based computing technology, vendors and healthcare billing services."
Other data breaches involving misconfigured servers have also resulted in enforcement actions by some state agencies.
For instance, New Jersey's attorney general's office last year smacked Virtua Medical Group with a $418,000 settlement for a 2016 breach involving a server misconfiguration that publicly exposed PHI of 1,654 patients.
That office also signed a $200,000 settlement with Virtua's business associate, Best Medical Transcription, for the same incident. In addition, as part of that agreement, Best Medical Transcription's owner has been banned from managing or owning a business in the state (see: Breach Settlement Has Unusual Penalty).