HHS Resolution Agreement: Touchstone Medical Imaging, LLC (Apr. 5, 2019); HHS News Release (May 6, 2019)
HHS’s Office for Civil Rights (OCR) has announced a $3 million settlement with a diagnostic medical imaging service to resolve potential violations of HIPAA’s privacy, security and breach notification rules, after an investigation revealed that unsecured protected health information (PHI) of more than 300,000 individuals was accessible to the public due to an insecure file transfer protocol (FTP) server. OCR’s investigation began after it received notice of the insecure FTP server from the FBI and confirmed that patients’ PHI, including some Social Security numbers, was visible via a Google search. The imaging service initially claimed that no patient PHI was exposed, but OCR concluded that the imaging service did not thoroughly investigate the security incident until several months after it received notices from the FBI and OCR. OCR’s own investigation determined that the server was configured to allow anonymous FTP connections to a shared directory. OCR concluded that the imaging service failed to (1) provide timely breach notification to affected individuals and the media; (2) conduct an accurate and thorough risk analysis; (3) restrict access to the FTP server only to authorized persons; (4) adequately respond to a known security incident or mitigate its harmful effects; or (5) have business associate contracts in place with its vendors, including its IT support vendor and third-party data center provider.
In addition to the settlement payment, the imaging service agreed to a corrective action plan (CAP). The CAP requires the imaging service to conduct an enterprise-wide risk analysis and adopt a corresponding risk management plan, each subject to OCR review and approval. The imaging service must also revise—subject to OCR approval—its policies and procedures to address access controls for network and server equipment, minimum-necessary access, access and activity logs, termination of user accounts, password management, and security incidents. Policies and procedures for business associate contracts must also be revamped. The approved policies and procedures must be incorporated into proposed training materials that, following OCR approval, must be included in training sessions for all workforce members. New workforce members must be trained within 14 days after they start work.
EBIA Comment: The imaging service may have made a significant misstep when it prematurely concluded that no patient PHI was exposed despite the alert from the FBI. Its later admission that PHI of more than 300,000 patients was exposed set the stage for this significant settlement and comprehensive CAP. Regardless of the circumstances, alerts from law enforcement agencies should trigger breach response plans, including robust investigations, efforts to contain and mitigate damage, and clear communications with potentially affected individuals. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXV.H (“Guide to Planning for Breach Notification”), XXX.B (“Administrative Safeguards”), and XXX.D (“Technical Safeguards”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.