A data leak that occurred five years ago has come back to haunt a Tennessee medical practice in the form of a multi-million dollar fine.
Touchstone Medical Imaging, a provider of diagnostic imaging services in the United States, has been fined $3 million by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) after investigators concluded that the clinic had been negligent in its handling of sensitive health records.
According to the HHS press release, in May 2014, Touchstone was notified by the FBI and OCR that its servers were leaking patient health information (PHI) on the Internet.
“This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline,” according to the report.
Faced with these claims, Touchstone initially denied it was exposing patient health records. But an investigation into the matter later revealed that Touchstone had indeed mishandled more than 300,000 records, exposing names, birth dates, social security numbers and residential addresses on the web.
Touchstone reportedly took “several months” to even begin to investigate the leak, leaving patients vulnerable to fraud, blackmail and other types of risks associated with hackers getting their hands on such data.
“OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA,” the HHS wrote.
In addition to paying the $3 million fine, Touchstone has been instructed to undertake “a robust corrective action plan,” including an enterprise-wide risk analysis. As of this writing, Touchstone’s website was down.