Tennessee clinic fined $3 million five years after leaking patient data

Photo: An MRI machine is set up at the Role 3 Medical Facility at Joint Operating Base Bastion, Afghanistan, Oct. 5, 2011. (Royal Air Force photo by Sgt. Mitch Moore/Released)

A data leak that occurred five years ago has come back to haunt a Tennessee medical practice in the form of a multi-million dollar fine.

Touchstone Medical Imaging, a provider of diagnostic imaging services in the United States, has been fined $3 million by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) after investigators concluded that the clinic had been negligent in its handling of sensitive health records.

According to the HHS press release, in May 2014, Touchstone was notified by the FBI and OCR that its servers were leaking patient health information (PHI) on the Internet.

“This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline,” according to the report.

Faced with these claims, Touchstone initially denied that it was exposing patient health records. An investigation into the matter later revealed that Touchstone had indeed mishandled more than 300,000 records, exposing names, birth dates, Social Security numbers and residential addresses on the web.

Touchstone reportedly took “several months” to even begin to investigate the leak, leaving patients vulnerable to fraud, blackmail and other types of risks associated with hackers getting their hands on such data.

“OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA,” the HHS wrote.

In addition to paying the $3 million fine, Touchstone has been instructed to undertake “a robust corrective action plan,” including an enterprise-wide risk analysis. As of this writing, Touchstone’s website was down.

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles. He likes fishing (not phishing), basketball, and playing around in FL Studio.
