Medical Imaging Company Pays $3 Million to Resolve Potential HIPAA Violations Stemming from Breach

May 13, 2019


A Tennessee diagnostic medical imaging services company has agreed to pay $3 million to settle potential HIPAA violations arising from a data breach that exposed the PHI of over 300,000 patients. As part of the settlement, the company — Touchstone Medical Imaging — must also adopt a corrective action plan to address problems uncovered during the investigation by the HHS Office for Civil Rights (OCR), according to an article from Data Privacy & Security Insider.


In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its servers allowed uncontrolled access to its patients’ information. This permitted search engines (such as Google) to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the insecurely configured server was taken offline. Although Touchstone initially claimed that no patient PHI was exposed, it subsequently admitted that the PHI of more than 300,000 patients was exposed, including names, birth dates, addresses, phone numbers, and some social security numbers.


During its investigation, OCR determined that Touchstone did not thoroughly investigate the security incident until several months after being notified of the breach, so that the company’s notification to affected individuals and the media was also untimely. OCR also found that Touchstone had failed to conduct an accurate and complete risk analysis of potential risks and vulnerabilities to its electronic PHI, and did not have HIPAA-required business associate agreements with its vendors.


This incident serves as a reminder to health care companies that they need to be proactive in assessing the security of systems (electronic and otherwise) where PHI is stored and fix any problems identified. Companies also should ensure that HIPAA-compliant business associate agreements are in place, promptly investigate any potential data breaches, and be aware of their breach notification obligations.


Call HIPAAcraticRx today for a complete Security Risk Analysis (SRA) of your business or practice.



HIPAAcraticRx - The Prescription for HIPAA Compliance


20 Hempstead Turnpike, Farmingdale, New York 11735 · (516) 200-6610


© 2019 HIPAAcratic Rx