HHS Announces $3M Settlement Relating to Violations of HIPAA’s Privacy, Security, and Breach Notification Rules

On May 6, 2019, HHS’s Office of Civil Rights (OCR) announced a $3 million settlement with Touchstone Medical Imaging, a diagnostic medical imaging services company, relating to violations of HIPAA’s privacy, security, and breach notification requirements. According to an HHS press release, in May 2014 the FBI and OCR notified Touchstone that one of its servers allowed uncontrolled access to its patients’ protected health information (PHI). Both the FBI and OCR confirmed that PHI from many patients, including some Social Security numbers, remained visible through a basic Google search even after the server was taken offline. Touchstone initially claimed that it had not breached or exposed any patient’s PHI. However, after an investigation, OCR concluded (and Touchstone subsequently admitted) that the PHI of more than 300,000 patients was exposed. The exposed information included names, birth dates, Social Security numbers, and addresses.

OCR’s investigation also found that Touchstone did not thoroughly investigate the security incident (the availability of the information on the internet) until several months after the FBI and OCR had notified it. As a result, Touchstone’s notification to affected individuals regarding the breach was considered untimely. OCR further concluded that Touchstone failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality and availability of its electronic PHI, and failed to have business associate agreements in place with its vendors, as required by HIPAA.

The settlement serves as a reminder to covered entities, particularly employers with self-insured plans, of their obligations under HIPAA’s privacy, security, and breach notification rules. This case resulted in a significant penalty for several reasons: the number of affected individuals, the failure to conduct a risk analysis and to implement business associate agreements, the failure to respond to two federal law enforcement agencies, and the failure to notify impacted individuals of the breach in a timely manner. Employers should review their HIPAA obligations with their advisers and outside counsel in developing a comprehensive strategy for adhering to the privacy, security, and breach notification requirements.

Sources: HHS Press Release; HHS Resolution Agreement