Touchstone Medical Imaging has agreed to pay a $3 million fine to the Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) rule violations stemming from a large breach exposing patients’ health information.
According to the U.S. Department of Health and Human Services (HHS), the Tennessee-based imaging company allowed uncontrolled access to a server containing the personal health information of more than 300,000 patients, including names, birth dates, social security numbers and addresses.
Touchstone initially claimed that no patient data was exposed as a result of the hack, but an OCR investigation into the matter found the company did not properly investigate the event until months after the FBI and OCR notified the imaging company of the attack. Touchstone has since admitted to the security breach.
“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino, in a prepared statement from HHS. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
Additionally, Touchstone will create an action plan that includes the “adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with HIPAA rules,” according to the same statement.