Touchstone Medical Imaging has agreed to pay $3 million to HHS' Office for Civil Rights to settle potential HIPAA violations associated with a data breach that exposed more than 300,000 patients' protected health information.
The Franklin, Tenn.-based diagnostic medical imaging services company will also adopt a corrective action plan as part of the settlement, HHS announced Monday morning.
The settlement stems from a privacy incident in May 2014 when the Office for Civil Rights and the FBI notified Touchstone that one of its servers allowed "uncontrolled access" to patients' information. Search engines were able to index Touchstone patients' protected information, and that data was visible online.
Touchstone initially claimed that no information had been exposed, according to HHS.
However, during the Office for Civil Rights' investigation, the company later said that more than 300,000 patients' protected health information was exposed, including their names, dates of birth, Social Security numbers and addresses.
The investigation determined that Touchstone did not thoroughly investigate the data breach until several months after the FBI and Office for Civil Rights' notification.
"Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem," Office for Civil Rights Director Roger Severino said in a statement.
During its investigation, the Office for Civil Rights also found that the company did not conduct an accurate analysis of potential risks related to confidentiality of its electronic protected health information and did not have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider.
Cassie Sellers, Touchstone's director of corporate compliance, said that the company has upgraded its IT systems and added dedicated IT and privacy staff since the 2014 breach.
"Touchstone Medical Imaging takes cybersecurity very seriously. The fact that even one of our patients' demographic information could have been accessed is one too many," she said. "We will continue to dedicate whatever resources are necessary to protect the privacy and security of our patients' information."
The settlement comes just over a week after HHS redesigned how it would penalize providers, health plans and their business associates in the wake of HIPAA violations.
The new system sets annual limits for fines based on the organization's "level of culpability," meaning that organizations that have taken measures to meet HIPAA's requirements will face much smaller maximum penalties than those who are found neglectful.