$3,000,000 Settlement for HIPAA Breach by Diagnostic Medical Imaging Company

Tucker Arensberg, P.C.

Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server.

In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure file transfer protocol (“FTP”) web server. HHS confirmed that this information was accessible via a simple Google search.

Both the FBI and HHS notified Touchstone of the breach, which included the names, dates of birth, phone numbers, addresses and, in some cases, social security numbers of over 300,000 individuals. Touchstone failed to investigate the issue until several months later.

HHS found that:

1) Touchstone impermissibly disclosed the PHI of over 300,000 individuals through its insecure FTP server.

2) Touchstone failed to have technical policies and procedures to restrict who could access the information through the server.

3) Touchstone failed to have a written business associate agreement with a business associate.

4) Touchstone continued to engage another business associate without having a business associate agreement in place.

5) Touchstone failed to thoroughly and accurately assess potential risks and vulnerabilities of the electronic PHI that it held.

6) Touchstone waited well over four months to respond to the incident.

7) Touchstone failed to notify affected individuals of the breach until 147 days after it was notified of the breach.

8) Touchstone failed to notify media outlets of the breach until 147 days after it was notified of the breach.

To settle the matter, Touchstone has agreed to pay HHS $3,000,000 and enter into a Corrective Action Plan.

You can read the HHS Press Release and the Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Tucker Arensberg, P.C. | Attorney Advertising
