On May 6, 2019, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Touchstone Medical Imaging (TMI) agreed to pay $3,000,000 to settle alleged HIPAA violations arising out of an insecure file transfer protocol (FTP) web server that exposed the protected health information (PHI) of more than 300,000 individuals.

According to the OCR’s press release announcing the settlement, TMI is based in Tennessee and provides diagnostic medical imaging services in five states.

In May of 2014, the FBI notified the OCR and TMI that the social security numbers of TMI patients were exposed and available online through TMI’s FTP server.  The OCR initiated an investigation of this security incident and its investigation revealed that the name, date of birth, phone number, address, and, in some instances, social security numbers of almost 308,000 TMI patients were publically accessible.  The server had been configured to allow anonymous FTP connections to a shared directory.

The OCR identified the following additional HIPAA compliance issues:

• TMI failed to enter into business associate agreements (BAAs) with at least two business associates;
• From May 9, 2014 through September 26, 2014, TMI failed to accurately identify and respond to the security incident or to mitigate, to the extent practicable, the harmful effects of the security incident;
• TMI did not notify affected individuals or the media of the breach for 147 days after the date it discovered the breach; and
• Prior to April 3, 2014, TMI failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI it held.

In addition to the $3,000,000 payment, TMI entered into a two-year “robust” corrective action plan (CAP) that requires TMI to:

• Conduct a review of all its vendor relationships to identify business associates and provide HHS with an accounting of those business associates and copies of the applicable BAAs; 
• Perform an enterprise-wide analysis of security risks and vulnerabilities to all electronic PHI held by TMI and a corresponding risk management plan to address and mitigate any identified risks and vulnerabilities; 
• Revise its written policies and procedures to comply with the HIPAA privacy, security and breach notification rules, specifically including revisions to its policies and procedures relating to technical access controls, termination of user accounts, password changes, password strength and safeguarding, and addressing security incidents; 
• Revise its policies and procedures regarding BAAs;
• Distribute the policies and procedures to members of its workforce and provide workforce training; and 
• Prepare annual reports for HHS’ review with respect to its compliance with the CAP.

Security incidents are pervasive across all industry sectors, including health care.  TMI’s issues related to a flawed server configuration and poor oversight and follow-up when TMI was alerted to the problem. HIPAA-covered entities and business associates must ensure that they have incident response and breach notification plans in place to identify and timely address security incidents and breaches