Too Much (Protected Health) Information Exposed + Too Little Response = $3M And Corrective Action Plan For Medical Imaging Company

Fox Rothschild LLP

“TMI” usually means “too much information,” but the Office for Civil Rights (OCR) used it aptly as the acronym for a covered entity that exposed the protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical Imaging, Inc. (TMI), not only operated an insecurely configured file transfer protocol (FTP) server that left patient information discoverable through Google searches, but it also seemingly dragged its HIPAA compliance feet after learning of the PHI exposure.

TMI was notified of its insecure FTP server on May 9, 2014 and apparently implemented technical safeguards to limit access to the FTP server that held PHI to approved persons and software programs, but TMI failed to notify affected individuals and the media of the breach until October 3, 2014, 147 days after discovery of the breach and well beyond the 60-day outer limit set by the HIPAA Breach Notification Rule. Adding insult to injury, TMI failed to enter into a business associate agreement with its IT vendor until June 2, 2016, and (as of the date of the Resolution Agreement) “continues” to engage another business associate “without the protections of a business associate agreement in place.”

It is not clear from the Resolution Agreement exactly how the insecurity of the FTP server was initially discovered or by whom. The Resolution Agreement states that TMI conducted a HIPAA security risk assessment on April 3, 2014, but the Press Release states that TMI was notified by the FBI and OCR in May 2014. The Press Release also says that TMI “initially claimed that no patient PHI was exposed,” and that OCR found that TMI did not thoroughly investigate the incident until several months after receiving notice of the breach from both the FBI and OCR.

A more immediate and robust breach response may very well have saved this covered entity millions, not to mention the negative publicity. The PHI exposure was significant on its own (especially when combined with the delayed and seemingly insufficient security risk assessment), but the combination of TMI (as in too much information) and too little in the way of response activity is the perfect recipe for a HIPAA settlement.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
