Touchstone Medical Imaging to pay $3 million settlement for security breach

by John R. Fischer, Staff Reporter
A medical imaging service provider in Tennessee has agreed to pay $3 million to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services as a settlement for a security breach that exposed the protected health information of more than 300,000 patients.

The breach at Touchstone Medical Imaging resulted from an FTP server that allowed uncontrolled access to patients' personal health information, leaking names, birth dates, Social Security numbers, and addresses, among other information. The exposed details were accessed and indexed by search engines and remained available on the internet even after the server was taken offline.


“This information in the wrong hands could lead to identity theft, credit fraud, medical fraud, targeted phishing and a number of other attacks that take advantage of personal information,” Mac McMillan, CEO and president at cybersecurity consulting firm CynergisTek, told HCB News. “Moving forward, improving basic cyber hygiene, testing and monitoring their systems proactively will help to avoid this type of misstep. Improving incident response to include relations with Federal authorities trying to help you will also help mitigate risk.”

Notified of the breach by both the FBI and OCR in May 2014, Touchstone initially claimed that no patient PHI had been exposed, only to later admit that the information of more than 300,000 patients had been breached.

An investigation by OCR found that Touchstone waited several months to investigate after being notified of the breach by both the FBI and OCR, which prevented patients from being alerted in a timely manner. It also found that the Franklin-based practice had failed to conduct accurate and thorough risk analyses of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic PHI, and that it did not have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as required by HIPAA.

“Basically, Touchstone failed in its responsibility to understand its risk from its supply chain partners and their partners, which is not uncommon in healthcare. Simply having a business associate agreement is only the first step,” said McMillan. “Organizations need to articulate security requirements in contract documents, perform pre- and post-security reviews, and require vendors to provide updates when anything changes that could impact the security of their data. That includes downstream subcontractors to their supply chain partner.”