[BreachExchange] $3 Million HIPAA Settlement in Delayed Breach Response Case

[Destry Winant]

https://www.databreachtoday.com/3-million-hipaa-settlement-in-delayed-breach-response-case-a-12451

Federal regulators have reached a $3 million HIPAA settlement in a
case alleging that a medical imaging services provider delayed
investigating and mitigating a breach involving patient information
leaking onto the internet via a web server - and delayed notification
of victims as well.


The Department of Health and Human Services' Office for Civil Rights
says in a Monday statement that the resolution agreement and
corrective action plan for Franklin, Tennessee-based Touchstone
Medical Imaging stems from a 2014 breach that affected 307,000
individuals.

Touchstone provides diagnostic medical imaging services in several
states, including Nebraska, Texas, Colorado, Florida and Arkansas.

OCR Tipped Off

In the resolution agreement, OCR notes that on May 9, 2014, the
agency's headquarters received an email alleging that Social Security
numbers of Touchstone patients were exposed online via an insecure
file transfer protocol web server.

OCR confirmed on May 12, 2014, that PHI for Touchstone patients,
including some Social Security numbers, was visible via a Google
search. The agency says it also learned that the FBI notified TMI of
the insecure FTP on May 9, 2014.

"On August 19, 2014, OCR sent a letter notifying TMI of its
investigation of the breach and TMI's compliance with the [HIPAA]
privacy, security, and breach notification rules," the resolution
agreement notes.

"OCR's investigation revealed that the name, date of birth, phone
number, addresses - and in some instances, Social Security numbers -
of 307,839 individuals had been accessible to the public through the
insecure FTP server," OCR says in the agreement. "It was determined
that the server was configured to allow anonymous FTP connections to a
shared directory."

In its statement, OCR notes that the uncontrolled access permitted
search engines to index the PHI of Touchstone's patients, which
remained visible on the internet even after the server was taken
offline.

"Touchstone initially claimed that no patient PHI was exposed," OCR
says. "However, during OCR's investigation, Touchstone subsequently
admitted that the PHI of more than 300,000 patients was exposed.

"OCR's investigation found that Touchstone did not thoroughly
investigate the security incident until several months after notice of
the breach from both the FBI and OCR. "Consequently, Touchstone's
notification to individuals affected by the breach was also untimely."

OCR's HIPAA Breach Reporting Tool website notes that the incident was
reported to OCR on Oct. 3, 2014, as an unauthorized access/disclosure
breach involving a network server.

The resolution agreement notes that Touchstone did not notify affected
individuals or the news media until 147 days after it discovered the
breach. Under HIPAA, breaches affecting 500 or more individuals must
be reported within 60 days.

"My initial reaction is that this incident is the poster child for
'willful neglect'," says privacy attorney David Holtzman of security
consultancy CynergisTek. "OCR alleges that Touchstone failed to take
adequate steps to prevent further harm from the incident for over four
months after becoming aware of the their patient's PHI was vulnerable
to disclosure through their unsecured FTP site."

OCR also alleged that Touchstone continued to allow a vendor to have
access to PHI without having the required business associate agreement
in place, he adds.

Slow Response

The Touchstone incident spotlights the importance of addressing
breaches swiftly once they are discovered, especially if the
organization learns about the incident through notification by
government regulators or a law enforcement agency.

"If a covered entity or business associate is notified of a breach by
not one, but two, government agencies, the organization should respond
rapidly and make mitigation and recovery a top business priority,"
says Kate Borten, president of privacy and security consulting firm
The Marblehead Group.

The OCR investigation also indicated that Touchstone did not address
the mitigation in a timely manner, she notes. "If the server was
offline, but HHS reported the data was still visible, that suggests
there were additional copies of the data that continued to be exposed.
In other words, the mitigation process was incomplete," Borten says.

OCR says its breach investigation found that Touchstone failed to
conduct an accurate and thorough security risk analysis and failed to
have business associate agreements in place with its vendors,
including an IT support vendor and a third-party data center provider,
the agency notes.

"Covered entities must respond to suspected and known security
incidents with the seriousness they are due, especially after being
notified by two law enforcement agencies of a problem," says OCR
Director Roger Severino. "Neglecting to have a comprehensive,
enterprisewide risk analysis, as illustrated by this case, is a recipe
for failure."

Touchstone did not immediately respond to an Information Security
Media Group request for comment on the settlement.

Corrective Action Plan

In addition to the monetary settlement, OCR notes that Touchstone will
undertake "a robust corrective action plan." That includes:

- Adoption of business associate agreements;
- Completion of an enterprisewide risk analysis;
- Review and revision of written policies and procedures to comply
with the HIPAA privacy, security and breach notification rules.

Lower Fines?

The settlement with Touchstone is the first announced since OCR on
April 26 revealed that it is lowering the maximum annual caps on civil
monetary penalties for less egregious HIPAA violations (see: HHS
Lowers Some HIPAA Fines).

HHS will keep its revised interpretation of the HITECH Act penalty
caps in mind "for all enforcement operations," Severino told members
of the news media on April 26. That includes cases involving civil
monetary penalties as well as when OCR negotiates HIPAA settlements
that include corrective actions "and monies in lieu of civil monetary
penalties," he says.

Other Settlements

The settlement with Touchstone is OCR's second HIPAA enforcement
action announced this year.

In February, OCR announced a $3 million settlement with
California-based healthcare provider Cottage Health in the wake of the
agency's investigation into two breaches that occurred in 2013 and
2015, affecting a total of 62,500 individuals.

While the settlement with Cottage Health was announced in February,
OCR says its agreement with the entity was reached in December of
2018.

In 2018, OCR settled 10 cases and was granted summary judgment in a
case before a HHS administrative law judge, with penalties totaling
$28.7 million. That includes a record $16 million settlement with
health plan Anthem Inc. related to a 2014 cyberattack that impacted
the data of nearly 79 million individuals.

Server Woes

The root cause of the Touchstone breach was that the organization did
not properly secure its servers, resulting in exposing patient data to
the internet, Holtzman says.

"This represents a fundamental failure to practice minimum information
security practices. We have seen these incidents over and over again
with organizations that use cloud-based computing technology, vendors
and healthcare billing services."

Other data breaches involving misconfigured servers have also resulted
in enforcement actions by some state agencies.

For instance, New Jersey's attorney general's office last year smacked
Virtua Medical Group with a $418,000 settlement for a 2016 breach
involving a server misconfiguration that publicly exposed PHI of 1,654
patients.

That office also signed a $200,000 settlement with Virtua's business
associate, Best Medical Transcription, for the same incident. In
addition, as part of that agreement, Best Medical Transcription's
owner has been banned from managing or owning a business in the state
(see: Breach Settlement Has Unusual Penalty).