The latest HIPAA PHI breach violation settlement with OCR was announced recently.  Ironically, the settlement, with Touchstone Medical Imaging for $3,000,000, was announced just after HHS announced the reduction of maximum penalties.  Just how bad was this violation to get hit with this level of penalties plus the 2-year corrective action plan?

HIPAA For MSPs by David Sims No PHI exposed. Really?

Touchstone Medical Imaging, based in Franklin, TN, is a diagnostic medical imaging provider with patients in Tennessee, Nebraska, Texas, Colorado, Florida, and Arkansas, and it has agreed to an HHS settlement over a data breach.  It is pretty easy to tell why they got hit so hard from just the summary in the press release.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to its patients’ protected health information (PHI).  This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.

Touchstone initially claimed that no patient PHI was exposed.  

Stop right there before we go any further.  Say what?!?  Seriously, they claimed nothing was exposed.  The next bit explains why they probably tried to claim that no PHI was exposed.

However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including names, birth dates, social security numbers, and addresses.

Of course!  “It didn’t contain diagnostic information so it wasn’t PHI”.  I bet you that was their argument.  One has to wonder just how far people will go to ditch responsibility for protecting patient information.  The really irritating thing is you don’t get to choose this provider.  It is like a third-party BA where you don’t have any idea who is doing the work to read the images from x-rays, MRIs, and other tests.

OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.  Consequently, Touchstone’s notification to individuals affected by the breach was also untimely.  OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

Director Severino didn’t mince words just like his usual statement in these cases.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino.  “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

Let’s talk about what is in the actual settlement document, not just the press release.  It is always way more interesting.  First, the number of patients involved was more than 300K; it was 307,839.  That extra bit is a major breach by itself, so let’s not overlook it.

Also, let’s look at the little point about not having a BAA in place with their IT support vendor nor data center.  The settlement lists it pretty clearly when it points out there was not one in place with “MedIT Associates” until June 2, 2016 and that they continue to engage “XO Communications” without one in place.  CONTINUE???

The timeline is:

    • May 9, 2014: TMI was emailed by the FBI
    • May 12, 2014: OCR checked to see if the PHI could be found by a Google search.  One must assume the FBI let them know, too.
    • August 19, 2014: OCR sent TMI a letter notifying them of the investigation of the breach and their HIPAA compliance.
    • September 26, 2014: TMI finally addressed the security incident that was pointed out in May
    • October 3, 2014: TMI notified patients and the media, 147 days from the date it discovered the breach
    • June 2, 2016: BAA signed
    • April 3, 2019: TMI signs resolution agreement
    • May 6, 2019: OCR press release

Supposedly, they did an SRA on April 3, 2014, according to the settlement details.  Not sure what that involved, since they couldn’t properly identify PHI shortly after that in May.  It may have been one of those “let us run a scan and write you a report” kinds of assessments.  It doesn’t appear to have been much of one, since the lack of a proper SRA is one of their violations as well as the first thing that is required in the CAP.

It is clear that they had a lot of failures in their program.  One of the biggest concerns was that they STILL had not gotten a BAA with the data center.  There is so much that is not known based on what has been published.  However, no matter how you look at this one, either someone thought they knew what to do with HIPAA, or there was a complete disregard for doing anything other than the bare minimum.

It isn’t the big PHI exposures that do the most damage

While the big breaches get the big news, the small ones are almost always the ones that do the most damage to individuals.  This story just came out as I was writing these notes.  It makes my blood boil that someone thinks that this kind of thing is EVER ok.

A hospital in northeast Kansas divulged intimate private details of a woman’s sexual assault evaluation and treatment to her rapist, according to a lawsuit filed Wednesday in federal court.

And months later, after a “barrage” of harassment, the woman was raped again by the same man, according to the suit.

The woman filed the lawsuit against Atchison Hospital and the X-ray technician accused of disclosing the patient’s information to her attacker.

The technician was fired by the hospital but was rehired at Saint Luke’s Cushing Hospital in Leavenworth County not long after, according to the petition.

Yes, it sounds bad.  And it IS that bad.

The privately-owned hospital betrayed its patient when the technician called the woman’s alleged assailant and told him the woman accused him of sexual violence, according to the lawsuit.

The employee also disclosed other private information, something the patient did not consent to, the lawsuit said. The technician denied she disclosed the information.

After getting the confidential information, the woman’s assailant “relentlessly” harassed and threatened her through texts and phone calls, according to the lawsuit. He sent her graphic language and pornographic content, the woman’s lawyers said.

The patient was also harassed by hospital staff, according to the lawsuit.

Nearly four months after the privacy breach, the technician was terminated, according to the lawsuit. But she was hired to work at Saint Luke’s Cushing Hospital after the Atchison hospital provided a positive reference or failed to communicate facts about her employment, the woman’s attorneys said.

A hospital official sent the patient a letter “expressing deep regret” and apologizing for the breach, according to the lawsuit. In its letter, the hospital said the employee did not appear to be a member of the woman’s “immediate health care team.”

I hope the tech gets the max of 10 years in prison and $250,000 fine if this turns out to be true.  We talk about protecting patients but this level of attack has not been something we saw as a real threat.  Now, we do.

There is a reason we want to educate people.  Look at this case of over 300K patients impacted by one breach, and at the potential for another woman’s suffering from criminal acts as a result of another privacy breach.  This isn’t simply about some rules or paperwork.  This is about the damage that can be done to real people when their information is not treated with the respect it deserves.