The latest HIPAA PHI breach violation settlement with OCR was announced recently. Ironically, the settlement with Touchstone Medical Imaging, for $3,000,000, was announced just after HHS announced the reduction of maximum penalties. Just how bad was this violation to get hit with this level of penalties plus a 2-year corrective action plan?
Touchstone Medical Imaging, based in Franklin, TN, is a diagnostic medical imaging provider with patients in Tennessee, Nebraska, Texas, Colorado, Florida, and Arkansas, and it has agreed to an HHS settlement over a data breach. It is pretty easy to tell why they got hit so hard from just the summary in the press release.
Touchstone initially claimed that no patient PHI was exposed.
Stop right there, before we go any further. Say what?!? Seriously, they claimed nothing was exposed. The next bit explains why they probably tried to claim that no PHI was exposed.
Of course! “It didn’t contain diagnostic information so it wasn’t PHI”. I bet you that was their argument. One has to wonder just how far people will go to ditch responsibility for protecting patient information. The really irritating thing is you don’t get to choose this provider. It is like a third-party BA where you don’t have any idea who is doing the work to read the images from x-rays, MRIs, and other tests.
Director Severino didn’t mince words just like his usual statement in these cases.
Let’s talk about what is in the actual settlement document, not just the press release. It is always way more interesting. First, the number of patients involved was more than 300K; it was 307,839. That extra bit is a major breach by itself, so let’s not overlook it.
Also, let’s look at the little point about not having a BAA in place with either their IT support vendor or their data center. The settlement lists it pretty clearly when it points out there was not one in place with “MedIT Associates” until June 2, 2016, and that they continue to engage “XO Communications” without one in place. CONTINUE???
The timeline is:
- May 9, 2014: TMI was emailed by the FBI.
- May 12, 2014: OCR checked to see if the PHI could be found by a Google search. One must assume the FBI let them know, too.
- August 19, 2014: OCR sent TMI a letter notifying them of the investigation of the breach and their HIPAA compliance.
- September 26, 2014: TMI finally addressed the security incident that was pointed out in May.
- October 3, 2014: TMI notified patients and the media, 147 days from the date it discovered the breach.
- June 2, 2016: BAA signed.
- April 3, 2019: TMI signs the resolution agreement.
- May 6, 2019: OCR press release.
Supposedly, they did an SRA (security risk analysis) on April 3, 2014, according to the settlement details. Not sure what that involved, since they couldn’t properly identify PHI shortly after that in May. It may have been one of those “let us run a scan and write you a report” kinds of assessments. It doesn’t appear to have been much of one, since the lack of a proper SRA is one of their violations as well as the first thing required in the CAP.
It is clear that they had a lot of failures in their program. One of the biggest concerns was that they STILL had not gotten a BAA with the data center. There is so much that is not known based on what has been published. However, no matter how you look at this one, either someone thought they knew what to do with HIPAA, or there was a complete disregard for doing anything other than the bare minimum.
It isn’t the big PHI exposures that do the most damage
While the big breaches get the big news, the small ones are almost always the ones that do the most damage to individuals. This story just came out as I was writing these notes. It makes my blood boil that someone thinks that this kind of thing is EVER ok.
And months later, after a “barrage” of harassment, the woman was raped again by the same man, according to the suit.
The woman filed the lawsuit against Atchison Hospital and the X-ray technician accused of disclosing the patient’s information to her attacker.
The technician was fired by the hospital but was rehired at Saint Luke’s Cushing Hospital in Leavenworth County not long after, according to the petition.
Yes, it sounds bad. And it IS that bad.
The employee also disclosed other private information, something the patient did not consent to, the lawsuit said. The technician denied she disclosed the information.
After getting the confidential information, the woman’s assailant “relentlessly” harassed and threatened her through texts and phone calls, according to the lawsuit. He sent her graphic language and pornographic content, the woman’s lawyers said.
The patient was also harassed by hospital staff, according to the lawsuit.
Nearly four months after the privacy breach, the technician was terminated, according to the lawsuit. But she was hired to work at Saint Luke’s Cushing Hospital after the Atchison hospital provided a positive reference or failed to communicate facts about her employment, the woman’s attorneys said.
A hospital official sent the patient a letter “expressing deep regret” and apologizing for the breach, according to the lawsuit. In its letter, the hospital said the employee did not appear to be a member of the woman’s “immediate health care team.”
I hope the tech gets the max of 10 years in prison and a $250,000 fine if this turns out to be true. We talk about protecting patients, but this level of attack has not been something we saw as a real threat. Now, we do.
There is a reason we want to educate people. Look at this case of over 300K patients impacted by one breach, and at the suffering a woman may have endured from criminal acts as a result of another privacy breach. This isn’t simply about some rules or paperwork. This is about the damage that could be done to real people when their information is not treated with the respect it deserves.