On May 6, 2019, the Office for Civil Rights (OCR) announced that Tennessee-based Touchstone Medical Imaging agreed to pay $3,000,000 and adopt a corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and additional comprehensive policies and procedures applying HIPAA Rules. Touchstone – which provides diagnostic medical imaging services, was notified in May 2014 by the FBI that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access “permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

During OCR’s investigation, Touchstone acknowledged that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach”.  As a result, Touchstone’s notification to individuals affected by the breach was considered untimely.   

Given last year’s summary judgment win by OCR and the facts presented by the Touchstone incident, it is not surprising that this significant settlement – which was one of the largest to date, was reached.  FTP servers have long been a threat vector – even if set up and run properly, so not unlike the clarion calls initiated for encryption and social engineering training, back office IT support should be sophisticated enough to adopt a means of file transfer that applies state of the art security.