The Office for Civil Rights at the U.S. Department of Health and Human Services settled 10 cases totaling $28.7 million in 2018. Five months in, it's getting a start on 2019.

The OCR recently announced the first HIPAA settlement of the year, a $3M compromise stemming from a 2014 breach that exposed information on 300,000 patients.

A medical imaging service provider in Tennessee, Touchstone Medical Imaging, agreed to pay the fee back in April but news of the settlement wasn't announced until a month later, on May 6.

The company, which is headquartered in Franklin, TN, about half an hour outside of Nashville, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

The biggest misstep the company made was leaving one of its FTP servers exposed, something which allowed anyone on the internet access to data, including patient protected health information (PHI).

As if this wasn't troublesome enough, the provider bungled how it responded and remediated the incident. Touchstone was alerted about the exposed server in May by the FBI and OCR; more than five months later, in September, OCR determined the organization still hadn't identified, let alone mitigated the issue.

It was ultimately determined the determined, per HHS, that the server had been configured to allow anonymous FTP connections to a shared directory.

In addition to being exposed, search engines indexed the PHI of patients, allowing it to be seen by anyone, even after the server was taken down. Touchstone initially contested the fact that patient PHI had been exposed but eventually changed its tune after OCR began investigating the incident.

The result? The names, birth dates, social security numbers, and addresses of roughly 307,000 patients, free for the taking.

By waiting so long to investigate the incident, Touchstone botched the Federal standards for notification in the case of a breach of unsecured protected health information.

The company waited 147 days after it discovered the breach to notify affected individuals, nearly two and a half times the minimum time limit, required under the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. § 164.404.) for issuing notifications.

In addition to disclosing the PHI of individuals and neglecting to notify them, Touchstone also failed to inform media outlets of the breach, something which violates HIPAA 45 C.F.R. § 164.406.

At the core of the incident appears to be Touchstone’s inability to outline potential risks and vulnerabilities associated with the confidentiality and integrity of electronic PHI, along with its failure to implement policies and procedures, like those that would only allow access to FTP servers to certain employees.

As part of the settlement (.PDF) Touchstone will need to complete an accurate, thorough, enterprise-wide analysis of its security risks and vulnerabilities, including a review of any data systems, programs, apps, or equipment that either contain, store, transmit, or receive electronic protected health information.

Furthermore, as part of a Corrective Action Plan, agreed to by both Touchstone and HHS, the company also needs to revise policies around technical access controls to prevent impermissible access and disclosure of PHI, and technical mechanisms to create access and activity logs around suspicious events.