Although the FBI notified Touchstone Medical Imaging that the protected health information (PHI) of some of its patients was visible in a Google search, Touchstone kept the information to itself. But bad news travels fast, and the HHS Office for Civil Rights (OCR) confirmed the breach. Now Touchstone, a diagnostic imaging company based in Franklin, Tennessee, has agreed to pay $3 million to settle potential HIPAA violations, among them the disclosure of 307,839 people’s PHI and the failure to conduct an adequate security risk assessment, OCR said May 6.
“From May 9, 2014 to September 26, 2014, [Touchstone] failed to accurately identify and respond to a known security incident, mitigate, to the extent practicable, the harmful effects of the security incident, and document the security incident and its outcome,” OCR’s investigation indicated, according to the resolution agreement. The PHI was still visible on the internet after the server was taken offline, OCR said.
When it was initially informed about the problem, Touchstone claimed that “no patient PHI was exposed,” OCR said. During the investigation, however, Touchstone acknowledged the PHI exposure.
“When you are contacted by OCR and the FBI, it’s probably not a good idea to do nothing or tell them initially no PHI was breached,” says Chris Apgar, president of Apgar & Associates. “The regulations have been with us since 2003 [privacy] and 2005 [security], so there is no excuse here.” Organizations should have security risk assessments and incident response plans well in hand (see box below).
“We don’t typically see organizations that don’t have risk assessment and risk management programs, including penetration testing and vulnerability scans, and incident response plans, but we often see organizations that are struggling to have more of a robust security program,” says attorney Joseph Dickinson, with Smith Anderson in Raleigh, North Carolina.