A supplier of diagnostic radiology services has revealed that it experienced a data breach that potentially exposed the billing information and personal identifiers of 307,000 individuals from across the U.S.A.
Touchstone Medical Imaging, LLC found that an infrequently used folder containing patient data was accessible via the Internet. The issue was identified on May 9, 2014, and access to the folder and the files stored in it was immediately revoked.
In a statement released by Touchstone Medical Imaging, the company said: “We immediately secured the folder and removed it from public view. We also began an internal investigation, which initially led us to believe that the patient information in the folder was not readable.” The statement added: “On Sept. 5, 2014, we obtained new information that suggested that the patient information may have been readable and included patients’ names, dates of birth, addresses, telephone numbers, health insurer names, radiology procedures, diagnoses and in some instances, Social Security numbers. Medical records were not included.”
On October 3, in accordance with the HIPAA Privacy and Security Rules, TMI issued breach notification letters to all affected patients advising them of the possible exposure of some of their personal data. Although the files were publicly accessible, TMI said it had no reason to believe that the data had been accessed or used improperly, and that it was notifying patients “in abundance of caution”.
The breach has been reported to the Department of Health and Human Services, and the incident is now listed on the OCR breach portal for incidents affecting 500 or more individuals, often called the “Wall of Shame”. While it is not the largest breach to occur this year, it ranks as one of the biggest exposures of patient data in 2014.
The Office for Civil Rights reviews breach reports, and Touchstone could face a financial penalty and other sanctions for failing to properly protect its patients’ data. A breach of this size could incur a heavy penalty, although the nature of the exposure, the risk of harm to patients and the company’s prompt action to remove the folder from public view should all be taken into consideration.
The breach appears to have been caused by employee oversight or procedural IT mistakes. In an earlier case, the OCR investigated Phoenix Cardiac Surgery, P.C. for posting protected health information in a publicly visible online calendar, and the practice agreed to pay $100,000 to settle the matter. The far greater number of records exposed in this incident could draw a more significant penalty.
This incident shows how a simple oversight can expose hundreds of thousands of records, and why a thorough risk analysis covering every system that stores or serves patient data must be carried out to identify weaknesses such as a forgotten folder under a public web root. Ongoing monitoring is also necessary to confirm that systems remain secure and that exposures are detected as quickly as possible; here the folder was found in May, but the data was not confirmed to be readable until September.
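The check below is an added example; it is not code from the original article, from Touchstone Medical Imaging or from HHS. It audits a static web document root for the two conditions this incident turns on: a subfolder that a web server would serve with no index page in it, and files whose contents match a Social Security number pattern regardless of what the file type suggests (the “not readable” assumption is tested by reading the bytes, not by trusting the extension). The document-root layout, file names and record contents are constructed for the example, and the path /var/www/html in the usage line is an assumption.

```python
"""Audit a web document root for folders and files that may expose patient data.

Added example, not code from the article, Touchstone Medical Imaging or HHS.
Assumes a static document root where anything present on disk is served.
"""
import os
import re
import sys
import tempfile
from dataclasses import dataclass

# Conservative SSN pattern (nnn-nn-nnnn); extend for unformatted 9-digit runs if needed.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# File types that have no business under a public web root.
DATA_EXTENSIONS = {".csv", ".xls", ".xlsx", ".txt", ".bak", ".sql", ".zip"}
# A directory without one of these may produce a directory listing if enabled.
INDEX_FILES = {"index.html", "index.htm", "index.php"}


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the document root, '/'-separated
    reason: str  # why it was flagged


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def audit_webroot(root, max_bytes=1_000_000):
    """Walk `root` and return a list of Findings for listing candidates,
    data-file types and files whose content matches the SSN pattern."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not INDEX_FILES & set(filenames):
            findings.append(Finding(_rel(root, dirpath),
                                    "no index file; directory listing may expose contents"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = _rel(root, full)
            ext = os.path.splitext(name)[1].lower()
            if ext in DATA_EXTENSIONS:
                findings.append(Finding(rel, f"data file type {ext} in web root"))
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_bytes)  # cap read size per file
            except OSError:
                continue
            # Decode loosely so text embedded in odd encodings is still scanned.
            if SSN_RE.search(head.decode("utf-8", errors="ignore")):
                findings.append(Finding(rel, "content matches SSN pattern"))
    return findings


def build_sample_webroot():
    """Create a constructed document root in a temp directory and return its path.
    The record below is fabricated sample data, including the SSN."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "archive", "2013"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
    with open(os.path.join(root, "archive", "index.html"), "w") as fh:
        fh.write("<html><body>Archive</body></html>\n")
    # Forgotten export under the web root: no index page, readable CSV with an SSN.
    with open(os.path.join(root, "archive", "2013", "billing.csv"), "w") as fh:
        fh.write("name,dob,procedure,ssn\n"
                 "Jane Doe,1970-01-01,MRI brain,123-45-6789\n")
    return root


if __name__ == "__main__":
    # Usage: python audit_webroot.py /var/www/html   (path is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    for f in audit_webroot(target):
        print(f"{f.path}: {f.reason}")
```

Run it against the real document root from a scheduled job and alert on any new finding; the point of scanning file contents rather than extensions is that the “is it readable?” question gets answered at detection time, not months later during an investigation.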