Touchstone Medical Imaging Suffers 307K Patient Data Breach

by Patrick Kennedy | Oct 23, 2014

A supplier of diagnostic radiology services has revealed a data breach that potentially exposed the billing information and personal identifiers of 307,000 individuals from across the U.S.

Touchstone Medical Imaging, LLC (TMI) discovered that an infrequently used folder containing patient data was accessible from the Internet. The issue was identified on May 9, 2014, and access to the folder and the files stored in it was revoked immediately.

In a statement released by Touchstone Medical Imaging, the company said: “We immediately secured the folder and removed it from public view. We also began an internal investigation, which initially led us to believe that the patient information in the folder was not readable.” The statement added: “On Sept. 5, 2014, we obtained new information that suggested that the patient information may have been readable and included patients’ names, dates of birth, addresses, telephone numbers, health insurer names, radiology procedures, diagnoses and in some instances, Social Security numbers. Medical records were not included.”

On October 3, in accordance with the HIPAA Breach Notification Rule, TMI issued breach notification letters to all affected patients advising them of the possible exposure of some of their personal data. Although the files had been publicly accessible, TMI said it had no reason to believe the data had been accessed or used improperly, and that it was notifying patients “in abundance of caution”. One point worth noting: the Breach Notification Rule requires individual notices without unreasonable delay and no later than 60 days after a breach is discovered; the folder was found exposed on May 9, so the notification timeline rests on the company’s position that it did not know the data was readable until September 5.

The breach has been reported to the Department of Health and Human Services and is now listed on the Office for Civil Rights breach portal, often referred to as its “Wall of Shame”. It is not the largest data breach of the year, but it ranks among the largest exposures of patient data reported in 2014.

The Office for Civil Rights (OCR) reviews every reported breach, and Touchstone could face a financial penalty and other sanctions for failing to adequately protect patient data. A breach of this size could attract a substantial penalty, although the seriousness of the exposure, the level of risk to patients and the company’s efforts to contain it will all be taken into consideration.

The breach appears to have been caused by employee oversight or a procedural IT mistake. In 2012, the OCR settled with Phoenix Cardiac Surgery, P.C. for $100,000 after the practice posted protected health information in a publicly visible online calendar. The far larger volume of data exposed in this incident could see a more significant penalty applied.

This incident shows how a simple oversight can expose hundreds of thousands of records, and why a thorough risk analysis of all IT systems is needed to identify every weakness. Ongoing monitoring is also necessary so that systems stay secure and any exposure is identified in the shortest possible time. A folder that should never have been reachable from the Internet is exactly the kind of condition that a scheduled, unauthenticated check of sensitive paths can catch before an investigation has to.
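As an added example of the kind of ongoing monitoring the paragraph above calls for (this is illustrative code written for this page, not anything from Touchstone Medical Imaging or the article’s author), the script below takes a list of URLs that must never be reachable without credentials, fetches each one anonymously, and reports paths that serve content or a directory listing. The URLs, the sample responses and the baseline of previously known exposures are all constructed placeholders; the verdict logic is kept in a pure function so it can be checked offline.

```python
"""Unauthenticated exposure check for paths that must never be public.

Added example for this article; not code from Touchstone Medical Imaging.
Assumes a caller supplies URLs (hypothetical) that should require
authentication. Each is fetched with no cookies or credentials and the
response is classified; exposures not already in a baseline are reported
as new so a scheduled run only alerts on change.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Markers emitted by common autoindex pages (Apache, Python http.server, IIS).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Directory listing for ", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)


def classify(status, body):
    """Map an anonymous response to a verdict.

    LISTING    directory index visible (the condition TMI reported)
    EXPOSED    2xx content served without credentials
    REDIRECT   3xx, usually a bounce to a login page; confirm by hand
    OK         access denied or resource absent
    UNEXPECTED anything else (5xx etc.), worth a look but not an exposure
    """
    if 200 <= status < 300:
        if any(p.search(body) for p in LISTING_MARKERS):
            return "LISTING"
        return "EXPOSED"
    if 300 <= status < 400:
        return "REDIRECT"
    if status in (401, 403, 404, 410):
        return "OK"
    return "UNEXPECTED"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a 3xx is reported as such rather than as
    the 200 of the login page it points at."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, timeout=10.0):
    """Fetch anonymously; return (status, body) for HTTP errors too."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")


def audit(results, baseline):
    """results: {url: (status, body)}; baseline: set of urls already known
    exposed. Returns verdicts plus new / persisting / resolved exposures."""
    verdicts = {url: classify(s, b) for url, (s, b) in results.items()}
    exposed = {u for u, v in verdicts.items() if v in ("LISTING", "EXPOSED")}
    return {
        "verdicts": verdicts,
        "new": sorted(exposed - baseline),
        "still": sorted(exposed & baseline),
        "resolved": sorted(baseline - exposed),
    }


# Constructed sample responses (hypothetical hosts) for an offline run.
SAMPLE_RESPONSES = {
    "https://imaging.example.invalid/archive/": (200, "<html><head><title>Index of /archive</title>"),
    "https://imaging.example.invalid/billing/export.csv": (200, "name,dob,ssn\n"),
    "https://imaging.example.invalid/reports/": (401, "Unauthorized"),
    "https://imaging.example.invalid/portal/": (302, ""),
}
SAMPLE_BASELINE = {"https://imaging.example.invalid/billing/export.csv"}


def demo():
    """Run the audit over the constructed samples."""
    return audit(SAMPLE_RESPONSES, SAMPLE_BASELINE)


if __name__ == "__main__":
    # Usage: python exposure_check.py URL [URL ...]  (reads a baseline.json if present)
    urls = sys.argv[1:]
    try:
        with open("baseline.json") as f:
            baseline = set(json.load(f))
    except FileNotFoundError:
        baseline = set()
    report = audit({u: fetch(u) for u in urls}, baseline) if urls else demo()
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["new"] else 0)
```

Run it on a schedule against the paths that hold PHI exports, backups and archive folders, and treat any non-empty `new` list as an incident rather than a ticket; a `REDIRECT` verdict should be confirmed by following the redirect manually, since some servers bounce to a login page for existing paths and return 404 for absent ones, which itself leaks structure.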

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
