Touchstone Medical Fined $3 Million for Delayed Incident Response
Touchstone Medical Imaging (TMI) experienced a data breach affecting 307,000 patients. A misconfigured server exposed patient information, making it searchable through Google’s search engine. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) was notified via email of the incident.
The FBI contacted Touchstone to inform them of the incident. However, TMI waited four months before investigating it. Additionally, TMI failed to notify affected individuals in a timely fashion, waiting 147 days before sending out breach notification letters. As a result, TMI was fined $3 million for the delayed notification, as well as for vendor mismanagement and failure to conduct an accurate risk assessment.
What are the Requirements for Incident Response?
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to report security incidents to the Office for Civil Rights (OCR). HIPAA defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Depending on the size of the incident, breach notification requirements differ slightly.
- Meaningful Breach: affecting more than 500 individuals, a meaningful breach must be reported within 60 days of discovery. The incident must be reported to the OCR, affected individuals, and the media.
- Minor Breach: affecting fewer than 500 individuals, a minor breach must be reported by the end of the calendar year. The incident must be reported to the OCR and affected individuals.
To prevent future incidents from occurring, organizations must develop corrective action plans. Corrective action plans must address the gaps in security measures that allowed the breach to occur. In addition to HIPAA breach notification requirements, it is important that healthcare organizations are aware of state reporting requirements, which are often stricter than the federal law.
Developing an Incident Response Plan
Having an incident response plan allows for the quick identification and reporting of security incidents. An incident response plan determines who is responsible for what in the event of a breach.
It also tells employees how to:
- Detect an incident
- Contain an incident
- Correct the situation
- Recover lost data
An incident response plan determines procedures to follow to mitigate the impact of the breach. The following should be included in an incident response plan:
- What to do when an incident is suspected
- Who is responsible for evaluating the situation to determine if the incident is actionable
- How to quickly respond to limit damage
- How to find the source of the incident and how to address the incident
- How to recover from the incident
- Who ensures that changes are made to prevent future incidents
To develop an effective incident response plan, organizations must account for different scenarios. Some of the most common breach incidents include:
- Phishing attacks
- Ransomware attacks
- Theft or loss of equipment
- Unauthorized system access
- Insider issues
- Security failures
Developing an incident response plan allows organizations to quickly identify and respond to security incidents. A security incident that is detected quickly limits the impact of the breach, in turn affecting fewer patients and minimizing the costs associated with the breach.
Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the ninth of which is incident response. (Each one of these XI HIPAA-outlined practices will be examined in its own article, labeled Part I-XI for your convenience.)
This is Part IX of the XI-part blog series. You can also read Parts I to VIII below:
- Phishing Emails and Why Encryption Software is Warranted
- Using Clinical Email (Part II): Secured Email Protection Systems
- Securing your Network (Part III): Endpoint Protection Systems
- Limiting PHI Exposure (Part IV): Access Management
- Data Protection (Part V): Data Loss Prevention
- HIPAA Asset Management (Part VI)
- Network Management (Part VII)
- Vulnerability Management (Part VIII)
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.