A diagnostic medical imaging company from Tennessee has settled an investigation by the FBI and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The company was investigated for a breach of its servers that enabled unauthorized access to sensitive health information, including patients’ names, birth dates, social security numbers and addresses.
According to the settlement, patients’ health information remained accessible and visible on the internet even after the company’s server was taken offline, and the information was available for indexing by search engines.
The OCR found that the company did not investigate the breach for several months after it had been notified by the FBI and OCR, and failed to notify its patients of the breach properly and in a timely manner. It also found that the company had failed to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the information it held, and had failed to put in place appropriate agreements with its vendors and third-party providers, as required by HIPAA.
In addition to the settlement payment, the company must take corrective actions: enter into proper agreements with its vendors, put in place policies and procedures in accordance with HIPAA, and conduct a comprehensive risk analysis.