Sunday, October 5, 2014

BREACH: Touchstone Medical Imaging

Touchstone Medical Imaging is a company based in Brentwood, Tennessee. It is a medical firm that provides services such as MRI, CT scans, ultrasound and mammography. Today they announced that they suffered a data breach as the result of a network share that was exposed to the Internet.

This shared folder contained billing information of patients including Social Security numbers, names, addresses, dates of birth, and phone numbers. They state that no medical records were stored in this folder; however, they make no mention of whether financial information was stored. That is a fair question, since they indicated that the information was billing related.

This was a breach notice that took a very long time to come to light. The company became aware of the breach in May of 2014. Here we are five months later reading about it, because they did not think that any of the data had been accessed. But in September they “obtained new information” suggesting that the information could have been accessed. They further note that “health insurer name, radiology procedure and diagnosis” were included, while saying that medical information was not included. The pieces of this story do not fit together smoothly.

Touchstone states, "We deeply regret any inconvenience this may cause you. To help prevent this from happening again, we are reinforcing the education of our employees and the monitoring of our systems regarding the protection of our patients’ information and continually reviewing and enhancing our policies and procedures.”

This raises a couple of questions. Why was an individual user able to share this folder on the Internet? Why were there no preventative controls in place, such as a firewall, to contain this failure in judgement? This strikes me as a case where more needs to be addressed than simply security awareness training for their employees.

The company has committed to providing credit monitoring to all affected patients in this case and will be getting in touch with them.

Type: PHI
Area: Medical Imaging
First Noted: 4 Oct 2014
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)