Skip to main content

One Key Takeaway from $3 Million Penalty by HHS for Exposing 300,000 Patient Records

May 7, 2019

The United States Department of Health and Human Services reached an agreement with Touchstone Medical Imaging in which Touchstone agreed to pay $3 million and adopt a corrective action plan in the wake of its data breach that exposed over 300,000 patients’ protected health information.

On the surface this settlement, like many other HHS settlements, may seem harsh when looking at only the amount of money vis-a-vis the number of patients affected. It has become quite common for those who find themselves in the crosshairs of an HHS investigation to say that the agency acts too harshly and that the money HHS is fining companies would be better spent on those companies’ security practices. Unfortunately, those who feel this way do not understand what HHS (and most other regulatory agencies) are trying to accomplish, which leads to the key takeaway from this settlement.


HHS is trying to get companies to comply with the law and, more broadly, their obligation to protect the sensitive information that people have entrusted to them.  We have handled numerous cases where HHS could have imposed penalties on companies but did not because it was clear that the companies were being diligent and were trying to get it right. They may not have gotten it right. there may have been breaches that exposed patients’ information. But, they were trying.

Now, looking at HHS’ actions through this lens, consider the following facts HHS provided about the Touchstone case:

  • “In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to its patients’ protected health information (PHI). This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”
  • “Touchstone initially claimed that no patient PHI was exposed.”
  • “[D]uring OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including names, birth dates, social security numbers, and addresses.”
  • “OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.”

Mistakes happen every day. Everyone understands that when it comes to cybersecurity there is no such thing as being completely “secure.” But, when a company learns that it has had an event that is likely to have compromised the privacy of people’s sensitive information, they have to take it seriously and act diligently in investigating and responding to that event. They have to try to get it right. If they don’t, they will likely pay a price for it.

This blog post was drafted by Shawn Tuma, a Partner in the Dallas – Collin County, TX office of Spencer Fane LLP. For more information, visit