Touchstone Medical Imaging reveals data breach


Touchstone Medical Imaging is a medical firm based in Brentwood, Tenn., that provides services such as MRI, CT scans, ultrasound and mammography. Today the company announced that it suffered a data breach as the result of an open share that was exposed to the Internet.

This shared folder contained billing information of patients, including Social Security numbers, names, addresses, dates of birth, and phone numbers. Touchstone states that no medical information records were stored in this folder; however, the company makes no mention of possible financial information being stored. It is a fair question, as they indicated that the information was billing related.

This was a breach notice that took a very long time to come to light. The company became aware of the breach in May of 2014. Here we are five months later reading about it, because the company did not think that any of the data had been accessed. But in September the company “obtained new information” that suggested that the information could have been accessed. They further note that “health insurer name, radiology procedure and diagnosis” were included, while saying that medical information was not included. The pieces do not fit together smoothly in this story.

Touchstone states, “We deeply regret any inconvenience this may cause you. To help prevent this from happening again, we are reinforcing the education of our employees and the monitoring of our systems regarding the protection of our patients’ information and continually reviewing and enhancing our policies and procedures.”

This begs a couple of questions. Why was an individual user able to share this folder on the Internet? Why were there no preventative controls in place, such as a firewall, to combat this failure in judgement? It strikes me that there is more here that needs to be addressed than simply security awareness training for their employees.

The company has committed to provide credit monitoring to all affected patients in this case and they will be getting in touch with them.
