• United States




Touchstone Medical Imaging reveals data breach

Oct 03, 20142 mins
Data Breach

Touchstone Medical Imaging is a medical firm based in Brentwood Tenn., that provides services such as MRI, CT scans, Ultrasound and Mammography. Today the company announced that it suffered a data breach as the result of an open share that was exposed to the Internet.

This shared folder contained billing information of patients including Social Security numbers, names, addresses, date of birth, and phone numbers. Touchstone states that no medical information records were stored in this folder however, the company makes no mention of possible financial information being stored. It is a fair question as they indicated that the information was billing related.

This was a breach notice that took a very long time to come to light. The company became aware of the breach in May of 2014. Here we are five months later reading about because it did not think that any of the data had been accessed. But, in September the company “obtained new information” that suggested that the information could have been accessed. They further note that “health insurer name, radiology procedure and diagnosis” was included while saying that medical information was not included. The pieces do not fit together smoothly in this story.

Touchstone states, “We deeply regret any inconvenience this may cause you. To help prevent this from happening again, we are reinforcing the education of our employees and the monitoring of our systems regarding the protection of our patients’ information and continually reviewing and enhancing our policies and procedures.”

This begs a couple of questions. Why was an individual user able to share this folder on the Internet? Why were there no preventative controls in place to combat this failure in judgement like a firewall as an example? This strikes me that there is more here that needs to be addressed than simply security awareness training for their employees.

The company has committed to provide credit monitoring to all affected patients in this case and they will be getting in touch with them.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author