On May 6, 2019, Touchstone Medical Imaging agreed to pay $3 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle a case stemming from a data breach that exposed the protected health information (PHI) of over 300,000 patients and potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.
The OCR investigation began in May 2014, after Touchstone was notified by the FBI and OCR that one of its FTP servers was breached and permitted search engines to index and display sensitive patient data on the Internet.