A diagnostic medical imaging services company based in Franklin, TN is going to have to pay $3,000,000 for a breach affecting the ePHI of 300,000 patients.
The company, Touchstone, made several errors along the way that could have contributed to the breach, and HHS and OCR cited them for these.
First, they reportedly did not have Business Associate Agreements in place. Second, a Risk Assessment had not been performed. Third, once aware of the situation, Touchstone did not report the breach for months. All of these can be seen as egregious violations, as each is required by law, and they no doubt contributed to the hefty fine.
The firm now has a resolution agreement and corrective action plan in place.