I-Team Update: Touchstone Imaging reports data breach to state
PLANO, Texas (CBSDFW.COM) - The I-Team has learned nearly 47,000 Texans have been impacted by what a medical imaging company told the I-Team three months ago was a "security incident."
Several viewers reached out to the I-Team looking for answers after we reported in early January that patients who showed up for mammograms, MRIs, and medical scans at Touchstone Imaging locations were told their appointments were canceled.
Touchstone Imaging is a medical scanning company based in Plano with offices all over the country.
Their normal operations resumed shortly after we began investigating, but in the following weeks, the I-Team asked the company repeatedly about the scope of the "security incident." We asked if patient information was compromised, and if so, what information.
In email responses, a spokesperson told us "…that is all the company has to share at this time." And, "We do not have anything further to share."
"I'm angry. I'm frustrated," said Sarah Hudson, who originally contacted the I-Team after her X-ray appointment in Plano was canceled. "I believed the girl at the front desk when she said, 'We've been hacked. We've been hacked.' "
Now, the I-Team has learned Touchstone Imaging reported to the Texas Attorney General on February 22 that 46,799 Texans were affected by a data security breach. Touchstone stated that the information affected included "Name of Individual, Address, Social Security Number information, Medical information, Health Insurance Information."
HB 3746 requires businesses to notify individuals and the Texas AG about data breaches.
"They needed to come clean. Why, why hold this information. Why not give out any information?" asked Hudson. She is angry no one provided her details of the breach sooner.
Touchstone also reported to the state that it mailed letters to the consumers affected.
Neither Hudson nor another patient who contacted the I-Team says they have received a letter. When Hudson emailed Touchstone to ask why she had not received a letter, she says she received this response:
"…We have sent letters to those individuals whose information we have identified in the documents to date. Our investigation of the documents involved is continuing. We are working as quickly as possible to identify the information in the rest of the documents we believe are involved, and will notify any affected individuals directly. We expect the review to take several months.
To date, we have not identified your information in the impacted documents. If you are interested in learning more about some best practices, you can review recommendations at the Federal Trade Commission's website, www.ftc.gov/idtheft."
Hudson says she replied to Touchstone by email:
"So, as a patient that has to wait "several months" to find out if their PHI was affected, I have to take my own personal time to do the leg work for Touchstone Imaging! Is this correct? I wasn't the one that didn't have sufficient security measures in place to keep this data breach from occurring!"
The I-Team also went back to Touchstone Imaging asking about the report to the state.
A spokesperson sent us this statement:
"Touchstone Medical Imaging determined that the security incident that occurred in December of last year involved certain patient information. While there is no evidence that this incident resulted in fraud or misuse of the information involved, in February Touchstone directly notified individuals identified as having been impacted, and provided information about the steps they can take. We also set up a call center for any impacted patients that have additional questions. The call center can be reached at 1-855-604-1852, Monday through Friday between 9 AM – 9 PM Eastern Time. Touchstone Medical Imaging takes seriously the confidentiality and security of our patients' information. We continue to implement enhancements to information security, systems, and monitoring capabilities, and remain committed to providing the best care for our patients."
The I-Team also requested a copy of the letter sent to the affected patients. In response, a spokesperson referred us to this statement on its website.
The statement suggests you watch your bills and notify your insurance if you see any suspicious activity or billing.