Tennessee clinic fined $3 million five years after leaking patient data

(Incident Response, Learnings)

Touchstone Medical Imaging, a provider of diagnostic imaging services in the United States, has been fined $3 million by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) after investigators concluded that the clinic had been negligent in handling sensitive health records. According to the HHS press release, in May 2014 Touchstone was notified by the FBI and OCR that one of its servers was exposing patients' protected health information (PHI) on the Internet. “This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline,” according to the report. Faced with these claims, Touchstone initially denied that it was exposing patient health records. Touchstone reportedly took “several months” to even begin investigating the leak, leaving patients exposed to fraud, blackmail and the other risks that follow when such data falls into the hands of attackers.