US Radiology Specialists, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

In December 2021, US Radiology Specialists, Inc., a large private radiology group based in North Carolina, experienced a significant data breach. This incident led to the unauthorized access and theft of personal and health information of 198,260 patients, including 92,540 New Yorkers. The compromised data included sensitive information such as names, dates of birth, social security numbers, driver’s license numbers, passport numbers, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers[1][4][5].

The breach was attributed to US Radiology’s failure to promptly update its firewall, leaving its network and those of its partner companies, including Windsong Radiology Group, vulnerable to cyber threats. This negligence resulted in a ransomware attack that exploited a known vulnerability[1][4]. The New York Attorney General’s Office conducted an investigation into the breach, concluding that US Radiology had not adopted reasonable data security practices to protect its patients’ personal information[1][5].

As a result of the investigation, US Radiology Specialists agreed to a settlement with the New York Attorney General, Letitia James, which included a $450,000 penalty. The settlement also mandated US Radiology to implement several measures to enhance its data security practices. These measures include maintaining an updated information security program, creating an IT asset management program, encrypting patients’ personal information, developing a penetration testing program, and implementing policies for the permanent deletion of patients’ personal data when no longer needed[1][4][5].

This incident is part of a broader trend of increasing healthcare data breaches, highlighting the critical need for healthcare providers and their partners to prioritize and strengthen their cybersecurity measures to protect sensitive patient information[3].

Citations:

  1. https://ag.ny.gov/press-release/2023/attorney-general-james-secures-450000-medical-company-providing-services-western
  2. https://radiologybusiness.com/topics/healthcare-management/medical-practice-management/2-data-breaches-geographically-distant-yet
  3. https://www.hipaajournal.com/november-2023-healthcare-data-breach-report/
  4. https://radiologybusiness.com/topics/health-it/enterprise-imaging/imaging-informatics/us-radiology-specialists-will-pay-450k-failing-upgrade-hardware-prevent-ransomware-attack
  5. https://www.auntminnie.com/practice-management/medicolegal/article/15638332/us-radiology-fined-450k-in-data-breach
  6. https://hickoryrecord.com/news/state-regional/business/novant-eliminating-160-jobs-in-largest-workforce-reduction-in-8-years/article_2ec91a3f-30b9-5cbe-a77e-08e6ed553693.html
  7. https://ag.ny.gov/sites/default/files/settlements-agreements/us-radiology-aod.pdf
  8. https://www.wsj.com/articles/radiology-group-sues-broker-over-lapsed-cyber-insurance-policy-c3dee8b5
  9. https://www.dataguidance.com/news/new-york-ag-enters-450000-settlement-us-radiology-over
  10. https://radiologybusiness.com/topics/healthcare-management/medical-practice-management/class-action-follows-data-breach
  11. https://healthitsecurity.com/news/ny-ag-secures-450k-from-us-radiology-over-data-security-failures
  12. https://www.hipaajournal.com/february-2022-healthcare-data-breach-report/
  13. https://www.law.com/radar/card/young-v-us-radiology-specialists-inc-48321339-0/
  14. https://www.bankinfosecurity.com/ny-ag-hits-radiology-group-450k-fine-in-sonicwall-hack-a-23558
  15. https://www.classaction.org/media/j-hanna-et-al-v-us-radiology-specialists-inc.pdf
Breach Submission Date Feb 18, 2022
Converted Entity Name US Radiology Specialists, Inc.
Converted Entity Type Business Associate
State NC
Individuals Affected 87,552
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes