
New York AG Settles Data Breach Investigation of U.S. Radiology Specialists for $450,000

New York Attorney General Letitia James has announced a $450,000 settlement with U.S. Radiology Specialists Inc. to resolve allegations that it failed to protect patients’ personal and health information. U.S. Radiology Specialists is one of the largest private radiology groups in the country and acts as a service provider for healthcare facilities throughout the United States. It also partners with other radiology groups, including the Windsong Radiology Group, which operates 6 facilities in Western New York. Windsong, like other partner companies, relies on U.S. Radiology Specialists for numerous services, including network management and protection. The Office of the Attorney General of the State of New York opened an investigation into a large data breach that U.S. Radiology Specialists reported in 2021, to determine whether the breach was caused by a failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws.

U.S. Radiology Specialists protected the networks of its partners with a SonicWall firewall. On January 22, 2021, SonicWall alerted its customers about a coordinated cyberattack on its internal systems. Highly capable threat actors were thought to have exploited a zero-day vulnerability in SonicWall products that are used for remote access. A few days later, on January 31, 2021, researchers at NCC Group identified the likely vulnerability, and SonicWall issued a patch three days later.

U.S. Radiology Specialists used SonicWall hardware that was approaching end-of-life and, as a result, SonicWall did not provide a patch that could be applied to that hardware. The hardware needed to be upgraded before the patch could be applied to fix the vulnerability. Even though the vulnerability was known to have been exploited in attacks on SonicWall customers, U.S. Radiology Specialists scheduled the hardware upgrade for July 2021, and the hardware replacement project was then delayed due to competing priorities and resource constraints.

On December 8, 2021, an unauthorized individual gained access to U.S. Radiology Specialists’ SonicWall device with valid credentials, accessed the VPN, and then leveraged 101 additional credentials to access various network data folders over the following week. While the investigation into the breach did not confirm how the credentials were stolen, the SQL injection vulnerability identified by NCC Group and patched by SonicWall could have been exploited to obtain the credentials needed to access the SonicWall VPN.
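A defender-side check suggested by that chain, written here as an added example and not taken from the article, SonicWall, or U.S. Radiology Specialists: flag any VPN source that authenticates as an unusually large number of distinct accounts within a sliding window. The log format, account names and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real SonicWall format): timestamp, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_logins(lines):
    """Yield (timestamp, user, src) for successful logins; skip failures and junk."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "ok":
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["src"]

def credential_fanout(lines, window=timedelta(days=7), threshold=5):
    """Map each source that used >= threshold distinct accounts within one window to those accounts."""
    by_src = defaultdict(list)
    for ts, user, src in parse_logins(lines):
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= threshold:
                alerts[src] = sorted(users)   # accounts seen in the first window that trips
                break
    return alerts

# Constructed sample: jdoe logs in normally; 198.51.100.7 uses six accounts in four days.
SAMPLE_LOG = [
    "2021-12-07T08:02:11Z vpn-gw auth ok user=jdoe src=203.0.113.45",
    "2021-12-08T01:40:03Z vpn-gw auth fail user=admin src=198.51.100.7",
    "2021-12-08T01:41:27Z vpn-gw auth ok user=svc_backup src=198.51.100.7",
    "2021-12-09T02:03:10Z vpn-gw auth ok user=rsmith src=198.51.100.7",
    "2021-12-09T02:19:55Z vpn-gw auth ok user=pacs_admin src=198.51.100.7",
    "2021-12-10T03:07:21Z vpn-gw auth ok user=billing1 src=198.51.100.7",
    "2021-12-10T03:44:02Z vpn-gw auth ok user=mchen src=198.51.100.7",
    "2021-12-11T04:12:38Z vpn-gw auth ok user=radtech2 src=198.51.100.7",
]

if __name__ == "__main__":
    for src, users in credential_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src} used {len(users)} accounts: {', '.join(users)}")
```

A threshold of 5 is a placeholder; in practice it is tuned per environment, and sources that legitimately serve many users (shared NAT egress, jump hosts) are allow-listed.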


The third-party investigation of the attack was complex, required extensive analysis, and was not completed until August 2022. The investigation confirmed that the threat actor gained access to the protected health information (PHI) of 198,260 patients, including 92,540 Windsong patients who were New York residents, and that sensitive data had been exfiltrated by the attackers. The PHI exposed in the attack included names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers. The private information of 82,478 New Yorkers was also exposed, including names, driver’s license numbers, passport numbers, and Social Security numbers.

The New York Attorney General’s Office determined that U.S. Radiology Specialists had failed to adopt reasonable and appropriate data security practices to protect patient information when it did not address a known vulnerability within a reasonable time frame. The investigation was settled with no admission of liability. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty, update its IT infrastructure, ensure its networks are secured, update its data security policies, and implement and maintain a comprehensive information security program.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

The New York Attorney General has imposed financial penalties on several organizations over the past few months for data security failures. Personal Touch recently settled alleged HIPAA and state law violations for $350,000, the New York Attorney General participated in a multi-state investigation of Blackbaud and received a share of the $49.5 million settlement, and PracticeFirst Medical Management Solutions settled its investigation with the New York AG and paid a $550,000 penalty.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
