Share this article on:
A class action lawsuit has been filed in the New York Southern District Court against a radiology company and its vendor. The radiology specialists are alleged to have failed to secure their Picture Archiving Communication System (PACS) which contained the protected health information and medical images of patients.
In 2019, security researchers identified vulnerabilities in the PACS used by hospitals, clinics, and radiology companies to share medical images and data. The researchers analyzed more than 2,300 medical images, which were found to contain sensitive patient data. Northeast Radiology and its vendor Alliance Health were among the companies affected and were notified about the exposed data by the researchers in December 2019.
Both radiology firms used medical imaging archiving software that permitted unauthorized individuals to gain access to medical images and protected health information. The researchers identified 61 million X-rays, CT scans, and MRIs that had been exposed, which included protected health information such as names, test results, medical record numbers, dates of service and, in some cases, Social Security numbers.
In March 2020, Northeast Radiology reported a PACS-related data breach to the Department of Health and Human Services Office for Civil Rights as affecting 298,532 individuals. The breach report explained that Alliance Health had exposed medical images and that its PACS was accessed by hackers between April 2019 and January 2020.
The lawsuit was filed by two patients against Northeast Radiology and Alliance HealthCare and alleges patient data was exposed for more than 9 months. According to the lawsuit, both companies were notified about the exposed data by the security researchers but failed to take any action to secure their PACS.
The lawsuit alleges the defendants were negligent and violated the Health Insurance Portability and Accountability Act (HIPAA) and state data protection laws by carelessly handling patient data and medical images, and also violated Federal Trade Commission (FTC) requirements. As a result of the failures, direct injury is alleged to have been caused to the plaintiffs and class members, including placing them at an increased risk of identity theft and fraud. In addition to exposing their protected health information, the lawsuit alleges insufficient notification was provided to victims of the data breach.
The patients seek compensatory and consequential damages and injunctive relief, including requiring the companies to make improvements to data security and monitoring, and submitting to future audits of their systems to ensure they are secured. The lawsuit also seeks credit monitoring and identity theft protection services for all class members.
Alliance Healthcare Services has said it plans to “vigorously defend” itself, and that the claims made in the lawsuit are “unfounded”.
In late June, the U.S. Department of Health and Human Services warned 130 hospitals and health systems about vulnerabilities in PACS that exposed sensitive healthcare data and urged them to take prompt action to ensure their PACS are correctly configured and patient data protected. The PACS used by those hospitals contained 275 million medical images, which included the protected health information of more than 2 million patients.