HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Radiology Specialists Facing Class Action Lawsuit Over PACS Data Breach

A class action lawsuit has been filed in the New York Southern District Court against a radiology company and its vendor. The radiology specialists are alleged to have failed to secure their Picture Archiving Communication System (PACS) which contained the protected health information and medical images of patients.

In 2019, security researchers identified vulnerabilities in the PACS used by hospitals, clinics, and radiology companies to share medical images and data. The researchers analyzed more than 2,300 medical images, which were found to contain sensitive patient data. Northeast Radiology and its vendor, Alliance HealthCare Services, were among the companies affected and were notified about the exposed data by the researchers in December 2019.

Both radiology firms used medical imaging archiving software that permitted unauthorized individuals to gain access to medical images and protected health information. The researchers identified 61 million X-rays, CT scans, and MRIs that had been exposed, which included protected health information such as names, test results, medical record numbers, dates of service and, in some cases, Social Security numbers.

In March 2020, Northeast Radiology reported a PACS-related data breach to the Department of Health and Human Services Office for Civil Rights as affecting 298,532 individuals. The breach report explained that Alliance Health had exposed medical images and that its PACS was accessed by hackers between April 2019 and January 2020.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The lawsuit was filed by two patients against Northeast Radiology and Alliance HealthCare and alleges patient data was exposed for more than 9 months. According to the lawsuit, both companies were notified about the exposed data by the security researchers but failed to take any action to secure their PACS.

The lawsuit alleges the defendants were negligent and violated the Health Insurance Portability and Accountability Act (HIPAA) and state data protection laws by carelessly handling patient data and medical images, and also violated Federal Trade Commission (FTC) requirements. As a result of the failures, direct injury is alleged to have been caused to the plaintiffs and class members, including placing them at an increased risk of identity theft and fraud. In addition to exposing their protected health information, the lawsuit alleges insufficient notification was provided to victims of the data breach.

The patients seek compensatory and consequential damages and injunctive relief, including requiring the companies to make improvements to data security and monitoring, and submitting to future audits of their systems to ensure they are secured. The lawsuit also seeks credit monitoring and identity theft protection services for all class members.

Alliance Healthcare Services has said it plans to “vigorously defend” itself, and that the claims made in the lawsuit are “unfounded”.

In late June, the U.S. Department of Health and Human Services warned 130 hospitals and health systems about vulnerabilities in PACS that exposed sensitive healthcare data and urged them to take prompt action to ensure their PACS are correctly configured and patient data protected. The PACS used by those hospitals contained 275 million medical images, which included the protected health information of more than 2 million patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.