The New York Attorney General has imposed a $450,000 fine on US Radiology Specialists, a large physician-owned radiology group, in the aftermath of a 2021 ransomware incident affecting nearly 200,000 patients, with a particular impact on approximately 93,000 New Yorkers. The settlement requires the radiology group to enhance its data security and network security practices, including the implementation of an IT asset management program, encryption of patient data, penetration testing, and the establishment of policies for the permanent deletion of patient data when no longer needed.
Furthermore, the incident involved the exploitation of a zero-day vulnerability in the radiology group’s end-of-life SonicWall firewall, which was left unpatched despite a firmware patch being released by SonicWall in February 2021. The delayed replacement project allowed threat actors to access the firewall in December 2021, leading to the compromise of sensitive patient information.
Additionally, New York Attorney General Letitia James emphasized that US Radiology’s failure to protect patient data and vulnerability to attacks resulted from outdated equipment, urging all companies to prioritize necessary upgrades and security fixes in the face of escalating cyber threats. The breached data, protected under HIPAA, included names, birthdates, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and possibly health insurance ID numbers.
The settlement highlights the need for robust cybersecurity measures in the healthcare sector, and it follows the U.S. Department of Health and Human Services’ Office for Civil Rights’ recent HIPAA enforcement action against Doctor Management Group, which agreed to a $100,000 penalty and three years of compliance monitoring following a 2019 ransomware breach affecting nearly 206,700 individuals.