by John R. Fischer
, Senior Reporter | May 25, 2022
A federal judge has dismissed a lawsuit against Northeast Radiology and its vendor Alliance Healthcare Services in regard to a nine-month data breach of their PACS system that plaintiffs say posed direct harm to them and other patients.
Comprising four locations, Northeast Radiology is corporately managed by Alliance HealthCare Services, which is now part of Akumin, and has a PACS system that stores over 1.2 million patient records belonging to 298,532 patients. Vulnerabilities within it enabled unauthorized third-party users to hack the system between 2019 and 2020, according to SC Media
Law 360 reported
that only 29 patients were affected.
Filing their suit last July in the U.S. Southern District New York court, plaintiffs Jose Aponte II and Lisa Rosenberg said that both Northeast Radiology and Alliance Health were “careless” in protecting their information and that their actions violated federal and state law and failed to comply with the Health Insurance Portability and Accountability Act.
They alleged that this negligence created direct harm to patients by putting them at risk for ongoing identity theft and fraud. “Unlike a credit card, there is no way to cancel e-PHI,” said the victims in their suit.
But Judge Vincent Briccetti dismissed their claims on May 16 on the basis of a 2021 Supreme court ruling and said that the patients failed to show evidence of the direct harm they claimed to be at risk of now or in the future.
He said that Northeast Radiology did not allow “unauthorized access” by third parties that "intruded upon their seclusion” and that since there was no evidence of misuse, the allegations that the hackers intentionally hacked into their system to commit identify theft were highly unlikely. “Even if plaintiffs lost some measure of privacy and that privacy was part of the bargain for medical services, [they] haven’t alleged any concrete harm from the alleged data breach. If plaintiff[s] bargained for data security, and no third party has misused [their] data, then plaintiffs have received exactly what [they] paid for.”
Alliance notified patients in March 2020 of the hacking. Among the information exposed were names, dates of birth, exam descriptions, dates of service, medical images and details and corresponding social security numbers. The Department of Health and Human Services issued an alert to 130 health systems, warning them that the compromised system risked exposing images to unauthorized parties.
The dismissal could be used as an example to model deliberations on future healthcare data breach lawsuits, according to SC Media.