by John R. Fischer, Senior Reporter | November 15, 2023
For failing to fix a vulnerability that led to over 198,000 patients’ personal and health data being stolen in a ransomware attack, US Radiology Specialists has agreed to pay $450,000 to New York State.
The private radiology group provides financial and operational support to physician-owned practices and diagnostic imaging centers, including Windsong Radiology Group, a Buffalo-based business with six offices in Western New York. In December 2021, a threat actor breached US Radiology Specialists’ network and stole information belonging to 198,260 patients, including 92,540 New Yorkers.
Through an investigation, New York Attorney General Letitia James’ office found that the company was aware of a vulnerability in its firewall but failed to patch it, allowing the attackers to steal names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers.
“US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems,” said Attorney General James in a statement.
In addition to its payment, US Radiology Specialists will update its IT infrastructure, properly secure its networks, and adopt new data security policies to better protect patient information, including:
– Enhancing and maintaining its existing written information security program
– Creating and implementing an IT asset management program to oversee replacements and updates
– Encrypting personal information that it collects, stores, transmits, and maintains
– Developing and maintaining a penetration testing program for regularly identifying and remediating all security vulnerabilities found during testing
– Implementing policies and procedures outlining circumstances for permanently deleting patients’ personal data when there is no reasonable business purpose to retain it
A US Radiology Specialists spokesperson told HCB News that the company previously notified individuals and regulators, including the New York attorney general, about the incident.
“Since learning of the incident in 2021, US Radiology has implemented additional data security enhancements and continues to improve our technology and processes to protect IT infrastructure … US Radiology is pleased to resolve this matter and remains committed to protecting patient, provider, and employee data,” he said.
US Radiology Services provides services in 15 states to its partner practices, including Windsong Radiology Group.