(WNY News Now) – New York Attorney General Letitia James has successfully negotiated a $450,000 settlement with US Radiology Specialists, Inc. over a data breach affecting more than 92,000 New Yorkers. The agreement follows an investigation revealing the company’s failure to safeguard patient data, resulting in a ransomware attack.
New York – In a significant development, New York Attorney General Letitia James has secured a $450,000 settlement from US Radiology Specialists, Inc. (US Radiology) for its negligence in protecting the personal and health care data of patients. The investigation, conducted by the Office of the Attorney General (OAG), revealed that the radiology group’s outdated hardware left its network vulnerable to a ransomware attack, impacting over 92,000 New Yorkers.
US Radiology, a major private radiology group providing services to partner companies like Windsong Radiology Group, failed to prioritize upgrading its hardware, leaving in place a known vulnerability that threat actors exploited. The ransomware attack, which occurred in December 2021, exposed the personal and health information of 198,260 patients, 92,540 of them residents of New York. The compromised data included sensitive information such as names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers.
Attorney General James emphasized the importance of companies proactively upgrading their IT infrastructure and implementing robust security measures in the face of increasing cyber threats. “When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”
As part of the settlement agreement, US Radiology has agreed to pay $450,000 in penalties to the state of New York. Additionally, the company commits to updating its IT infrastructure, securing its networks, and revising its data security policies to prevent future breaches.
The OAG’s investigation concluded that US Radiology had failed to adopt reasonable data security practices, specifically in protecting its firewall from a known vulnerability. The radiology group has agreed to implement several measures to strengthen its network security:
- Enhancing and maintaining its existing written information security program.
- Creating and implementing an IT asset management program for identifying, reporting, and prioritizing replacement or updates of IT assets.
- Encrypting patients’ personal information during collection, storage, transmission, and maintenance.
- Developing and maintaining a penetration testing program to identify and remediate security vulnerabilities regularly.
- Implementing policies and procedures to permanently delete patients’ personal data when there is no reasonable business purpose to retain it.
Attorney General James has been actively pursuing actions to safeguard New Yorkers’ personal information and hold companies accountable for poor data security practices. This settlement with US Radiology follows recent successes, including a $350,000 settlement with Personal Touch, a Long Island health care company, and a $49.5 million settlement with Blackbaud, a cloud company, for a 2020 data breach. Other notable cases include an agreement with Marymount Manhattan College to invest $3.5 million in protecting students’ online data and a $550,000 settlement with a medical management company for failing to protect patient data.
The Attorney General’s commitment to data security is further evidenced by the release of a comprehensive data security guide for companies in April. In October 2022, she announced a $1.9 million agreement with the owner of SHEIN and Zoetop for mishandling a data breach that compromised the personal information of millions of consumers.




