US Radiology Specialists has agreed to pay $450,000 in penalties following an investigation by New York Attorney General Letitia James. The penalty stems from the company’s failure to safeguard the personal and health care data of its patients, leaving its network exposed to a known vulnerability that resulted in a ransomware attack affecting over 92,000 New Yorkers.
The investigation revealed that US Radiology neglected to prioritize the upgrade of its hardware, leaving its network susceptible to exploitation. In December 2021, a hacker gained unauthorized access to the company’s network, compromising the personal and health information of 198,260 patients, including data from 92,540 individuals in New York. The stolen information encompassed names, dates of birth, social security numbers, driver’s license numbers, passport numbers, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and/or health insurance ID numbers.
Attorney General Letitia James emphasized that the breach underscored the critical need for companies to proactively address vulnerabilities in their computer hardware and systems, particularly in the face of escalating cyber threats and sophisticated scams aimed at pilfering private data.
The investigation concluded that US Radiology Specialists failed to implement reasonable data security practices, particularly in protecting its firewall from a known vulnerability. As part of the settlement, the company has committed to paying $450,000 in penalties to the state of New York. Additionally, US Radiology will undertake comprehensive measures, including updating its IT infrastructure, implementing robust network security measures, and revising its data security policies to prevent future breaches.
