Northeast Radiology, a medical imaging operator based in New York and Connecticut, has agreed to pay a $350,000 fine for a violation of HIPAA regulations. The penalty follows an investigation by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) into a data breach that occurred in 2020. During the breach, the electronic protected health information (ePHI) of 298,532 individuals was compromised due to vulnerabilities in the Picture Archiving and Communication System (PACS) used by the company. In addition to the financial penalty, Northeast Radiology must follow a detailed corrective action plan for the next two years to ensure ongoing compliance with HIPAA standards.
The breach first came to light when Northeast Radiology reported a hacking incident on March 11, 2020, which resulted in the exposure of medical images and other ePHI such as names, test results, medical record numbers, dates of service, and even Social Security numbers. Notably, security researchers had previously warned both Northeast Radiology and its vendor, Alliance HealthCare Services, about potential vulnerabilities in the PACS system. Despite these warnings, unauthorized parties were able to access sensitive patient data between April 2019 and January 2020.
Although the breach affected more than 298,000 individuals, Northeast Radiology clarified that only 29 individuals were directly impacted by the incident. OCR's investigation found that Northeast Radiology had failed to perform a comprehensive, HIPAA-compliant risk analysis, a core requirement of HIPAA's Security Rule. A thorough risk analysis is essential for identifying and addressing potential vulnerabilities affecting ePHI, and the absence of one was deemed a major oversight that ultimately contributed to the breach.
To rectify these shortcomings and prevent similar incidents in the future, Northeast Radiology is now required to execute a thorough risk analysis, devise a comprehensive risk management plan, and enhance its policies and procedures for protecting ePHI. Additionally, the company must establish regular reviews of information system activity, update its HIPAA and security training programs, and ensure that policies are distributed to all employees within the organization.
This settlement is a stark reminder to healthcare providers and other entities handling sensitive patient data of the importance of complying with HIPAA regulations and safeguarding ePHI against breaches. By following the corrective action plan and implementing the measures outlined by OCR, Northeast Radiology aims to strengthen its data security practices and build a culture of strict compliance within the organization, prioritizing the protection of patient privacy and confidentiality.