The U.S. Department of Health and Human Services has cited security risk analysis failures in connection with a hacking incident that affected nearly 300,000 individuals. Northeast Radiology, P.C., a medical imaging practice with offices in New York and Connecticut, has agreed to pay $350,000 to settle potential HIPAA violations uncovered during the investigation into the 2020 breach.
In addition to the financial settlement, Northeast Radiology has agreed to implement a corrective action plan that will be monitored by the federal agency for two years. This settlement marks the sixth enforcement action by HHS OCR under the HIPAA risk analysis enforcement initiative launched last year. The lack of a proper risk analysis has been a recurring issue in many HIPAA breach investigations and audits conducted by HHS OCR.
Anthony Archeval, the acting director of HHS OCR, emphasized the importance of conducting a thorough risk analysis to identify and protect electronic protected health information. Failure to do so often leads to future HIPAA breaches, as was the case with Northeast Radiology’s compromised radiology images stored on their picture archiving server.
The breach, which occurred between April 2019 and January 2020, exposed the information of 298,532 patients. The investigation revealed that Northeast Radiology had failed to conduct an accurate and thorough risk analysis to assess the vulnerabilities in their information systems.
As part of the corrective action plan, Northeast Radiology will conduct a comprehensive HIPAA security risk analysis, develop an enterprise-wide risk management plan, and regularly update their risk analysis in response to changes affecting the security of electronic protected health information. HHS OCR will review and monitor the implementation of these measures for the next two years.
Experts have raised concerns about HHS OCR’s ability to effectively monitor compliance with HIPAA settlement agreements following the restructuring and downsizing initiatives announced by HHS Secretary Robert Kennedy Jr. The closure of regional offices and reduction in workforce may impact the agency’s ability to enforce HIPAA regulations effectively.
Despite these challenges, HHS OCR remains committed to upholding HIPAA standards and ensuring that healthcare organizations take the necessary steps to safeguard patient information. The settlement with Northeast Radiology serves as a reminder of the importance of conducting regular risk analyses and implementing robust security measures to prevent data breaches and protect patient privacy.