DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates

Posted on June 21, 2014 by Dissent

Usually when I see an envelope from NRAD Medical Associates, P.C. in my mail, it concerns a radiology bill or insurance matter following services there. But today, I opened the envelope to find a breach notification.

Their notification, signed by their president, vice-president, and secretary-treasuresr, begins with the now somewhat pro forma statement about how they are seriously committed to the privacy and security of their patients’ information, which is why they want us to know of a security concern. Of course, at least part of the reason they are letting us know is because under HITECH, they have to. In any event, let’s get to the guts of their notification:

On or about April 24, 2014, it was discovered that an employee radiologist accessed and acquired protected health information from NRAD’s billing systems without authorization. This included some personal information, including patient names and addresses, dates of birth, social security numbers and health insurance, diagnosis codes and procedure codes.

They do not indicate when the breach occurred or how it was discovered.

NRAD states that they have

no evidence that the information has been disclosed to or used by any third parties and have no evidence that your credit card, banking or other financial information was accessed. We believe there to be low risk to this incident, but any risk is unacceptable.

In response to the discovery, NRAD “immediately implemented enhanced security measures,” and recommended that patients contact one of the three major credit bureaus to place a fraud alert on credit reports.

They also established a toll-free number, and posted a copy of the notification and an FAQ on their web site.

In the FAQ, they state that the radiologist is “no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation.” The breach was also reported to HHS.

A call to their hotline requesting a police report number and asking how the breach was discovered required the hotline representative to forward my inquiry to others, who have yet to return my call after a few hours, so it is not clear whether they even reported this matter to the police.  If they do return the call, I’ll also inquire as to when the breach occurred, and will update this post.

In terms of the scope of the breach, NRAD reports that it affects approximately 97,000 current and former patients, which they state is approximately 12% of the more than 800,000 patients they have treated over the past 20 years. It was not clear from their letter whether all 800,000 current and former patients’ information was still in their billing system (and if so, why). I asked the hotline representative whether there were 800,000 patients’ information in their billing system and she said there was.  I hope the hotline representative was wrong about that.

NRAD did not offer affected patients any free credit monitoring services. Given the types of personal information acquired, their failure to offer some free services is somewhat surprising and may come back to bite them in the way of lawsuits from unhappy patients who may now be worried about identity theft. Credit monitoring wouldn’t prevent medical identity theft, of course, and the notification letter does not suggest patients check their explanation of benefits statements from their insurers, so I’ll suggest it.

As a patient of NRAD, I have always been very happy with their medical services, and after a decade or more of reporting on breaches, I realize that pretty much any covered entity can experience a breach. But I also have enough experience to recognize when an apology, however sincere, and “we’ve  implemented enhanced security measures” are not enough in the way of mitigation. NRAD can and should do better.

NOTE: updates to this post will appear on the mirrored post on DataBreaches.net. The breach is starting to get local media attention, as I’ve been contacted by both NBC and ABC today.

Category: Uncategorized

Post navigation

← Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates – Update 4
Laptop stolen from Colorado Neurodiagnostics contained PHI →

2 thoughts on “Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates”

  1. Anonymous says:
    June 26, 2014 at 12:56 am

    Several years ago, the company I worked for was informed that our Oxford Insurance along with Oxford members throughout Long Island had their personal data stolen. Oxford gave every member affected (which numbered in the thousands) a year of free online security, which to this day I have kept on my own, as it has proven to be an extremely valuable tool to protect my credit, especially from identity theft. With the breach at NRAD, maybe they should have been a little more proactive and saved the apology.

    1. Anonymous says:
      June 26, 2014 at 7:16 am

      I don’t recall any breach involving Oxford Insurance from a few years ago. Would you be kind enough to email me at admin[at]phiprivacy[dot]net with some details on what happened back then?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.