DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates

Posted on June 21, 2014 by Dissent

Usually when I see an envelope from NRAD Medical Associates, P.C. in my mail, it concerns a radiology bill or insurance matter following services there. But today, I opened the envelope to find a breach notification.

Their notification, signed by their president, vice-president, and secretary-treasuresr, begins with the now somewhat pro forma statement about how they are seriously committed to the privacy and security of their patients’ information, which is why they want us to know of a security concern. Of course, at least part of the reason they are letting us know is because under HITECH, they have to. In any event, let’s get to the guts of their notification:

On or about April 24, 2014, it was discovered that an employee radiologist accessed and acquired protected health information from NRAD’s billing systems without authorization. This included some personal information, including patient names and addresses, dates of birth, social security numbers and health insurance, diagnosis codes and procedure codes.

They do not indicate when the breach occurred or how it was discovered.

NRAD states that they have

no evidence that the information has been disclosed to or used by any third parties and have no evidence that your credit card, banking or other financial information was accessed. We believe there to be low risk to this incident, but any risk is unacceptable.

In response to the discovery, NRAD “immediately implemented enhanced security measures,” and recommended that patients contact one of the three major credit bureaus to place a fraud alert on credit reports.

They also established a toll-free number, and posted a copy of the notification and an FAQ on their web site.

In the FAQ, they state that the radiologist is “no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation.” The breach was also reported to HHS.

A call to their hotline requesting a police report number and asking how the breach was discovered required the hotline representative to forward my inquiry to others, who have yet to return my call after a few hours, so it is not clear whether they even reported this matter to the police.  If they do return the call, I’ll also inquire as to when the breach occurred, and will update this post.

In terms of the scope of the breach, NRAD reports that it affects approximately 97,000 current and former patients, which they state is approximately 12% of the more than 800,000 patients they have treated over the past 20 years. It was not clear from their letter whether all 800,000 current and former patients’ information was still in their billing system (and if so, why). I asked the hotline representative whether there were 800,000 patients’ information in their billing system and she said there was.  I hope the hotline representative was wrong about that.

NRAD did not offer affected patients any free credit monitoring services. Given the types of personal information acquired, their failure to offer some free services is somewhat surprising and may come back to bite them in the way of lawsuits from unhappy patients who may now be worried about identity theft. Credit monitoring wouldn’t prevent medical identity theft, of course, and the notification letter does not suggest patients check their explanation of benefits statements from their insurers, so I’ll suggest it.

As a patient of NRAD, I have always been very happy with their medical services, and after a decade or more of reporting on breaches, I realize that pretty much any covered entity can experience a breach. But I also have enough experience to recognize when an apology, however sincere, and “we’ve  implemented enhanced security measures” are not enough in the way of mitigation. NRAD can and should do better.

NOTE: updates to this post will appear on the mirrored post on DataBreaches.net. The breach is starting to get local media attention, as I’ve been contacted by both NBC and ABC today.

Category: Uncategorized

Post navigation

← Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates – Update 4
Laptop stolen from Colorado Neurodiagnostics contained PHI →

2 thoughts on “Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates”

  1. Anonymous says:
    June 26, 2014 at 12:56 am

    Several years ago, the company I worked for was informed that our Oxford Insurance along with Oxford members throughout Long Island had their personal data stolen. Oxford gave every member affected (which numbered in the thousands) a year of free online security, which to this day I have kept on my own, as it has proven to be an extremely valuable tool to protect my credit, especially from identity theft. With the breach at NRAD, maybe they should have been a little more proactive and saved the apology.

    1. Anonymous says:
      June 26, 2014 at 7:16 am

      I don’t recall any breach involving Oxford Insurance from a few years ago. Would you be kind enough to email me at admin[at]phiprivacy[dot]net with some details on what happened back then?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.