HHS recently issued an alert about a known vulnerability allowing access to some picture archiving communications systems (PACS). The vulnerability had been reported two years ago, and again months later, and there had been updated alerts since then. HHS is advising entities to address this as a priority now if they have not done so already.
The executive summary from the alert, which was published June 29, explains:
Picture Archiving Communication Systems (PACS) are widely used by hospitals, research institutions, clinics and small healthcare practices for sharing patient data and medical images. In 2019, researchers disclosed a vulnerability in these systems that demonstrated if the systems were exploited there could potentially be an issue with exposed patient data. These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Healthcare organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.
In related news, two patients have filed a potential class action lawsuit against an entity that had disclosed its breach back in 2020 — Northeast Radiology and its business associate, Alliance Healthcare Services.
Northeast had been specifically mentioned by Zack Whittaker in a January 2020 report following up on the original vulnerability research. In his report on TechCrunch, Whittaker noted that Northeast had not responded to the researchers’ notification in 2019:
Northeast Radiology, a partner of Alliance Radiology, had the largest cache of exposed medical data in the U.S., according to Greenbone’s data, with more than 61 million images on about 1.2 million patients across its five offices. The server was secured only after TechCrunch followed up a month after Greenbone first warned the organization of the exposure.
Alliance spokesperson Tracy Weise declined to comment.
Northeast was sued shortly thereafter, but the radiology practice claimed that there had been no evidence of any access to its patients’ files. In March 2020, that changed, and Northeast revealed that Alliance had notified it and that patient records had been accessed, although they had no idea how many may have been accessed altogether.
Now two more patients have filed a new suit. The new complaint is Jose Aponte II and Lisa Rosenberg v. Northeast Radiology P.C. and Alliance Healthcare Services Inc. (Case 1:21-cv-05883 in the Southern District of New York).
It does not appear that either of the two named plaintiffs is claiming that they have been the victim of any fraud or misuse of their information. Their claim seems to be about what might happen imminently. If nothing has happened since 2019 when the data were allegedly accessed, then it seems a bit unconvincing to argue that harm or injury is now “imminent,” but I expect that we’ll see what the court says about Article III standing.