DataBreaches.Net

HHS warns entities; patients file potential class action lawsuit over PACS breach

Posted on July 12, 2021 by Dissent

HHS recently issued an alert about a known vulnerability that allows access to some picture archiving and communication systems (PACS). The vulnerability was first reported two years ago, reported again months later, and has been the subject of updated alerts since then. HHS is advising entities to treat this as a priority now if they have not already done so.

The executive summary from the alert, which was published June 29, explains:

Picture Archiving Communication Systems (PACS) are widely used by hospitals, research institutions, clinics and small healthcare practices for sharing patient data and medical images. In 2019, researchers disclosed a vulnerability in these systems that demonstrated if the systems were exploited there could potentially be an issue with exposed patient data. These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continue to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Healthcare organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.

In related news, two patients have filed a potential class action lawsuit against two entities that had disclosed a breach back in 2020: Northeast Radiology and its business associate, Alliance Healthcare Services.

Northeast had been specifically mentioned by Zack Whittaker in a January 2020 report following up on the original vulnerability research. In his report on TechCrunch, Whittaker noted that Northeast had not responded to the researchers’ notification in 2019:

Northeast Radiology, a partner of Alliance Radiology, had the largest cache of exposed medical data in the U.S., according to Greenbone’s data, with more than 61 million images on about 1.2 million patients across its five offices. The server was secured only after TechCrunch followed up a month after Greenbone first warned the organization of the exposure.

Alliance spokesperson Tracy Weise declined to comment.

Northeast was sued shortly thereafter, but the radiology practice claimed that there was no evidence of any access to its patients’ files. In March 2020, that changed: Northeast revealed that Alliance had notified it that patient records had been accessed, although it did not know how many records had been accessed in total.

Now two more patients have filed a new suit. The new complaint is Jose Aponte II and Lisa Rosenberg v. Northeast Radiology P.C. and Alliance Healthcare Services Inc. (Case 1:21-cv-05883 in the Southern District of New York).

It does not appear that either of the two named plaintiffs is claiming that they have been the victim of any fraud or misuse of their information. Their claim seems to be about what might happen imminently. If nothing has happened since 2019 when the data were allegedly accessed, then it seems a bit unconvincing to argue that harm or injury is now “imminent,” but I expect that we’ll see what the court says about Article III standing.


Category: Exposure, Health Data, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.