DataBreaches.Net


HHS warns entities; patients file potential class action lawsuit over PACS breach

Posted on July 12, 2021 by Dissent

HHS recently issued an alert about a known vulnerability allowing access to some picture archiving communications systems (PACS). The vulnerability had been reported two years ago, and again months later, and there had been updated alerts since then. HHS is advising entities to address this as a priority now if they have not done so already.

The executive summary from the alert, which was published June 29, explains:

Picture Archiving Communication Systems (PACS) are widely used by hospitals, research institutions, clinics and small healthcare practices for sharing patient data and medical images. In 2019, researchers disclosed a vulnerability in these systems that demonstrated if the systems were exploited there could potentially be an issue with exposed patient data. These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Healthcare organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.

In related news, two patients have filed a potential class action lawsuit against an entity that had disclosed its breach back in 2020: Northeast Radiology and its business associate, Alliance Healthcare Services.

Northeast had been specifically mentioned by Zack Whittaker in a January 2020 report following up on the original vulnerability research. In his report on TechCrunch, Whittaker noted that Northeast had not responded to the researchers’ notification in 2019:

Northeast Radiology, a partner of Alliance Radiology, had the largest cache of exposed medical data in the U.S., according to Greenbone’s data, with more than 61 million images on about 1.2 million patients across its five offices. The server was secured only after TechCrunch followed up a month after Greenbone first warned the organization of the exposure.

Alliance spokesperson Tracy Weise declined to comment.

Northeast was sued shortly thereafter, but the radiology practice claimed that there had been no evidence of any access to its patients’ files. In March 2020, that changed, and Northeast revealed that Alliance had notified it and that patient records had been accessed, although they had no idea how many may have been accessed altogether.

Now two more patients have filed a new suit. The new complaint is Jose Aponte II and Lisa Rosenberg v. Northeast Radiology P.C. and Alliance Healthcare Services Inc. (Case 1:21-cv-05883 in the Southern District of New York).

It does not appear that either of the two named plaintiffs is claiming that they have been the victim of any fraud or misuse of their information. Their claim seems to be about what might happen imminently. If nothing has happened since 2019 when the data were allegedly accessed, then it seems a bit unconvincing to argue that harm or injury is now “imminent,” but I expect that we’ll see what the court says about Article III standing.

 

Category: Exposure, Health Data, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.