DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Attorney General James Secures $450,000 from US Radiology Specialists for failing to protect patient data

Posted on November 8, 2023 by Dissent

The following press release from the NYS Attorney General’s Office relates to an incident previously noted on DataBreaches.net. The Assurance of Discontinuance provides details on the breach not previously known to this site and serves as a reminder of the need to timely update and patch.

NEW YORK – New York Attorney General Letitia James today secured $450,000 from US Radiology Specialists, Inc. (US Radiology) for failing to protect its patients’ personal and health care data. US Radiology partners with and acts as a service provider for facilities throughout the country, including the Windsong Radiology Group, which has six offices across Western New York. An investigation by the Office of the Attorney General (OAG) found that US Radiology did not prioritize upgrading its hardware, which left its network exposed to a known vulnerability, leading to a ransomware attack that affected more than 92,000 New Yorkers. As a result of today’s agreement, US Radiology has agreed to pay $450,000 in penalties to New York, update its IT infrastructure, properly secure its networks, and update its data security policies.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

US Radiology is a large private radiology group that provides managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York. US Radiology failed to quickly update its firewall to protect itself and its partner companies’ networks from cyber threats. In December 2021, a threat actor gained access to US Radiology’s network and stole the personal and health information of 198,260 patients, including the data of 92,540 New Yorkers. The stolen information included names, dates of birth, social security numbers, driver’s license numbers, passport numbers, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and/or health insurance ID numbers.

The OAG’s investigation concluded that US Radiology had failed to adopt reasonable data security practices to protect patients’ personal information by failing to protect its firewall from a known vulnerability.

As part of today’s agreement, US Radiology has agreed to pay $450,000 in penalties and adopt additional data security practices to strengthen its network, including:

  • Enhancing and maintaining its existing written information security program that ensures the security, integrity, and confidentiality of patients’ personal information;
  • Creating and implementing an IT asset management program for identifying, reporting, and prioritizing replacement or updates of IT assets;
  • Encrypting patients’ personal information that it collects, stores, transmits, and/or maintains;
  • Developing and maintaining a penetration testing program that regularly identifies and remediates any and all security vulnerabilities found during testing; and
  • Implementing policies and procedures that seek to permanently delete their patients’ personal data when there is no reasonable business purpose to retain it.

Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Earlier that month, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. Also in May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers.

This matter was handled by Assistant Attorney General Marc Montgomery and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.

Source:  NYS Attorney General Letitia James

us-radiology-aod

Related posts:

  • Attorney General James Secures $975,000 from Auto Insurance Company over Data Breach
  • Attorney General James Reaches Agreement with Marymount Manhattan College to Invest $3.5 Million to Protect Students’ Online Data
  • Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information
  • Attorney General James Reaches Agreement with Refuah Health Center to Invest $1.2 Million to Protect Patient Data and Pay $450,000 in Penalties to State
Category: Commentaries and AnalysesHackHealth DataOf NoteU.S.

Post navigation

← Hopewell Area School District is yet another victim in the education sector
Southwestern Ontario hospitals will rebuild network from scratch amid fallout from cyberattack; more data leaked →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.