DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

HHS Office for Civil Rights Settles HIPAA Security Rule Investigation; Northeast Radiology agrees to corrective action plan and $350,000 monetary penalty

Posted on April 10, 2025 by Dissent

Over the past few years, DataBreaches has reported on a breach involving Northeast Radiology and its business associate, Alliance Healthcare Services. In March 2020, Northeast Radiology revealed its patient data was involved in a breach Alliance notified them about in January, 2020. TechCrunch had contacted Northeast Radiology about its unpatched PACS servers in 2019, but had gotten no reply. In 2020, TechCrunch reported:

Northeast Radiology, a partner of Alliance Radiology, had the largest cache of exposed medical data in the U.S., according to Greenbone’s data, with more than 61 million images on about 1.2 million patients across its five offices. The server was secured only after TechCrunch followed up a month after Greenbone first warned the organization of the exposure.

Alliance spokesperson Tracy Weise declined to comment.

Now we learn that HHS OCR had opened its own investigation and has settled charges against Northeast Radiology, P.C. (NERAD):

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. (NERAD), a professional corporation that provides clinical services at medical imaging centers in New York and Connecticut, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

[…]

OCR initiated its investigation of NERAD after receiving a breach report from NERAD in March 2020 about a breach of unsecured ePHI. NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

Under the terms of the resolution agreement, NERAD agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $350,000 to OCR. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

[…]

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-settlement-nerad.pdf, opens in a new tab [PDF, 369 KB]

Category: HackHealth Data

Post navigation

← Major data breach affects multiple Dutch ministries, impact still unclear
Physicians’ billing and revenue management firm hit by LockBit →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Major trial underway for data leak that left 72,000 victims in France
  • Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
  • HealthEC Agrees to $5.48 Million Settlement to End Data Breach Lawsuit
  • US offering $10 million for info on Iranian hackers behind IOControl malware
  • Sompo Japan Insurance submits improvement plan after info leakage
  • Moreno Valley, Calif., Schools Report Data Breach
  • The Growing Cyber Risks from AI — and How Organizations Can Fight Back
  • Credit Control Corporation data allegedly from 9.1 million consumers listed for sale on forum
  • Copilot AI Bug Could Leak Sensitive Data via Email Prompts
  • FTC Provides Guidance on Updated Safeguards Rule

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Vermont signs Kids Code into law, faces legal challenges
  • Data Categories and Surveillance Pricing: Ferguson’s Nuanced Approach to Privacy Innovation
  • Anne Wojcicki Wins Bidding for 23andMe
  • Would you — or wouldn’t you?
  • New York passes a bill to prevent AI-fueled disasters
  • Synthetic Data and the Illusion of Privacy: Legal Risks of Using De-Identified AI Training Sets
  • States sue to block the sale of genetic data collected by DNA testing company 23andMe

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.