A $450,000 settlement has been agreed between New York Attorney General Letitia James and US Radiology Specialists to resolve alleged data security failures that allowed a ransomware gang to access its network and steal the sensitive information of more than 198,000 individuals. US Radiology Specialists is a private radiology group that provides managed services for its partner companies, such as the Windsong Radiology Group, which operates six facilities in Western New York. In December 2021, a ransomware group exploited a known, unaddressed vulnerability to gain access to its systems, then exfiltrated data and encrypted files.
SonicWall had released patches for the vulnerability several months before the attack; however, the SonicWall hardware US Radiology Specialists was running was approaching end-of-life, and SonicWall did not release patches for that hardware. Addressing the vulnerability therefore required a hardware upgrade. The vulnerability was identified in January 2021, and US Radiology Specialists scheduled the hardware upgrade for July 2021, but the upgrade was then delayed due to competing priorities and resource constraints. The ransomware group exploited the vulnerability and stole sensitive patient data, including names, diagnoses, health insurance ID numbers, Social Security numbers, patient IDs, driver’s license numbers, provider names, and dates of service.
The investigation conducted by the Office of the New York Attorney General determined that the failure to prioritize the hardware upgrade needed to remediate a vulnerability known to have been exploited by ransomware groups violated New York’s data security laws. US Radiology Specialists chose to settle the investigation and agreed to pay $450,000 in penalties and to upgrade its IT infrastructure and its data security policies and practices.
The cybersecurity requirements of the settlement include enhancing its written information security program, creating and implementing an IT asset management program for identifying, reporting, and prioritizing replacement or updates of IT assets, encrypting patient data on its network, developing and maintaining a penetration testing program, ensuring any vulnerabilities found during testing are remediated promptly, and implementing policies and procedures to ensure that patients’ personal data are deleted when there is no longer a reasonable business purpose for retaining the data.
“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”
The New York Attorney General has taken a hard line in recent months on healthcare organizations found to have violated the HIPAA Security Rule and state data security laws. In October, a $350,000 settlement was agreed with the Long Island healthcare company Personal Touch to resolve allegations of data security failures that contributed to a 300,000-record data breach, and New York participated in a multi-state investigation of Blackbaud that resulted in a $49.5 million settlement. A $550,000 settlement was also agreed in May with an Erie County medical management company to resolve alleged data security and HIPAA compliance failures.