Hackers Hit Medical Imaging Services Centers in NY, Texas

A New York medical imaging services provider is notifying nearly 606,000 individuals that their information was potentially accessed and copied in a recent hacking incident. The entity is one of several medical imaging centers that have reported major hacking breaches in recent weeks and months.

See Also: OnDemand | Cutting Through the Hype: What Software Companies Really Need from ASPM

East River Medical Imaging, which has three locations in Manhattan and one in Westchester County, said the incident may have affected both patients and employees.

ERMI said that on Sept. 20 it had identified suspicious activity within its IT network. “We immediately initiated our incident response process, began an investigation with the assistance of a cybersecurity firm and notified law enforcement,” ERMI said.

The practice’s investigation determined that an unauthorized party had accessed its network and, between Aug. 31 and Sept. 20, 2023, viewed and copied some documents on its system.

The entity reported the incident to the U.S. Department of Health and Human Services on Nov. 22 as a hacking incident involving a network server affecting 605,809 individuals. It is unclear whether that figure includes employees as well as patients.

EMRI did not immediately respond to Information Security Media Group’s request for additional details about the incident.

ERMI’s report to HHS’ Office for Civil Rights about the incident is similar to a breach report filed on Nov. 3 by South Austin Health Imaging, which does business as Longhorn Imaging Center. The Texas-based medical imaging provider told regulators its hacking incident had also involved a network server – plus “other” IT – and affected about 100,643 individuals.

Longhorn Imaging does not have a public breach notice about the incident posted on its website. The entity did not immediately respond to ISMG’s request for a copy of its breach notice and for details about the incident.

The HHS OCR and Maine attorney general breach reporting websites show about a half dozen major breaches reported so far in 2023 by medical imaging providers. The largest of those is the ERMI breach.

In 2022, Shields Health Care Group, a Massachusetts-based medical imaging services provider, informed regulators of a hacking incident affecting 2 million individuals – the fourth-largest health data breach recorded by HHS OCR this year.

Medical imaging providers are attractive targets for cybercriminals, some expert said. “In addition to the data carried with medical imaging, the images themselves are evidence of a medical condition, and knowledge of those conditions can facilitate fraud – calling a patient and referring to the condition to extort or redirect payment,” said Mike Hamilton, CISO and co-founder of security firm Critical Insight.

“Further, the records certainly qualify as privacy information, and threatening the victim organization with releasing the records to cause a class action suit is becoming a common practice,” he added.

Specialty Targets

The recent attacks on the New York and Texas medical imaging services providers are also among the major hacking incidents reported in recent weeks involving various other kinds of specialty healthcare providers.

Seattle-based surgical group Proliance Surgeons recently began notifying nearly 437,400 individuals that their information potentially had been compromised in a ransomware and data theft incident earlier this year (see: Surgical Practice Notifying 437,400 Patients of Data Theft).

“Digital transformation across the sector, including and perhaps especially among specialty providers, has dramatically increased the attack surface,” said Scott Small, director of cyber threat intelligence at security firm Tidal Cyber.

The rise in internet-connected and digital healthcare technology provides more opportunities for identity- and vulnerability-based attacks that have been hallmarks of ransomware and extortion operations in recent years, he said.

Often specialty healthcare providers “appear to be in denial, convincing themselves that they are too small or not well known enough to be a target,” said Jon Moore, chief risk officer at privacy and security consultancy Clearwater.

“That is naive thinking that has resulted in significant losses for many who engage in it,” he said. “The reality is that in many cases they are easier targets and quicker paydays for cybercriminals due to their immature cybersecurity programs relative to the volume of records they maintain or ransoms they are willing to pay when taken offline.”

Healthcare organizations, including specialty providers, should remain aware of the very concrete threat these groups pose to their operations and data, Small said.

Entities should prioritize implementation and review of specific security measures, including asset inventory, vulnerability patch management and credential-related controls and defenses, including wide multifactor authentication, he said.