NY AG Hits Radiology Group With $450K Fine in SonicWall Hack

New York state regulators fined one of the nation’s largest physician-owned radiology groups $450,000 in the aftermath of a 2021 ransomware incident that compromised sensitive information of nearly 200,000 patients.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

Under the agreement with the New York attorney general office, Raleigh, North Carolina-based US Radiology Specialists – which provides managed services to its partner radiology practices in 15 states, including Windsong Radiology Group in New York – will take steps to improve its data security practices and network security.

That includes implementing an IT asset management program for identifying, reporting and prioritizing replacement or updates of IT assets; encrypting patient data that is collected, stored and transmitted; maintaining a penetration testing program; and implementing policies and procedures to permanently delete its patients’ personal data when it is no longer needed.

“US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment,” said New York Attorney General Letitia James.

“In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems,” she added.

Breach Details

Settlement documents in the case show the incident involved exploitation of a zero-day vulnerability discovered in late January 2021 that affected the radiology group’s end-of-life SonicWall firewall (see: SonicWall Investigating Zero-Day Attacks Against Its Products).

Although SonicWall released a firmware patch in early February 2021, US Radiology did not apply the fix because it had planned to replace its affected legacy hardware. But the replacement project slated for July 2021 was delayed – and a threat actor was able to gain access to the firewall in December 2021.

During the course of the forensic investigation, cybersecurity experts engaged with the threat actor, who provided evidence of having possession of the exfiltrated data, settlement documents say.

HIPAA-protected health information exposed in the breach included names, birthdates, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and possibly health insurance ID numbers. The incident affected nearly 93,000 New Yorkers.

US Radiology emailed a statement to Information Security Media Group saying that since 2021 it has implemented data security enhancements and continues to improve its technology and processes.

”US Radiology is pleased to resolve this matter and remains committed to protecting patient, provider, and employee data,” the company said.

The settlement between US Radiology and New York over the ransomware breach comes right on the heels of the U.S. Department of Health and Human Services’ Office for Civil Rights last month taking its first HIPAA enforcement in a ransomware incident.

In that settlement, Massachusetts-based Doctor Management Group agreed to a $100,000 financial penalty and three years of HIPAA compliance monitoring following an investigation into a ransomware breach reported in 2019 as affecting nearly 206,700 individuals (see: Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach).