NY AG Secures $450K From US Radiology Over Data Security Failures

November 13, 2023 - New York Attorney General Letitia James announced a $450,000 settlement with US Radiology Specialists over alleged health data security failures that resulted in a ransomware attack. The Attorney General’s investigation revealed that US Radiology had not prioritized updating its hardware, leaving its network exposed to a known vulnerability.

The company, a large private radiology group that provides managed services to partner companies, suffered a ransomware attack and breach in December 2021 that impacted more than 198,000 individuals.

The impacted information included patient names, Social Security numbers, diagnoses, health insurance ID numbers, passport numbers, patient IDs, driver’s license numbers, provider names, and dates of service.

As a result of the investigation, US Radiology agreed to pay $450,000 in penalties to New York and update its IT infrastructure and data security policies.

Specifically, US Radiology agreed to encrypt the patient information that it collects and stores, develop a testing program to remediate security vulnerabilities, and implement procedures that permanently delete patient data when there is no longer a business reason to maintain it.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care. US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment,” James stated.

“In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

James’ office has announced multiple settlements In the past few months surrounding data breach investigations. For example, in October, James announced a $350,000 settlement with Personal Touch Holding Corporation, a Long Island-based home healthcare company. Personal Touch suffered a ransomware attack in January 2021. The settlement resolved allegations of data security failures that resulted in the attack and violated state law and HIPAA in the process.

Also in October, a multistate coalition that included James secured $49.5 million from cloud company Blackbaud over a massive 2020 data breach. These settlements show that data breaches and data security failures are a focus area not just for the federal government, but at the state level as well.