HHS Highlights Security Vulnerabilities in Data Breach Affecting Nearly 300,000 Individuals

A medical imaging firm operating in New York and Connecticut has agreed to a settlement of $350,000 with federal regulators due to potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This enforcement action stems from an investigation into a hacking incident in 2020 that compromised the information of close to 300,000 patients.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that, alongside the monetary settlement, Northeast Radiology, P.C. is required to execute a corrective action plan monitored by HHS for a period of two years. This case marks the sixth enforcement action taken under HHS OCR’s HIPAA risk analysis initiative that commenced last year. Historically, weaknesses in HIPAA security risk analyses have been highlighted in numerous breach investigations and audits conducted by HHS OCR.
“A HIPAA risk analysis is crucial for recognizing where electronic protected health information (ePHI) is stored, as well as the security protocols protecting it,” stated Anthony Archeval, the acting director of HHS OCR. “Neglecting to perform a risk analysis often signals a high likelihood of future HIPAA breaches.”
The investigation into Northeast Radiology was triggered after HHS OCR received a breach report from the firm in March 2020 indicating that unprotected ePHI had been exposed. The report revealed that between April 2019 and January 2020, unauthorized parties accessed radiology images stored on the practice’s picture archiving and communications server.
According to HHS OCR, approximately 298,532 patients’ information was potentially accessible during the breach. The subsequent investigation uncovered that the firm failed to conduct a comprehensive risk analysis to identify and address the vulnerabilities associated with its ePHI systems.
As part of the corrective action plan, Northeast Radiology is now mandated to carry out a complete and accurate HIPAA security risk analysis. This assessment must include a comprehensive inventory of all electronic devices and data systems that contain or process ePHI, alongside their security arrangements. The findings will be submitted to HHS OCR for evaluation.
Ongoing compliance with the requirements laid out in the corrective action plan will be scrutinized by HHS OCR for two years. Additionally, the practice must conduct annual reviews and updates of its risk analysis in response to environmental or operational changes that might affect the security of its ePHI. Furthermore, Northeast Radiology is tasked with developing an enterprise-wide risk management plan to address risks identified within its current risk analysis.
Concerns are arising among experts about HHS OCR’s capacity to enforce compliance with HIPAA settlement agreements, particularly in light of announced staffing reductions and office closures within the department. “Questions linger regarding HHS OCR’s capabilities to monitor compliance effectively,” noted attorney David Holtzman, a former senior adviser at HHS OCR.
Framed in terms of the MITRE ATT&CK Matrix, initial access to Northeast Radiology’s systems could have involved vulnerabilities exploited through any of several methods the matrix catalogs, including techniques such as credential dumping and exploitation of application vulnerabilities. The need for robust cybersecurity measures remains clear as organizations like Northeast Radiology navigate the complexities of safeguarding sensitive health information.