New York’s Attorney General has fined US Radiology Specialists $450,000 for failing to update its IT systems—a move that could have prevented a 2021 ransomware attack.
Letitia James on Wednesday specifically cited practice affiliate Windsong Radiology Group, which has six offices across western New York. An investigation by the AG found that USRS “did not prioritize upgrading its hardware,” leaving its network vulnerable to hackers and eventually resulting in a cyberattack that impacted more than 92,000 New Yorkers.
Along with paying the penalty, Raleigh, North Carolina-based US Radiology Specialists also has agreed to fortify its information technology infrastructure, properly secure networks and update related internal policies.
“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” James said in a Nov. 8 announcement of the settlement. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment.”
In a statement, a spokesperson said USRS notified individuals and regulators including the attorney general about the IT incident. Since learning of the breach in 2021, the radiology group has implemented “additional data security enhancements” and continues to improve its processes and related technology.
“As part of the regulatory response to the 2021 incident, US Radiology has entered into a voluntary settlement agreement with the New York attorney general,” the spokesperson told Radiology Business Thursday. “US Radiology is pleased to resolve this matter and remains committed to protecting patient, provider and employee data.”
Attorney General James contended that USRS “failed to quickly update its firewall to protect itself and its partner companies’ networks from cyberthreats.” Stemming from this alleged oversight, a “threat actor” gained access to its network and stole personal health information from a total of 198,260 patients across the U.S. Compromised information included patient and provider names, dates of birth, social security, driver’s license and passport numbers, patient IDs, types of radiology exams, diagnoses and health insurance info.
Patients filed a class-action lawsuit against US Radiology Specialists in October 2022 over the data breach, also citing impacted affiliates in North Carolina, Arizona and Texas. At the time, plaintiffs charged that USRS failed in its responsibility to secure and protect this sensitive patient information.
USRS reportedly used cybersecurity technology from vendor SonicWall. Ransomware gangs also targeted the same vulnerability in other attacks, Recorded Future News noted Nov. 8. The radiology provider was unable to install a firmware patch because its SonicWall hardware was at the end of its useful life and no longer supported. IT leaders had planned to replace the system in July 2021 but the project was delayed “due to competing priorities and resource restraints,” the report noted.
Backed by private equity firm Welsh, Carson, Anderson & Stowe, USRS bills itself as one of the country’s “premier physician-owned radiology groups.” It employs nearly 5,000 team members and operates 180-plus outpatient imaging centers across 14 states, with its team conducting almost 8 million studies annually.
Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic.