Radiology practice will pay $350,000 for allegedly violating HIPAA Rule prior to cyberattack
A private radiology practice will pay $350,000 to settle allegations it violated the HIPAA Security Rule, Health and Human Services announced Thursday.
The agreement is with Northeast Radiology, P.C. (NERAD), which provides clinical services and operates five locations across New York state and Connecticut. NERAD experienced a breach of its PACS (picture archiving and communication system) sometime between late 2019 and early 2020, and notified nearly 300,000 individuals about the incident.
The HHS Office for Civil Rights launched an investigation into the matter in March 2020. It discovered that Northeast Radiology allegedly failed to conduct a thorough risk analysis to determine potential vulnerabilities in its information systems.
“A HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it,” OCR Acting Director Anthony Archeval said in a statement April 10. “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”
Under the agreement, Northeast Radiology will implement a “corrective action plan,” to be monitored by the feds for two years. The practice must take steps to improve its compliance with the HIPAA Security Rule. This will include conducting a risk analysis, developing a written process to regularly review records such as audit logs, and augmenting its HIPAA and security training program. The Security Rule establishes standards to help radiology practices preserve the privacy and security of protected health information, officials noted.
This marks the sixth enforcement action in OCR’s Risk Analysis Initiative, according to the announcement. The agency urged healthcare providers to take steps to mitigate the risk of cyberattacks, including implementing regular reviews of IT system activity, encrypting protected health information in transit, and providing regular HIPAA training.
Northeast Radiology did not immediately respond to a request for comment late Thursday. Authorities emphasized that the agreement is not an admission, concession or evidence of liability by NERAD.
Back in 2020, Northeast Radiology had estimated that unauthorized individuals accessed personal information from 29 patients. However, it notified thousands of others out of an abundance of caution.
Patients later filed suit against Northeast Radiology and Alliance Healthcare Services in 2021, claiming the two did not do enough to prevent the breach. However, a federal judge tossed the proposed class-action suit in 2022.