WGVA 106.3FM 1240AMMix 98.5101.7 The WallWFLR Finger Lakes Country Classic Hits 99.3The Lake 100.1/104.5 WAUB 96.3FM 1590AM

AG Secures $450K for WNY Medical Company Breach

SHARE NOW

New York Attorney General Letitia James has secured $450,000 from US Radiology Specialists, Inc. (US Radiology) for failing to protect its patients’ personal and health care data. US Radiology partners with and acts as a service provider for facilities throughout the country, including the Windsong Radiology Group, which has six offices across Western New York. An investigation by the Office of the Attorney General (OAG) found that US Radiology did not prioritize upgrading its hardware, which left its network exposed to a known vulnerability, leading to a ransomware attack that affected more than 92,000 New Yorkers. As a result of the agreement, US Radiology has agreed to pay $450,000 in penalties to New York, update its IT infrastructure, properly secure its networks, and update its data security policies.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

US Radiology is a large private radiology group that provides managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York. US Radiology failed to quickly update its firewall to protect itself and its partner companies’ networks from cyber threats. In December 2021, a threat actor gained access to US Radiology’s network and stole the personal and health information of 198,260 patients, including the data of 92,540 New Yorkers. The stolen information included names, dates of birth, social security numbers, driver’s license numbers, passport numbers, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and/or health insurance ID numbers.

The OAG’s investigation concluded that US Radiology had failed to adopt reasonable data security practices to protect patients’ personal information by failing to protect its firewall from a known vulnerability.

As part of the agreement, US Radiology has agreed to pay $450,000 in penalties and adopt additional data security practices to strengthen its network, including:

  • Enhancing and maintaining its existing written information security program that ensures the security, integrity, and confidentiality of patients’ personal information;
  • Creating and implementing an IT asset management program for identifying, reporting, and prioritizing replacement or updates of IT assets;
  • Encrypting patients’ personal information that it collects, stores, transmits, and/or maintains;
  • Developing and maintaining a penetration testing program that regularly identifies and remediates any and all security vulnerabilities found during testing; and
  • Implementing policies and procedures that seek to permanently delete their patients’ personal data when there is no reasonable business purpose to retain it.

 

Get the top stories on your radio 24/7 on Finger Lakes News Radio 96.3 and 1590, WAUB and 106.3 and 1240, WGVA, and on Finger Lakes Country, 96.1/96.9/101.9/1570 WFLR.