Northeast Radiology to pay $350K to resolve data breach

Imaging services provider Northeast Radiology has agreed to pay the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) $350,000 and comply with a corrective action plan (CAP) to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The settlement marks OCR's sixth enforcement action in its "Risk Analysis Initiative," the HHS said in an April 10 update specific to the Northeast Radiology breach of unsecured electronic protected health information (ePHI) that the company reported in March 2020.

Northeast Radiology provides clinical services at medical imaging centers in New York and Connecticut. The company reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on its PACS server, the HHS explained. The company notified 298,532 patients whose information was potentially accessible on the PACS server.

The OCR’s investigation found that the company had failed to conduct an accurate and thorough risk analysis to determine potential risks and vulnerabilities to ePHI in its information systems, the HHS explained. The agreement was not an admission, concession, or evidence of liability by Northeast Radiology, according to the settlement.

According to the HHS, the required corrective actions include a thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; developing and implementing a risk management plan; implementing a process to review records of information system activity; and other steps. The company will also be monitored for compliance for two years.

The OCR recommended that healthcare providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber threats:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate risk analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
 
