Medical Company Fined $450,000 by New York AG Over Data Breach

November 9, 2023 at 11:49AM

US Radiology Specialists, a major private radiology group, has been fined $450,000 by the attorney general of New York over a data breach caused by a ransomware attack. The breach compromised the personal and health information of nearly 200,000 patients, including 92,000 New Yorkers. The attackers entered the company's network through a SonicWall security appliance, logging in with valid credentials that they likely obtained by exploiting a vulnerability the vendor had already patched. US Radiology has agreed to pay the fine and to implement additional cybersecurity measures. The New York attorney general has penalized several other organizations for data breaches in the past year.

Key Takeaways:

1. US Radiology Specialists, a major private radiology group, has been fined $450,000 by the New York attorney general’s office following a data breach resulting from a ransomware attack.
2. The attack occurred in December 2021 and exposed the personal and health information of nearly 200,000 patients, including 92,000 New Yorkers.
3. The compromised information included sensitive data such as names, dates of birth, driver's license numbers, passport numbers, Social Security numbers, patient IDs, health insurance IDs, and medical exam and diagnosis details.
4. The attackers gained access to US Radiology's network through a SonicWall security appliance, authenticating with valid credentials after exploiting a vulnerability in the device.
5. The vulnerability (CVE-2021-20016) is an SQL injection flaw in SonicWall's SMA 100 series that lets an unauthenticated remote attacker read credentials and session information, which is consistent with the attackers then logging in with valid credentials. SonicWall had released a fix in February 2021, but US Radiology had not applied it to its SonicWall system.
6. The company was supposed to replace outdated SonicWall hardware in July 2021, but the process was delayed.
7. US Radiology has accepted the $450,000 fine for its inadequate cybersecurity measures and failure to protect patient data.
8. As part of the resolution, US Radiology has committed to improving its information security program, implementing a more efficient process for replacing or updating IT assets, encrypting patient information, developing a penetration testing program, and establishing procedures for permanently deleting unnecessary patient data.
9. The New York attorney general has previously fined other organizations for significant data breaches, and the article also cites recent penalties imposed by other regulators.
– Blackbaud, a nonprofit service provider, settled a data breach case with a group of states, including New York, for $49.5 million.
– Equifax was fined $13.5 million for its 2017 data breach.
– TikTok received a fine of roughly $368 million (€345 million) from Ireland's Data Protection Commission under Europe's GDPR; that action was taken by a European regulator, not by the New York attorney general.