A radiology firm and its vendor are facing a class-action lawsuit filed in the U.S. District Court for the Southern District of New York. The suit alleges that the companies failed to protect their Picture Archiving and Communication System (PACS), which held patients' protected health information (PHI) and medical images.
In 2019, security researchers discovered vulnerabilities in the PACS used by clinics, hospitals, and radiology firms to store and share medical images and related data. The researchers analyzed over 2,300 medical images and found that they contained sensitive patient information. In December 2019, the researchers notified the affected companies, including Northeast Radiology and its vendor Alliance Health, about the exposed data.
The two companies used medical image archiving software that allowed unauthorized persons to access medical images and PHI. The researchers discovered 61 million exposed X-rays, MRIs, and CT scans containing PHI such as names, medical record numbers, dates of service, test results and, in some cases, Social Security numbers.
In March 2020, Northeast Radiology reported a PACS-related data breach to the Department of Health and Human Services Office for Civil Rights as affecting 298,532 individuals. According to the breach report, medical images held by Alliance Health were compromised, and hackers had access to its PACS from April 2019 to January 2020.
Two patients filed the lawsuit against Northeast Radiology and Alliance HealthCare for allegedly leaving patient information exposed for more than nine months. According to the complaint, the security researchers informed both companies about the exposure, yet the companies did nothing to secure their PACS.
The lawsuit alleges that the defendants were negligent, that they violated the Health Insurance Portability and Accountability Act (HIPAA) and state data protection laws by carelessly handling patient information and medical images, and that they also breached Federal Trade Commission (FTC) requirements. As a result of these violations, the plaintiffs and class members claim to have suffered direct injury and to face a heightened risk of identity theft and fraud. In addition to the exposure of their PHI, the lawsuit claims that victims of the breach were given inadequate notification.
The plaintiffs seek compensatory and consequential damages as well as injunctive relief, including requiring the companies to improve their data security and monitoring and to submit to future system audits to confirm that their systems are secure. The lawsuit also asks that all class members be provided with credit monitoring and identity theft protection services.
At the end of June, the U.S. Department of Health and Human Services warned 130 hospitals and health systems about vulnerabilities in PACS that had exposed sensitive healthcare information and advised them to take immediate action to ensure their PACS are properly configured and patient information is protected. The PACS used by those hospitals held 275 million medical images, including the PHI of more than 2 million individuals.