Northeast Radiology and its vendor Alliance HealthCare Services have been hit with a class-action lawsuit over a data breach that lasted at least nine months and was caused by vulnerabilities in their picture archiving and communication system (PACS).
Filed by some of the 298,532 patients claiming to have been affected by the breach, the suit accuses the two companies of inadequate security measures and negligence per se that led to the breach, which was reported in March 2020, according to SC Magazine.
“The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, like defendants, and their business associates to safeguard patient e-PHI through a multifaceted approach,” said the plaintiffs in the suit.
Alliance told HCB News that an investigation turned up no evidence to show that any personal information was misused by unauthorized individuals, nor that any instances of fraud or identity theft took place. “Alliance is disappointed that a complaint has been brought forward, and we believe the claims are unfounded. We intend to vigorously defend the company in this matter.”
According to the suit, Dirk Schrader, global vice president at New Net Technology, told Alliance and Northeast Radiology that flaws in their PACS were exposing at least 61 million X-rays, CT scans, MRIs and other medical imaging studies containing ePHI. The suit claims that Northeast Radiology and Alliance failed to respond, and that the vulnerabilities remained unfixed despite multiple media reports.
Northeast says it became aware of the breach in January 2020 and launched an investigation, which showed that 29 individuals' information had been accessed by unauthorized users. In March, Northeast Radiology notified the affected patients and, as a precaution, everyone else whose information was stored on the server. It said Alliance Health had by then traced the cause of the exposure and found that attackers had been accessing a PACS holding stored ePHI for at least nine months, between April 2019 and January 2020. The potentially compromised data included Social Security numbers, dates of birth, exam descriptions and identifiers, dates of service and medical record numbers.
The lawsuit accuses Northeast Radiology and Alliance of causing direct injury to the affected patients by failing to comply with HIPAA and state laws, and of exposing them to an ongoing risk of identity theft and fraud. It points to the continued targeting of hospitals and other healthcare entities by multiple threat actors seeking ePHI, and to the weaponization of medical data for financial fraud and other cybercrimes.
It also says that the defendants failed to notify patients in a timely manner; did not comply with FTC requirements or adopt data security measures in accordance with state laws; and breached their common-law duty of reasonable care in receiving, maintaining, storing and deleting the ePHI in their possession.
The plaintiffs are calling for a period of discovery into Northeast Radiology's and Alliance's security policies and procedures, the disclosed vulnerabilities, and the communication between the two companies, in order to substantiate these claims. They are also seeking compensatory and consequential damages arising from the incident, along with injunctive relief that would require Northeast Radiology and Alliance to strengthen their data security systems and monitoring procedures.
In addition, the suit asks that the defendants be required to submit to future audits of their systems and to provide free credit monitoring and identity theft insurance to all breach victims.