Northeast Radiology, P.C. and Alliance HealthCare Services, Inc. have been hit with a proposed class action that claims the healthcare providers have failed to protect patients’ sensitive personal and medical information from unauthorized access.
According to the lawsuit, independent cybersecurity research firm Greenbone Networks uncovered in mid-2019 “major flaws” in the defendants’ medical archiving system that exposed 1.2 million patients’ medical records to the general public. The case claims that the defendants’ inadequate security systems and failure to respond to Greenbone’s findings allowed unauthorized parties to access patient information, including names, Social Security numbers, dates of birth, addresses, x-rays, CT scans, MRIs, medical test results, diagnoses and procedure descriptions, for “at least nine months between April 14, 2019 and January 7, 2020.”
Per the suit, the “careless handling” of patients’ protected health information by Northeast Radiology and parent company Alliance is a violation of state and federal laws, and “directly resulted” in injury, including an “ongoing imminent risk of identity theft and fraud,” to those affected.
Northeast Radiology, through a partnership with Alliance, offers screening and diagnostic imaging services at four locations in New York and Connecticut, the case relays. According to the suit, the defendants use a picture archiving and communication system (PACS) to store medical images and related patient information that can be accessed through the Internet to allow patients and referring physicians to review the data. The lawsuit alleges, however, that the defendants have failed to follow industry standards as far as the security of their PACS “and simply connected their network and servers to the public Internet without utilizing passwords, firewalls, or VPNs to protect patients’ data.”
The case relays that Greenbone Networks, between July and September 2019, conducted an analysis of 2,300 PACS, including that of the defendants, and found that Northeast Radiology and Alliance’s system permitted unauthorized access to millions of patients’ medical records. Though the Greenbone team notified the defendants “as early as December 2019” of their findings, the healthcare companies “ignored them,” the suit alleges.
According to the complaint, the results of Greenbone’s investigation were published in a January 2020 TechCrunch article, after which a class action was filed against the defendants in February 2020 over their apparent failure to secure patients’ data. Nevertheless, Northeast Radiology and Alliance denied that a data breach had occurred and instead “attempted to discredit the complaint’s allegations” as based “largely on news accounts,” the suit says.
It wasn’t until March 2020 that the defendants admitted to the Connecticut Office of the Attorney General that Alliance had been made aware of the data breach and discovered in January 2020 that sensitive information had been accessed, the lawsuit relays. Per the case, a press release issued on March 11 “was the first time Defendants publicly disclosed” that unauthorized individuals had gained access to the healthcare providers’ PACS and compromised the sensitive information of at least 29 individuals, though the scope of the breach was not fully determined.
Per the suit, the defendants’ database, described by Greenbone as “the largest cache of unsecured medical data in the U.S.,” was unencrypted and accessible “without a password through the public internet using publicly available, free tools.” Greenbone, the case says, estimated that the value of the data “would exceed $1 billion on the ‘dark web’,” and that the damages resulting from the “potential risk for medical identity theft” would amount to roughly $3.3 billion.