The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a financial penalty to Northeast Radiology, P.C. for a HIPAA violation. This is the 4th financial penalty for a HIPAA violation issued by OCR under the Trump administration and the 6th under its risk analysis HIPAA enforcement initiative. The organization, which manages medical imaging centers in New York and Connecticut, agreed to pay $350,000 as a financial penalty to resolve the alleged HIPAA violation and to undertake a corrective action plan to address the problems discovered by OCR's investigation. The settlement agreement requires OCR to monitor Northeast Radiology for two years to ensure compliance with the corrective action plan.
OCR initiated the investigation after Northeast Radiology reported a network server hacking incident that resulted in a data breach on March 11, 2020. The incident affected the electronic protected health information (ePHI) of 298,532 people. In 2019, security researchers discovered problems in the Picture Archiving and Communication Systems (PACS) that clinics, hospitals, and radiology centers use for sharing medical images. Northeast Radiology, along with its vendor Alliance HealthCare Services, was affected by these problems. The researchers informed the two entities about the vulnerabilities in December 2019.
The vulnerabilities potentially permitted unauthorized individuals to view medical images such as X-rays, MRIs, and CT scans, along with the ePHI of patients stored in the PACS. Northeast Radiology investigated and discovered that medical images and ePHI held by Alliance HealthCare Services had been compromised, including names, medical record numbers, test result data, Social Security numbers, and dates of service, and that unauthorized individuals had accessed its PACS from April 2019 to January 2020.
Northeast Radiology and Alliance HealthCare Services faced a class action lawsuit filed in the District Court for the Southern District of New York because of the data breach, but it was dismissed for lack of standing. Although the data breach report submitted to OCR indicated that the data of 298,532 individuals was potentially affected, Northeast Radiology only confirmed access to the data of 29 persons. The two plaintiffs were not included in that group of affected individuals.
OCR's investigation confirmed that Northeast Radiology did not perform a HIPAA-compliant risk analysis as required by the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A). HIPAA-covered entities must carry out an accurate and thorough risk analysis to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Identified risks are subject to a risk management process and must be reduced to a reasonable and appropriate level. A HIPAA risk analysis is necessary to decide how electronic protected health information is stored and secured. Acting Director Anthony Archeval of OCR stated that failing to conduct a risk analysis usually points to a potential HIPAA breach.
The corrective action plan calls for Northeast Radiology to carry out an accurate and thorough risk analysis; create a risk management program to reduce any risks and vulnerabilities identified through the risk analysis; develop and implement a process to routinely review activity logs of IT systems that contain ePHI; create and enforce policies and procedures to comply with the HIPAA Rules; distribute those policies to employees; and update and enhance its HIPAA and security awareness training program for its employees.