Breach Notification , Cybercrime , Fraud Management & Cybercrime

Radiology Practice Hack Affects Sensitive Data of 512,000

A Minnesota-based specialty radiology practice is notifying more than 500,000 individuals that their sensitive information was accessed and potentially acquired by hackers earlier this year.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

The incident is one of several major health data breaches radiologists reported to regulators in recent months as affecting hundreds of thousands of patients.

Eden Prairie, Minnesota-based Consulting Radiologists Ltd. in a report to Maine's attorney general on June 14 said nearly 512,000 individuals, including 47 Maine residents, were affected by its recent "external system" hacking breach.

CRL, a physician-owned practice providing teleradiology-based interpretation services for over 100 healthcare facilities in Minnesota and surrounding areas, said it discovered the incident when the practice detected unusual activity in its network environment on Feb. 12.

CRL said it promptly took steps to secure its network and engaged a specialized cybersecurity firm to investigate the nature and scope of the incident.

"As a result of the investigation, CRL learned that an unauthorized actor accessed certain files and data stored within our network. Upon learning this, CRL began a time-consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to understand whose information was affected."

On April 17, CRL identified the individuals whose data was affected in the incident. Information that was "potentially accessed or acquired" includes name, birthdate, address, health insurance information and medical information.

Small subsets of patients also had their Social Security number or driver's license number affected, and another small subset included face sheets and imaging reports, CRL said. The type of information compromised varies among individuals, CRL said.

"At this time, we have no evidence any of the information has been misused by a third party," the practice said in a breach notice posted on its website. CRL is offering 12 months of complimentary identity and credit monitoring to affected individuals.

To help prevent future similar incidents, CRL said it has deployed additional monitoring tools and will continue to enhance the security of its systems.

An attorney representing CRL in its notification to Maine's attorney general did not immediately respond to Information Security Media Group's request for additional details about the breach, including whether the incident involved ransomware or extortion demands.

The CRL incident is the latest large hacking breach reported by radiology practices to regulators so far this year.

As of Wednesday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool shows the largest of such radiology breaches so far in 2024 is a hacking incident involving data exfiltration reported by North Carolina-based Eastern Radiologists Inc. on Feb. 29 as affecting nearly 887,000 individuals.

Washington state-based Yakima Valley Radiology reported to HHS' Office for Civil Rights on March 1 a hacking incident affecting more than 235,000 individuals.

To date, the largest hack on a medical imaging provider was reported to HHS OCR in 2022 by Massachusetts-based Shields Health Care Group as affecting more than 2 million patients (see: Hack on Medical Imaging Provider Affects Data of 2 Million).

Shields faces a consolidation of seven proposed class action lawsuits in a Massachusetts federal court in relation to that incident.

Contributing Factors

Experts cite a variety of reasons why radiology practices and medical imaging centers are prime targets for cybercriminals.

"Healthcare is known to have looser security than other regulated industries such a banking. And within this sector, outpatient clinics are perceived to have even weaker security in place than health plans and larger facilities," said Kate Borten, president of privacy and security firm The Marblehead Group.

"Radiology may stand out because these sites have all the usual health information, plus high volumes of images," she said. "Although the main goal for attackers is usually quick, easy money, creative bad guys could use the images for more nefarious purposes, such as patient blackmail and fraudulent billing," she said.

Medical imaging and other radiology centers are an attractive target for hackers for other reasons too, said Tom Walsh, president of privacy and security consultancy tw-Security.

"There is no easy way to encrypt images. Radiology images usually have limited patient identifiers included with the image such as patient name, medical record number, age, sex, etc.," he said.

"There have been cases where a 'good' image is sold on the black market to help people who need a 'good' image for certain purposes," he said. That includes passing a physical exam that includes medical images in order to qualify for a job or to apply for a visa to work or live in another country, he said.

"Desperate people will pay to cheat the system. It’s supply and demand," he said.

While encryption for images may not be feasible, other compensating controls should be put into place, such as multifactor authentication to gain access to a picture archiving and communications system or a radiology information system, "where the dictated reports are stored and have the most confidential information," Walsh said.

"Radiology is one of the busiest departments in a hospital. Sometimes compromises in security are made to accommodate the busy radiologist and make the jobs easier," he said. "But what is convenient for the users is sometimes convenient for the attacker."

Besides the serious data privacy and security concerns involving radiology breaches, patient safety is another top worry in such attacks, Borten said.

"An attack on the network could lead to device tampering, potentially affecting some or all results," Borten said.

"This would be truly evil since unless caught, it could directly affect patient care," she said. "Fear of such an outcome could prompt an organization to pay a heavy ransom."