PACS vulnerabilities, data breach spur lawsuit against radiology specialists

  • The Danbury, Conn., office of Northeast Radiology. The radiology specialist and its vendor Alliance HealthCare are being sued by patients impacted by its nine-month, PACS-related health care data breach. (Credit: Northeast Radiology)

    Northeast Radiology and its vendor Alliance HealthCare Services are facing a class-action lawsuit, more than a year after reporting a nine-month data breach caused by vulnerabilities in its picture archiving and communication system (PACS).

    The lawsuit was filed in the New York Southern District Court by some of the 298,532 patients impacted by a PACS-related data breach reported in March 2020. The victims allege a host of claims against the specialists that include inadequate security measures and negligence per se.

    The lawsuit follows a recent alert from the Department of Health and Human Services and SC Media reporting that showed more than 130 health systems are actively exposing millions of medical images via PACS and the communication and medical imaging management system known as DICOM, or Digital Imaging and Communications in Medicine.

    PACS are used for archiving and sharing medical images and health information with connected providers and patients. However, the tech holds well-documented vulnerabilities that can enable unauthorized access to sensitive information.

    As Dirk Schrader, global vice president at New Net Technologies, the researcher behind these PACS reports, has stressed, many health systems often bring PACS servers online without ensuring they’re not directly connected to the internet or accessible without authentication.

    The lawsuit details these known security gaps, as well as alleged security failings that led to the breach notice from Northeast Radiology and Alliance Health.

    Beginning in 2019, Schrader shared his research into PACS flaws, which included the two radiology specialists. The research showed Northeast Radiology and Alliance Health were exposing at least 61 million X-rays, CT scans, MRIs, and other medical imaging studies that contained electronic protected health information.

    Schrader notified the specialists of the vulnerabilities and subsequent data leak in December 2019, but the lawsuit claims Northeast Radiology and Alliance did not respond. And despite multiple media reports over the course of the last two years, the PACS vulnerabilities remained intact.

    A previous class-action lawsuit was filed against Northeast Radiology in February 2020, where the specialists repeatedly denied the allegations as based “largely on news accounts” and asserted that a data breach had not occurred.

    Despite denials in court, Northeast Radiology released a breach notice in March 2020 that revealed Alliance Health had indeed already discovered it was exposing medical images. Not only that, but the vendor found hackers had accessed a PACS system that stored ePHI for a period of at least nine months between April 2019 and January 2020.

    The compromised data included Social Security numbers, dates of birth, exam descriptions and identifiers, dates of service, and medical record numbers. Northeast Radiology’s breach notice led the New York and Connecticut attorneys general to open investigations into the specialist and Alliance Health.

    “Such careless handling of e-PHI is prohibited by federal and state law. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, like Defendants, and their business associates to safeguard patient e-PHI through a multifaceted approach,” according to the lawsuit.

    The lawsuit argues that by failing to comply with HIPAA and other state laws, Northeast Radiology and Alliance Health caused direct injury to breach victims — including an ongoing, imminent risk of identity theft and fraud, “because, unlike a credit card, there is no way to cancel e-PHI.”

    HHS previously detailed the severe risk posed by stolen ePHI, such as medical identity theft, the weaponization of medical data, financial fraud, and other cybercrimes. The lawsuit addresses the harm caused by the breach, including the ongoing targeting of hospitals and health care entities to obtain ePHI by multiple threat actors.

    Further, the lawsuit asserts that a period of discovery into Northeast Radiology and Alliance HealthCare’s security policies and procedures, communications between the providers, and disclosed vulnerabilities will demonstrate the severity of these claims.

    The lawsuit also asserts the providers failed to provide breach victims with timely notification about the breach and failed to comply with Federal Trade Commission requirements or to adopt data security measures in accordance with state laws.

    Northeast Radiology and Alliance HealthCare are also accused of violating their common law duty of reasonable care in receiving, maintaining, storing, and deleting ePHI held in their possession.

    “As the breach notification states, Alliance HealthCare ‘retained a leading forensic security firm to assist in its investigation and to evaluate systems and processes to further strengthen protections for the PACS’ after the breach occurred,” according to the lawsuit.

    “[The providers] should have taken these steps beforehand to protect the ePHI in their possession and prevent the breach from occurring, as required under HIPAA, FTC guidelines, and DICOM standards, as well as other state and federal law and/or regulations,” it added.

    The breach victims are seeking compensatory and consequential damages incurred by the security incident, along with injunctive relief that includes requiring Northeast Radiology and Alliance HealthCare to strengthen their data security systems and monitoring procedures.

    The lawsuit also asks the court to require the providers to submit to future audits of their systems and provide free credit monitoring and identity theft insurance to all breach victims.

    The court filing is the first tied to PACS vulnerabilities and the latest health care breach lawsuit, an ongoing challenge for the sector. As previously reported, the recent Supreme Court decision in Ramirez vs. TransUnion establishes the definition for concrete and informational harm and places the onus of providing evidence of harm onto breach victims.

    Failure to demonstrate harm has caused many health care data breach lawsuits to be dismissed, as seen with Brandywine Urology Consultants and Universal Health Services in the last year. In contrast, the lawsuit against Northeast Radiology and Alliance Health provides evidence of harms victims may be facing in light of the exposure, which could allow the case to proceed.

    Health care entities should view the lawsuit, the recent HHS alert, and continued PACS reports as an opportunity to review connected device inventories and connections to ensure all ePHI and systems are secured from unauthorized access.