The lawyer basic of the state of New York introduced on Wednesday {that a} medical firm has been fined $450,000 over a data breach ensuing from a ransomware assault.
Based on the New York AG’s workplace, US Radiology Specialists, a serious non-public radiology group, was focused in a ransomware assault in December 2021. The incident resulted within the private and well being info of almost 200,000 sufferers, together with 92,000 New Yorkers, getting compromised.
The compromised info included names, dates of start, driver’s license numbers, passport numbers, social security numbers, affected person IDs, medical insurance IDs, and knowledge on medical exams and analysis.
An investigation of the US Radiology breach confirmed that cybercriminals entered the corporate’s community after having access to a SonicWall security equipment utilizing legitimate credentials.
Whereas it couldn’t be confirmed, the attackers might have obtained the credentials by exploiting a SonicWall product vulnerability that had been patched by the seller in early February 2021, after it was noticed being exploited within the wild.
The vulnerability, recognized as CVE-2021-20016, acquired lots of consideration on the time, however the NY AG stated US Radiology had didn’t safe its SonicWall system. The corporate was supposed to interchange outdated SonicWall {hardware} — on which the vulnerability couldn’t be patched — in July 2021, however the course of was delayed as a result of “competing priorities and useful resource restraints”.
The NY AG stated US Radiology has agreed to pay the $450,000 high-quality for its poor cybersecurity practices and its failure to guard affected person knowledge.
Along with the high-quality, the healthcare firm has promised to boost its info security program, create a program for extra effectively changing or updating IT belongings, encrypting affected person info, creating a penetration testing program, and implementing insurance policies and procedures for completely deleting affected person knowledge that’s not wanted.
Over the previous yr, the New York lawyer basic has fined a number of medical and different sorts of organizations over data breaches impacting a big variety of people.
