Minnesota suffers cyberattack impacting 512,000 patients

Consulting Radiologists in Edina, Minnesota, notified 512,000 patients of a cyberattack exposing personal and medical data. 


What happened?

Consulting Radiologists (CRL), a radiology services company in Edina, Minnesota, experienced a cyberattack in February 2024, affecting nearly 512,000 patients. The company provides teleradiology services to over 100 healthcare facilities in Minnesota. Suspicious activity was detected on February 12, 2024, prompting immediate action to secure systems and a third-party cybersecurity investigation, which confirmed unauthorized access to a server containing patient data.

After a thorough investigation, Consulting Radiologists confirmed on April 17, 2024, that the exposed data included names, addresses, dates of birth, medical information, and health insurance information. A smaller subset of patients also had their Social Security numbers, driver’s license numbers, and/or face sheets and imaging reports exposed.

The company has implemented additional monitoring tools to mitigate future risks and is exploring further security measures. Although no misuse of data has been detected, affected individuals have been offered a year of complimentary credit monitoring and related services. 

The breach, impacting 511,947 individuals including 47 from Maine, has been reported to the Maine Attorney General.

Learn more: How to notify affected individuals of a breach


What was said?

When the unauthorized access was detected, an investigation was launched immediately. "As a result of the investigation, CRL learned that an unauthorized actor accessed certain files and data stored within our network. Upon learning this, CRL began a time-consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to understand whose information was affected," says CRL.

While the hackers managed to obtain access to patient information, CRL stated in their NOTICE OF DATA PRIVACY EVENT that they have no indication of any unauthorized use by a third party.

See also: HIPAA Compliant Email: The Definitive Guide


In the know

To ensure the protection of sensitive healthcare information, HIPAA sets forth specific regulations that must be followed by healthcare providers and their business partners when dealing with data breaches affecting over 500 individuals. These measures include notifying affected persons as well as media outlets, informing HHS's Secretary regarding any breach incidents, and notifying relevant business associates involved in processing such patient health information. Covered entities must document all breach notifications and maintain records for six years. Mitigation and corrective actions must be taken, such as providing credit monitoring services and enhancing security measures. Non-compliance with HIPAA requirements may result in significant fines and corrective action plans. The HHS Office for Civil Rights may conduct compliance reviews and investigate breaches.

Go deeper: What are the HIPAA breach notification requirements


Why it matters

Between 2021 and 2023, the number of data breaches rose by 72%, reaching 733 recorded incidents in 2023. Healthcare providers accounted for 62.3% of those incidents. These figures point to a persistent gap in the implementation of cybersecurity measures, one that directly affects the privacy and security of patient information.

The breach affecting CRL is a large one and may be followed by consequences such as:

  • Identity theft and fraud: Cybercriminals can use personal information like Social Security and driver's license numbers for identity theft and fraud, leading to unauthorized financial transactions and the creation of fake identities. The complimentary services of single-bureau credit monitoring, a credit report, and a credit score may help reduce this risk.
  • Medical identity theft: The compromised medical information can be used by criminals to obtain medical services or medications fraudulently. This can lead to incorrect medical records and potential harm to patients' health.
  • Privacy violations: The exposure of sensitive personal and medical information violates patient privacy and can cause distress and anxiety for the affected individuals.
  • Reputational damage: CRL may already be facing reputational damage and lack of trust from patients.
  • Regulatory consequences: The company may face regulatory scrutiny and potential penalties from authorities for failing to protect patient data adequately.

Learn more: Tips for cybersecurity in healthcare


FAQs

How can potential HIPAA breaches be monitored?

Regularly reviewing access and usage logs, conducting audits of PHI handling practices, and using security tools like SIEM systems, DLP solutions, and IDPS can help detect unusual activities and potential intrusions.
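The log review described above can be partly automated. The following is an added example, not code from Paubox or from CRL, and nothing about CRL's actual systems is known here: it assumes a hypothetical PHI access-log format (timestamp, account, action, patient record id, source IP), uses constructed sample lines, and flags an account-day that touches more distinct patient records than an assumed per-day threshold, that is active outside assumed business hours, or that performs bulk export actions. Thresholds, the business-hours window, and the action names are all assumptions to be tuned against a real baseline.

```python
"""Toy PHI access-log review: flag account-days whose activity stands out.

Added illustration only; the log format, thresholds, business-hours window
and action names are assumptions, and the sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (hypothetical format:
# ISO timestamp, account, action, patient record id, source IP).
SAMPLE_LOG = """\
2024-02-11T09:12:03 rad_user1 VIEW_REPORT P1001 10.0.1.15
2024-02-11T09:40:17 rad_user1 VIEW_IMAGE P1002 10.0.1.15
2024-02-11T10:05:44 rad_user2 VIEW_REPORT P1003 10.0.1.22
2024-02-11T14:22:09 rad_user1 VIEW_REPORT P1004 10.0.1.15
2024-02-11T15:01:30 rad_user2 VIEW_REPORT P1005 10.0.1.22
2024-02-12T02:03:11 contractor7 EXPORT P1006 203.0.113.9
2024-02-12T02:03:15 contractor7 EXPORT P1007 203.0.113.9
2024-02-12T02:03:19 contractor7 EXPORT P1008 203.0.113.9
2024-02-12T02:03:24 contractor7 EXPORT P1009 203.0.113.9
2024-02-12T02:03:28 contractor7 EXPORT P1010 203.0.113.9
2024-02-12T02:03:33 contractor7 EXPORT P1011 203.0.113.9
2024-02-12T02:03:37 contractor7 EXPORT P1012 203.0.113.9
"""

# Assumed business-hours window: 07:00 through 19:59.
BUSINESS_HOURS = range(7, 20)


@dataclass
class Entry:
    ts: datetime
    account: str
    action: str
    patient: str
    src_ip: str


def parse_log(text):
    """Parse the hypothetical five-field format; malformed lines are skipped
    rather than aborting the whole review."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) != 5:
            continue
        ts, account, action, patient, ip = parts
        entries.append(Entry(datetime.fromisoformat(ts), account, action, patient, ip))
    return entries


def flag_anomalies(entries, max_patients_per_day=5, bulk_actions=("EXPORT",),
                   after_hours_min=3):
    """Group events by (account, calendar day) and return a finding for each
    group that trips at least one assumed rule, with the reasons listed."""
    per_day = defaultdict(list)
    for e in entries:
        per_day[(e.account, e.ts.date())].append(e)

    findings = []
    for (account, day), evs in sorted(per_day.items()):
        patients = {e.patient for e in evs}
        after_hours = [e for e in evs if e.ts.hour not in BUSINESS_HOURS]
        bulk = [e for e in evs if e.action in bulk_actions]
        reasons = []
        if len(patients) > max_patients_per_day:
            reasons.append(f"{len(patients)} distinct patient records (> {max_patients_per_day})")
        if len(after_hours) >= after_hours_min:
            reasons.append(f"{len(after_hours)} events outside business hours")
        if bulk:
            reasons.append(f"{len(bulk)} bulk {'/'.join(bulk_actions)} actions")
        if reasons:
            findings.append({
                "account": account,
                "day": str(day),
                "src_ips": sorted({e.src_ip for e in evs}),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['day']} {f['account']} from {', '.join(f['src_ips'])}:")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the constructed sample, the two radiologist accounts stay under every threshold and the single finding is the after-hours bulk export by the contractor account from an external address, which is the kind of event a SIEM rule or a weekly audit would surface for follow-up. In a real deployment the thresholds would be derived from each role's historical baseline rather than fixed constants.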

Go deeper: Understanding and managing a HIPAA breach


What best practices can organizations follow to prevent data breaches?

Organizations can implement strong cybersecurity measures, such as encryption, firewalls, regular security audits, employee training, access controls, and incident response plans. Keeping software and systems updated can also prevent data breaches.

Related: Preventing the spread of cybersecurity attacks in healthcare
