Consulting Radiologists in Edina, Minnesota, notified 512,000 patients of a cyberattack exposing personal and medical data.
Consulting Radiologists (CRL), a radiology services company in Edina, Minnesota, experienced a cyberattack in February 2024, affecting nearly 512,000 patients. The company provides teleradiology services to over 100 healthcare facilities in Minnesota. Suspicious activity was detected on February 12, 2024, prompting immediate action to secure systems and a third-party cybersecurity investigation, which confirmed unauthorized access to a server containing patient data.
After a thorough investigation, Consulting Radiologists confirmed on April 17, 2024, that the exposed data included names, addresses, dates of birth, medical information, and health insurance information. A smaller subset of patients also had their Social Security numbers, driver’s license numbers, and/or face sheets and imaging reports exposed.
The company has implemented additional monitoring tools to mitigate future risks and is exploring further security measures. Although no misuse of data has been detected, affected individuals have been offered a year of complimentary credit monitoring and related services.
The breach, impacting 511,947 individuals including 47 from Maine, has been reported to the Maine Attorney General.
Learn more: How to notify affected individuals of a breach
When the unauthorized access was detected, an investigation was launched immediately. "As a result of the investigation, CRL learned that an unauthorized actor accessed certain files and data stored within our network. Upon learning this, CRL began a time-consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to understand whose information was affected," says CRL.
While the attackers gained access to patient information, CRL stated in its Notice of Data Privacy Event that it has no indication of any unauthorized use by a third party.
See also: HIPAA Compliant Email: The Definitive Guide
To protect sensitive healthcare information, HIPAA sets out specific requirements that healthcare providers and their business associates must follow when a data breach affects more than 500 individuals. These include notifying the affected individuals and media outlets, informing the Secretary of HHS of the breach, and notifying the relevant business associates involved in processing the affected patient health information. Covered entities must document every breach notification and retain those records for six years. Mitigation and corrective actions must also be taken, such as providing credit monitoring services and strengthening security measures. Non-compliance with HIPAA requirements can result in significant fines and corrective action plans, and the HHS Office for Civil Rights may conduct compliance reviews and investigate breaches.
Go deeper: What are the HIPAA breach notification requirements
Between 2021 and 2023, the number of recorded data breaches rose by 72%, reaching 733 in 2023; healthcare providers accounted for 62.3% of them. These figures point to gaps in the implementation of cybersecurity measures that are undermining the privacy and security of patient information.
The CRL breach is large in scale and may be followed by consequences such as:
Learn more: Tips for cybersecurity in healthcare
Regularly reviewing access and usage logs, conducting audits of PHI handling practices, and using security tools like SIEM systems, DLP solutions, and IDPS can help detect unusual activities and potential intrusions.
Go deeper: Understanding and managing a HIPAA breach
Organizations can implement strong cybersecurity measures, such as encryption, firewalls, regular security audits, employee training, access controls, and incident response plans. Keeping software and systems updated can also prevent data breaches.
Related: Preventing the spread of cybersecurity attacks in healthcare