US Radiology Fined $450k by NY Attorney General After Ransomware Attack Caused by Unpatched Bug

    US Radiology, one of the largest private radiology companies in the nation, faces a significant penalty of $450,000 following a ransomware attack in 2021. This attack compromised sensitive information from nearly 200,000 patients. In this article, we delve into the details of the incident, its repercussions, and the broader implications for data security.

    The Ransomware Attack and Vulnerability

    In 2021, US Radiology fell victim to a ransomware attack that exposed the personal data of nearly 200,000 patients. The incident resulted from the company’s failure to address a known security vulnerability that SonicWall, a security vendor, had announced in January 2021. That vulnerability, CVE-2021-20016, was exploited by ransomware groups in multiple cyberattacks.

    Zero-Day Vulnerability and Delayed Remediation

    The breach occurred because US Radiology could not install the critical firmware patch for the zero-day vulnerability: its SonicWall hardware had reached end-of-life status and was no longer supported, so no fix was available for it. Although the company had planned to replace this hardware in July 2021, the project was delayed by competing priorities and resource constraints.
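    The failure mode described above is an asset for which a vendor-announced, actively exploited vulnerability has no installable fix because the hardware is past end of life, leaving replacement or isolation as the only remediation. The following Python check is an added example, not code from the article, from US Radiology or from SonicWall: it runs over a small asset inventory and classifies each device's exposure to each advisory, so that "no fix and end of life" items surface at the top with the number of days they have been exposed. Only the identifier CVE-2021-20016 and its January 2021 announcement come from the article; the product names, firmware versions, exact dates, the second (placeholder) CVE and the assessment date are constructed for the example.

```python
"""Exposure check for vendor advisories against an asset inventory.

Added example (not from the article). Every product, firmware version and
date below is constructed; the only identifier taken from the article is
CVE-2021-20016, announced in January 2021 (the exact day is constructed).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    product: str                   # product line that advisories key on
    firmware: str                  # installed firmware, dotted numeric version
    end_of_life: Optional[date]    # None while the product is still supported


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    published: date
    fixed_firmware: Optional[str]  # None when the vendor ships no fix for this line
    known_exploited: bool


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1' into (10, 2, 1); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in version.split("."))


def classify(asset: Asset, advisory: Advisory, today: date) -> Optional[Dict]:
    """Return a finding for one asset/advisory pair, or None if it does not apply."""
    if asset.product != advisory.product:
        return None
    fix = advisory.fixed_firmware
    if fix is not None and version_tuple(asset.firmware) >= version_tuple(fix):
        status = "patched"
    elif fix is not None:
        status = "patch_available"        # fix exists but is not installed
    elif asset.end_of_life is not None and asset.end_of_life <= today:
        status = "no_fix_eol"             # only replacement or isolation closes the gap
    else:
        status = "no_fix_pending"         # supported hardware still waiting on the vendor
    days_exposed = 0 if status == "patched" else (today - advisory.published).days
    return {"asset": asset.name, "cve": advisory.cve, "status": status,
            "days_exposed": days_exposed, "known_exploited": advisory.known_exploited}


def assess(assets: List[Asset], advisories: List[Advisory], today: date) -> List[Dict]:
    """All applicable findings, worst first: exploited, then unfixable, then longest exposed."""
    findings = []
    for asset in assets:
        for advisory in advisories:
            finding = classify(asset, advisory, today)
            if finding is not None:
                findings.append(finding)
    severity = {"no_fix_eol": 0, "no_fix_pending": 1, "patch_available": 2, "patched": 3}
    findings.sort(key=lambda f: (not f["known_exploited"], severity[f["status"]], -f["days_exposed"]))
    return findings


# Constructed advisory data. CVE-0000-0001 is a placeholder identifier, not a real CVE.
ADVISORIES = [
    Advisory("CVE-2021-20016", "edge-vpn-gen1", date(2021, 1, 23), None, True),
    Advisory("CVE-2021-20016", "edge-vpn-gen2", date(2021, 1, 23), "10.2.1", True),
    Advisory("CVE-0000-0001", "core-switch", date(2021, 3, 1), "8.1.0", False),
]

# Constructed inventory: gen1 appliance went end of life before the advisory.
ASSETS = [
    Asset("vpn-edge-01", "edge-vpn-gen1", "9.0.0", date(2020, 11, 30)),
    Asset("vpn-edge-02", "edge-vpn-gen2", "10.2.0", None),
    Asset("vpn-edge-03", "edge-vpn-gen2", "10.2.1", None),
    Asset("sw-core-01", "core-switch", "8.0.3", None),
]

TODAY = date(2021, 7, 1)   # constructed assessment date


if __name__ == "__main__":
    for f in assess(ASSETS, ADVISORIES, TODAY):
        flag = "EXPLOITED" if f["known_exploited"] else "         "
        print(f'{flag} {f["asset"]:12} {f["cve"]:15} {f["status"]:16} {f["days_exposed"]:4d} days')
```

    The ordering is the point: the end-of-life appliance with no fix and a known-exploited CVE sorts above a device that merely has an uninstalled patch, which is the case a replacement project competing for resources needs to see first.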

    Impact and Data Breach

    The breach allowed threat actors to gain access to a wide range of sensitive patient information, including names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, health insurance ID numbers, driver’s license numbers, passport numbers, and Social Security numbers.

    Penalties and Compliance Measures

    In addition to the substantial $450,000 penalty, US Radiology must take several corrective actions. These include upgrading its IT network, hiring a dedicated data security manager, encrypting all sensitive patient information, establishing a robust penetration testing program, and implementing policies for the responsible deletion of patient data when retention serves no reasonable business purpose. Moreover, the company must submit compliance reports to the state for two years.

    Broader Implications

    The US Radiology fine is symbolic of a growing trend: Attorney General Letitia James and other authorities increasingly impose penalties on companies that fail to adequately safeguard customer data. The development follows New York Governor Kathy Hochul’s announcement of changes to state cybersecurity rules, which require regulated entities to report ransomware payments and adopt additional measures to protect customer data. Together, these steps reflect a broader movement to hold organizations accountable for protecting consumer data and to bolster cybersecurity across sectors.

    In conclusion, the US Radiology case serves as a stark reminder of the importance of robust data security practices. The ramifications of data breaches are substantial, and authorities are taking proactive measures to ensure that companies prioritize cybersecurity and protect sensitive customer information.
