NY AG imposes $450,000 penalty on US Radiology after unfixed bug leads to ransomware attack


One of the nation’s largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the disclosure of sensitive information on nearly 200,000 patients.

In a settlement announced Wednesday, New York Attorney General Letitia James said US Radiology failed to address a vulnerability announced by security company SonicWall in January 2021.

US Radiology used the company’s firewall to protect its network and provide managed services to several of its partner companies, including Windsong Radiology Group, which has six facilities in Western New York.

The vulnerability highlighted by the Attorney General… CVE-2021-20016 – was used by ransomware gangs in several attacks. US Radiology was unable to install the zero-day firmware patch because its SonicWall hardware was end-of-life and no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed “due to competing priorities and resource constraints.”

The vulnerability was never patched and the company was attacked by an anonymous ransomware gang on December 8, 2021.

“Once the threat actor gained access to the VPN, he used 101 additional credentials to access various network data records over the following week,” New York prosecutors said.

“Although a subsequent forensic investigation could not definitively determine how the threat actor initially obtained the credentials to access the SonicWall VPN, the vulnerability identified by the NCC Group in January 2021 would have may have allowed the malicious actor to capture the stored username, password, and other session information. on the SonicWall server through a process called SQL injection.

An investigation determined that the hacker was able to access files containing names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or the health insurance identification numbers of 198,260 patients.

The data exposed in the incident also included the driver’s license numbers, passport numbers and Social Security numbers of 82,478 New Yorkers.

“When patients visit a medical facility, they have the right to know that their personal information will not be compromised while they receive care. » said Attorney General James.

“US Radiology failed to protect New Yorkers’ data and was vulnerable to attacks due to its outdated equipment. With cyberattacks on the rise and more sophisticated scams aimed at stealing private data, I urge all businesses to make necessary upgrades and security patches to their IT hardware and systems.

In addition to the $450,000 penalty, the company will have to upgrade its computer network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program .

The company will have to delete patient data “when there is no reasonable business purpose for retaining it” and submit compliance reports to the state for two years.

James used his position to impose heavy sanctions on several companies accused of failing to protect customer data before the cyberattacks.

Last month, it forced Long Island health care company Personal Touch to pay a $350,000 fine for failing to secure the data of 300,000 New Yorkers. In September, James used a regulation to force a local college to invest $3.5 million in cybersecurity after a 2021 data breach leaked tons of sensitive information on nearly 200,000 people.

James and other attorneys general joined forces to fine companies like a software company Noirbaudclothing giant Shein, Carnival cruisesthe grocery chain Wegmanand more.

The fine imposed on American radiologists comes just days after that of New York Governor Kathy Hochul. changes announced to set out cybersecurity rules that require regulated entities to report ransomware payments and take other steps to secure customer data.

“The new rules build on our risk-based approach to integrating cybersecurity with improved governance, more robust access controls and assessments, updated reporting rules, including for ransomware, and staff training requirements. These regulations raise the bar for cyber resilience,” said New York State Cybersecurity Chief Colin Ahern.

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Leave a comment