ACR Bulletin

Covering topics relevant to the practice of radiology

Delving Into Data Breaches

ACR members should conduct a data security audit to stay out of legal trouble.

October 26, 2022

A famous commercial memorably closed with “American Express — don’t leave home without it.” That pitch resonates in the cybersecurity space. Why? Patient data are vital to so many individuals, including ACR members. Yet, it has left the digital “home” of too many healthcare stakeholders in 2022. Reports of patient data breaches dominate health news.

Radiology has confronted this challenge, with some practices and related organizations enduring breaches and addressing their legal and reputational impact.1 In this column, we focus on a recent court ruling in a class-action case against a radiology group and a radiology services company that involved a breach of patient data, and we analyze the case's implications for members and their practices. The main takeaway is to safeguard your patients' data and to prepare for potential government inquiries and private lawsuits.

The case involves Northeast Radiology PC and Alliance HealthCare Services in federal court in New York state.2 Northeast is a radiology practice with locations in New York state and Connecticut. Alliance is an outpatient imaging company that owns and operates more than 80 radiology and oncology centers throughout the United States. Northeast and Alliance formed a partnership in which Northeast’s New York and Connecticut offices joined Alliance’s radiology division and now function as Alliance fixed-site locations.3

An independent cybersecurity analysis in 2019 identified “major flaws” in Northeast’s and Alliance’s PACS that allowed “unauthorized access to more than 1.2 million patients’ medical records.”4 The researchers analyzed 2,300 PACS, including those of Northeast and Alliance.5 This supposed gap involved “at least 61 million X-rays, CT scans, MRIs, and/or other imaging studies that contained extremely sensitive electronic protected health information (e-PHI) — such as medical test results, diagnoses, and procedure descriptions — in addition to patients’ names, Social Security numbers, dates of birth, and addresses.”6

The researchers subsequently informed journalists of their work. A January 2020 article about the exposure named Northeast and Alliance and described their deficient security controls, including a lack of encryption and of password protection, that apparently left the 1.2 million records reachable on the Internet. These reports apparently motivated an earlier class-action lawsuit against Northeast Radiology, filed in February 2020 in New York federal court. The plaintiff in that case eventually agreed to dismiss the lawsuit after Northeast contested the allegations.7

In March 2020, Northeast and Alliance notified patients about a significant data breach that had occurred over a period of at least nine months. The companies disclosed that they had investigated the breach and determined that unauthorized individuals had accessed at least 29 patients' information. But Northeast and Alliance could not pinpoint how many of the "[o]ther patients' information … also available on the [PACS] was compromised."8 Government agencies entered the picture because Northeast and Alliance alerted the New York and Connecticut Offices of the Attorney General. The attorneys general of both states then investigated the breach.

Based on these developments, two individuals who had imaging at Northeast between 2016 and 2019 brought a class-action lawsuit against Northeast and Alliance in July 2021. These plaintiffs alleged that the defendants negligently failed to protect their data and the data of other individuals who had obtained imaging services from the defendants. Notably, the plaintiffs claimed that the security researchers had advised Northeast and Alliance of their discoveries, but that the defendants had disregarded the findings. The allegedly deficient PACS posed an "ongoing imminent risk of identity theft and fraud because, unlike a credit card, there is no way to cancel e-PHI."9 The plaintiffs asserted that had they realized the defendants failed to use adequate security measures, they would have gone elsewhere for imaging.10 However, the plaintiffs alleged no actual misuse of patient data.

The trial court granted a motion from Northeast and Alliance to dismiss in May 2022. The court ruled that the plaintiffs failed to establish standing, that is, the right to bring the claim in federal court. To have standing, plaintiffs must show a concrete injury actually caused by the defendant's conduct; an abstract risk is not enough. The court relied on a 2021 U.S. Supreme Court decision which held that a plaintiff must show that "exposure to the risk of future harm itself causes a separate concrete harm."11 Here, the plaintiffs failed to show that third parties actually misused or attempted to misuse their health data.12

The court further determined that plaintiffs offered no evidence the data breach was “a targeted attempt to perpetuate identity theft.”13 Consequently, it held that the risk of actual harm was too remote. The plaintiffs initially appealed the ruling but withdrew their appeal in August 2022.

ACR members might believe this case means data breach lawsuits generally will lose. Not necessarily. The radiology practice and its radiologists prevailed. But they still suffered a data breach, incurred legal fees, and lost time. Additionally, the lawsuit may well raise questions in the minds of current and future patients about the integrity of their data at the radiology practice.

You may be required to report data breaches at your practice to federal and/or state authorities. Under the HIPAA Breach Notification Rule, a breach of unsecured PHI affecting 500 or more individuals must be reported to the U.S. Department of Health and Human Services without unreasonable delay and no later than 60 days after discovery, and most states impose their own notification deadlines. A report may lead to a HIPAA and/or a state investigation under privacy and data security laws. The HIPAA regulator — the HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules — could impose significant fines and force your practice to take remedial actions.

Just as troubling, class actions have emerged as another threat to members and their practices. Several law firms have sought to capitalize on data breaches by advertising for clients.14

How to act? Retain qualified counsel and IT professionals. Conduct a data security audit to learn where your strengths and vulnerabilities lie; the HIPAA Security Rule already requires covered entities to perform and document a risk analysis of this kind. You can tailor it to your practice, but given the facts of this case it should at minimum confirm that your PACS and any DICOM endpoints are not reachable from the Internet without authentication and encryption, and that access to imaging studies is logged so you can determine what was accessed if a breach occurs. Reasonable steps will help you stay ahead of the legal curve — and out of the courtroom.

ENDNOTES

  1. The HIPAA Guide, "2 Million-Record Data Breach Reported by Massachusetts Medical Imaging Services Provider" (June 7, 2022).
  2. Jose Aponte II and Lisa Rosenberg, individually and on behalf of all other persons similarly situated, v. Northeast Radiology, P.C. and Alliance HealthCare Services, Inc. (Case No. 7:21-cv-05883-VB; S.D.N.Y., July 8, 2021).
  3. Ibid., at 7. In 2021, Akumin, an outpatient radiology platform with over 120 imaging centers in its network, acquired Alliance.
  4. Ibid., at 2.
  5. Ibid., at 1.
  6. Ibid.
  7. Bryan Cohen, individually and on behalf of all other persons similarly situated, v. Northeast Radiology, P.C. (Case No. 7:20-cv-01202-VB; S.D.N.Y., February 11, 2020).
  8. Ibid., at 3.
  9. Ibid., at 5.
  10. Ibid., at 3.
  11. Opinion and Order, Aponte and Rosenberg, et al. v. Northeast Radiology, P.C. and Alliance HealthCare Services, Inc., at 5.
  12. Ibid.
  13. Ibid.
  14. Jessica Davis, "Attorneys line up to take on healthcare breach lawsuits, amid hopes of substantial payouts," SC Media (May 4, 2022).

Authors: Bill Shields, JD, LLM, CAE, general counsel, and Tom Hoffman, JD, CAE, vice president, ACR Legal