"Medical Company Fined $450,000 by New York AG Over Data Breach"

The attorney general of the state of New York recently announced that a medical company has been fined $450,000 over a data breach resulting from a ransomware attack.  According to the New York AG's office, US Radiology Specialists, a major private radiology group, was targeted in a ransomware attack in December 2021.  The incident resulted in the personal and health information of nearly 200,000 patients, including 92,000 New Yorkers, getting compromised.  The compromised information included names, dates of birth, driver's license numbers, passport numbers, social security numbers, patient IDs, health insurance IDs, and information on medical exams and diagnosis.  The cybercriminals entered the company's network after gaining access to a SonicWall security appliance using valid credentials.  While it could not be confirmed, the attackers may have obtained the credentials by exploiting a SonicWall product vulnerability that had been patched by the vendor in early February 2021 after it was spotted being exploited in the wild.  The vulnerability, identified as CVE-2021-20016, got a lot of attention at the time, but the NY AG said US Radiology had failed to secure its SonicWall system.  The NY AG noted that the company was supposed to replace outdated SonicWall hardware, on which the vulnerability could not be patched, in July 2021, but the process was delayed due to "competing priorities and resource restraints." The NY AG said US Radiology has agreed to pay the $450,000 fine for its poor cybersecurity practices and its failure to protect patient data.  In addition to the fine, the healthcare company has promised to enhance its information security program, create a program for more efficiently replacing or updating IT assets, encrypting patient information, developing a penetration testing program, and implementing policies and procedures for permanently deleting patient data that is no longer needed.

 

SecurityWeek reports: "Medical Company Fined $450,000 by New York AG Over Data Breach"

Submitted by Adam Ekwall on