Radiology IT Vendor Hack Hits 4 Practices, 411,000 People – Source: www.databreachtoday.com

Breach Notification
,
Healthcare
,
HIPAA/HITECH

Tennessee-Based Specialty Networks Incident Is Latest Attack on Business Associates

Marianne Kolbasuk McGee (HealthInfoSec) •
September 3, 2024    

A vendor that provides information systems and transcription services to radiology practices is alerting 411,037 people of a hack discovered last December involving the theft of sensitive data. The firm already faces at least four proposed federal class action lawsuits related to the hack.

See Also: Live Webinar | Building a More Resilient Healthcare Enterprise and Ecosystem

The breach, reported to federal regulators Aug. 15 by Chattanooga, Tennessee-based Specialty Networks, is the latest in a series of hacks of HIPAA-regulated business associates. Specialty Networks in a breach statement said the incident also affected several clients including Prime Imaging; Diagnostic Radiology Consultants, P.A.; Allied Mobile; and Videre Diagnostics.

Specialty Networks said it spotted unusual activity in its network on Dec. 18, 2023, and immediately took steps to secure the network and engage a digital forensics and incident response firm to conduct an investigation.

The investigation revealed that a week before the discovery, around Dec. 11, a threat actor acquired some data stored within Specialty Networks’ systems.

Specialty Networks then undertook a comprehensive review of the potentially affected data and on May 31 determined that some personal and protected health information may have been affected.

Specialty Networks said it then notified the affected healthcare providers and around June 24 coordinated its notification efforts with them and verified the information and mailing addresses for people affected by the breach.

Information potentially compromised in the incident includes name, birthdate, driver’s license number, Social Security number, medical record number, treatment and condition information, diagnoses, medications and health insurance information.

The company is offering 12 months of complementary identity and credit monitoring to those affected.

Specialty Networks said it reported the incident to the FBI and has taken “additional steps to prevent a similar event from occurring in the future.”

In the last two weeks, at least four proposed class action lawsuits have been filed against Specialty Networks in a federal Tennessee court.

The lawsuits all make similar allegations, including that Specialty Networks was negligent in failing to safeguard the sensitive information of patients, including data pertaining to minors, putting them at risk for identity theft and fraud crimes.

The lawsuits all seek similar relief, including financial damages and court orders for Specialty Networks to improve its data security practices.

Specialty Networks did not immediately respond to Information Security Media Group’s request for comment on the lawsuits and for additional details about the hack, including the type of cyberattack.

The
complaint filed on Aug. 20 by Daniel Smith, a lead plaintiff in one of the lawsuits filed against Specialty Networks, indicates he was a patient of Chattanooga, Tennessee-based medical imaging services provider Prime Imaging.

Prime Imaging did not immediately respond to ISMG’s request for comment on the incident. A staff member of Prime Imaging told ISMG that Specialty Networks “runs” its IT systems.

Specialty Networks said in its breach statement that in addition to radiology information systems and transcription services, it provides enterprise practice management solutions to medical facilities.

As of Tuesday, the Specialty Networks hack ranks among the 25 largest health data breaches reported so far this year to the U.S. Department of Health and Human Services. The 471 major breaches reported so far to HHS’ Office of Civil Rights this year affected more than 54.1 million individuals.

Of those, 159 breaches – including the Specialty Networks hack – were linked to business associates, according to HHS OCR’s HIPAA Breach Reporting Tool website. Those business associate breaches affected nearly 22.8 million individuals.