Minnesota Cyber Attack Impacts Over 500,000 Patients | Cloudticity

Written by Abby Grifno | Jun 26, 2024 4:49:55 PM

A Minnesota-based radiology service recently released a notice to impacted patients about a cyberattack. 

The Big Picture

Consulting Radiologists LTD, an Eden Prairie, Minnesota-based radiology services company, recently faced a large data breach.

The company has served the Midwest region for over 90 years, providing teleradiology-based interpretation services for 100 healthcare facilities and on-site radiology services at 22 partner hospitals.  

On June 20th, the company reported a data breach stemming from a February 12th incident.

How the Breach Happened

According to their online notice, Consulting Radiologists detected suspicious activity on its network environment on February 12th, 2024. The company said that once the incident was discovered it “promptly took steps to secure its network and engaged a specialized cybersecurity firm to investigate the nature and scope of the incident.” 

The investigation confirmed that an unauthorized user accessed some files and data in the company’s network. Consulting Radiologists said it engaged in a “time-consuming and detailed reconstruction and review of the data stored on the server at the time of the incident to understand whose information was affected.” 

By April 17th, Consulting Radiologists had identified the individuals who were impacted. 

They determined that the following information was involved: names, dates of birth, addresses, health insurance information, and medical information. For some, Social Security numbers or driver’s license numbers were also impacted.  

Consulting Radiologists said it is now “reviewing and enhancing its existing policies and procedures related to data privacy to reduce the likelihood of a similar future event.” The organization is in the process of mailing notices to the individuals for whom it has an address. For individuals who had their Social Security number stolen, the organization is offering free credit monitoring.

Why Third-Parties Matter

It’s common for healthcare organizations to partner with outside specialists in a variety of ways. Often, administrative duties are outsourced, but it’s also common for lab testing, teleconsultations, and more to be given to outside parties. In today’s world, outsourcing can allow companies to specialize and provide the highest quality service possible in their specialization.

Yet with the rise of outsourcing and third parties, there are also increasing risks. Protected Health Information (PHI) is often shared with these organizations, but it can be difficult for hospitals to know how secure the other party is. If a third party is breached, it can impact patients who may not have even known that their data was provided to an outside organization. For patients, the breach can come as a concerning surprise. For hospitals and providers, it can be a confusing and challenging issue to navigate. 

Breaches like these are becoming increasingly common, with the largest example coming from Change Healthcare. Hundreds of hospitals utilized Change for administrative tasks, namely assisting with insurance claims and billing. Although the company was trusted with massive amounts of data, investigations revealed that it hadn’t followed certain cybersecurity norms, like utilizing multifactor identity authentication. 

When a third party is impacted, it can have a trickle-down effect that also makes the breach more difficult to resolve; hospitals can be left in limbo, uncertain of how the breach occurred or who was impacted. Meanwhile, the third party may struggle with sending individualized breach notifications to large numbers of patients.

Ultimately, hospitals should be increasingly conscientious of the third parties they choose to work with. Instead of solely considering how the third party can aid the hospital, hospitals need to consider how the outside organization can potentially harm patients.

Ramifications and Consequences

As a third party, Consulting Radiologists sits at the center of a breach that also affects the hospitals it works with. For instance, Allina Health, a Minneapolis-based nonprofit health system, has begun alerting patients who were impacted by the breach.

For impacted individuals, every breach matters. Between 2022 and 2023, data breaches increased by 128% in the healthcare industry. In some cases, individuals may only have certain pieces of information stolen, like names, dates of birth, or addresses. Often, this information alone isn’t enough to cause concern. Still, when that information is aggregated with other stolen data, it becomes easier for a criminal to commit fraud. With rising attacks, some patients will likely be the victim of multiple breaches, making it all the more likely that they become victims of fraudulent activity.

Patients aren’t the only ones who face challenging implications. Lawsuits are becoming increasingly prevalent, and it looks like Consulting Radiologists will face similar repercussions. 

Currently, at least one class action lawsuit is being formed against the organization, alleging that Consulting Radiologists may have been negligent in protecting data.

Outside of lawsuits, healthcare organizations can face fines or penalties if they are found negligent. They may also face fees or expenses related to the investigation, changes to their security tools or protocols, and more.   

How Cloudticity Can Help 

Network attacks like the one faced by Consulting Radiologists can be devastating for patients, hospitals, and third parties alike, but they are preventable. 

Right now, many organizations struggle to keep up with evolving attack strategies, best practices, and the countless guides designed to make data safer. For some, it feels like a never-ending race. 

Yet data security is more important now than ever. On average, breaches in the healthcare sector cost $10.93 million. That can have a huge financial impact on any practice, but especially on smaller practices that may struggle to maintain strong security infrastructure.

But cybersecurity isn’t a lost cause–Cloudticity was specifically created to help healthcare organizations uphold the highest level of security without jeopardizing patient care. 

We’ve been a leader in managed security for healthcare for over a decade. Despite evolving trends and growing threat actors, we’ve never suffered a data breach. Through the best services and tools alongside a proven security tech stack, we offer the highest level of security in the field.

By outsourcing your cybersecurity needs, you can better focus on serving patients and providing care. 

Learn more about how Cloudticity’s Managed Security for Healthcare can help you address cybersecurity needs. Reach out today for a free consultation.