US Radiology Faces Class Action Lawsuit after Data Breach

 

proposed class action suit has been filed against US Radiology Specialists (USRS) over a data breach occurring in December 2021.

Plaintiffs Ariann J-Hanna and Nicole Pyle, residents of Tucson, AZ, claimed “individually and on behalf of all other similarly situated” that USRS did not fulfill their responsibility to keep secure and protect sensitive patient information.

Information accessed through ClassAction.org reveals that their suit contends that an authorized party, with criminal intent, gained access to the US Radiology data network from December 17 to 24 of last year and may have obtained patients’ protected data, potentially including:

 

• First and last names
• Social Security numbers
• Drivers’ license numbers
• Dates of birth
• Health insurance information
• Medical treatment information
• Patient account numbers
• Physicians’ names
• Dates of service
• Diagnoses

 

The plaintiff’s lawsuit charges that US Radiology Specialists, although aware of the threat of data breaches, failed to take adequate precautions to secure sensitive patient data.

“Had Defendant remedied the deficiencies in its security systems, followed industry

guidelines, and adopted security measures recommended by experts

in the field, Defendant would have prevented the ransomware attack into its

systems and, ultimately, the theft of its patients’ Private Information.”

 

Furthermore, the class action lawsuit brings forward that US Radiology Specialists did not provide timely and sufficient notification of the data breach. US Radiology Specialists did not send out notifications to the affected patients until nine months later.

 

“As a result of the Data Breach and Defendant’s failure to promptly notify Plaintiffs

 and Class members thereof,” the complaint states, “Plaintiffs and Class members are at imminent and substantial risk of experiencing various types of misuse of their Private Information in the coming years, including but not limited to, unauthorized

credit card charges, unauthorized access to email accounts, identity theft.”

 

The patients’ class action suit states the data breach notification letters were “not just untimely but woefully deficient” because the letters did not contain critical details about the breach, including:

• How did an unauthorized entity gain access to USRS’s data network
• If their data was encrypted
• How USRS realized its network had been breached
• If the data breach was system-wide
• Were the servers containing patient information compromised
• Number of patients impacted

The patients’ case asserts that the disclosure letter did not reveal the relationship between the subsidiary that sent the notification letter and US Radiology Specialists. DataBreaches uncovered additional information:

• US Radiology Specialists reported 87,522 patients’ data breach to HHS in February, but it may have only represented Touchstone Imaging.
• Gateway Diagnostics filed a report with the Texas Attorney General’s Office regarding a breach of 240,673 Texas residents.
• American Health Imaging (with links from their website to US Radiology Specialists site) submitted a report to the Texas Attorney General for 21,003 Texas citizens affected by a breach.

The class action case shows that USRS did not provide “any remedial services at all” and offered a single year of credit monitoring for “a select few.” The suit notes that the USRS offer is “woefully inadequate” because fraud and identity theft may occur years after a breach occurs.

The lawsuit proposes covering residents in the United States impacted by the breach and furnishing notice of the data breach incident. The USRS affiliate groups include the previously reported ones in North Carolina, Arizona, and Texas and USRS affiliates in Colorado.

The class action lawsuit also notes:

“There has been no assurance offered by US Radiology or its subsidiaries that

all personal data or copies of data have been recovered or destroyed.

Accordingly, Plaintiffs assert claims for negligence, breach of third-party

beneficiary contract, breach of implied contract, breach of fiduciary duty,

and declaratory and injunctive relief.”

 

As the American College of Radiology warned in a February 23 Practice Management bulletin, a potential cyberattack is the “Wolf at the Door.” Two hundred ninety-five healthcare cyberattacks occurred in the 18 months between June 2, 2020, and December 31, 2021. ACR reminds healthcare providers that what they do in the first 48 hours and the following 3 weeks is critical to their recovery from a cyber-attack.