A private radiology group with operations in New York and Connecticut has agreed to pay $350,000 in a federal settlement over alleged violations of data security rules designed to protect patients’ health information.
The US Department of Health and Human Services (HHS) announced the enforcement action against Northeast Radiology, a firm that operates five clinics and had experienced a breach of its digital imaging storage system between 2019 and 2020. The breach prompted alerts to nearly 300,000 patients whose data may have been exposed.
The breach centered on the unauthorized access to Northeast Radiology’s Picture Archiving and Communication System (PACS), a platform used for storing and managing radiological images.
The federal investigation, launched by the HHS Office for Civil Rights (OCR) in early 2020, concluded that the provider had not conducted a comprehensive risk analysis of its information systems, a key requirement under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Corrective action
To resolve the matter, Northeast Radiology has entered into a resolution agreement that includes both the financial penalty and a two-year corrective action plan. The plan mandates several steps, including a thorough risk analysis, regular reviews of system access logs, and strengthened staff training on HIPAA compliance. Federal officials stressed that these measures are intended to prevent future security lapses and reinforce data protection practices across the healthcare sector.
Although the company has not admitted to wrongdoing, the case highlights the regulatory consequences of cybersecurity complacency in the healthcare industry. While an earlier class-action lawsuit brought by patients against Northeast Radiology was dismissed in 2022, the federal settlement underscores the importance of proactive data governance.
It also marks the sixth enforcement action under the OCR’s ongoing Risk Analysis Initiative, a program targeting weaknesses in the protection of electronic patient records.
Rights enforcement
The Office for Civil Rights (OCR), housed within the US Department of Health and Human Services, plays a central role in safeguarding both individual liberties and data integrity within the American healthcare system. Its remit extends beyond digital privacy to include the enforcement of federal laws prohibiting discrimination in health and social services, and it also acts as a guardian of public trust, ensuring that providers uphold both civil liberties and ethical responsibilities in increasingly complex care environments.
Among its most prominent mandates is the enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, which form the backbone of patient data protection in the US healthcare system.
These rules require health insurers, providers, and affiliated service firms to implement robust safeguards, both technical and administrative, to ensure that sensitive patient information is kept confidential, accurate, and secure. OCR’s Risk Analysis Initiative, launched to encourage regular assessments of digital vulnerabilities, has repeatedly called on healthcare entities to encrypt data in motion, audit their IT systems routinely, and offer ongoing staff training, all aimed at preventing breaches before they occur.
Security overhaul
As part of its settlement with federal regulators, Northeast Radiology has committed to a broad remedial program to address its HIPAA compliance shortfalls. The mandated overhaul includes a fresh, organization-wide risk analysis to identify weaknesses in how electronic patient information is stored and transmitted. It also calls for a formal risk management strategy, enhanced audit tracking, and stricter review of system activity.
Beyond systems, the practice must update its policies and procedures and improve workforce training to ensure staff responsibilities align with HIPAA Security Rule requirements. The Office for Civil Rights (OCR) will oversee these corrective measures for two years, reinforcing its insistence that prevention, not just reaction, become standard practice in healthcare cybersecurity.
The Security Rule’s linchpin is the concept of risk analysis, a legally mandated process that goes beyond technical scanning to encompass environmental threats, human error, and systemic vulnerabilities. The results of such analysis should inform everything from access controls and personnel screening to encryption decisions and system authentication processes. Although some safeguards under HIPAA are labeled “addressable” rather than “required,” this flexibility is not an exemption.
Organizations must either implement the measure or document why a reasonable alternative is more appropriate, an obligation that, if ignored, invites regulatory scrutiny. OCR’s recent enforcement actions make clear that failing to complete or act upon a risk analysis will no longer be tolerated as a mere oversight.
OCR has issued updated guidance urging covered entities, including hospitals, insurers, and health IT vendors, to take several key steps in fortifying their cybersecurity posture. These include mapping the flow of protected health data across internal and external systems, embedding risk assessments into core business processes, and deploying audit tools that detect unauthorized access.
Encryption, both in transit and at rest, remains a strong line of defense and should be implemented wherever feasible. Importantly, lessons from past breaches must be incorporated into forward-looking compliance strategies, making incident response not just reactive but regenerative.
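The guidance above calls for routine review of system access logs and for audit tools that flag unauthorized access. The script below is an added illustration of what such a review can look like in practice; it is not code from the article, from OCR, or from Northeast Radiology. It assumes a hypothetical pipe-separated PACS access-log format (timestamp, user, action, study ID, source IP), a constructed sample of log lines, and an assumed list of workforce accounts authorized to use the PACS. It flags three things a reviewer would want surfaced: accounts not on the authorized list, activity outside business hours, and any single account touching an unusually large number of distinct studies.

```python
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample of a PACS access log. The pipe-separated format
# (timestamp|user|action|study_id|source_ip) is an assumption for this
# example; real PACS products log in their own formats.
SAMPLE_LOG = """\
2020-01-14T09:12:03|rtech01|VIEW|STUDY-1001|10.0.5.21
2020-01-14T09:15:44|rtech01|VIEW|STUDY-1002|10.0.5.21
2020-01-14T10:02:19|drlee|VIEW|STUDY-1002|10.0.5.30
2020-01-14T22:41:10|svc_backup|EXPORT|STUDY-1003|203.0.113.7
2020-01-14T22:41:12|svc_backup|EXPORT|STUDY-1004|203.0.113.7
2020-01-14T22:41:15|svc_backup|EXPORT|STUDY-1005|203.0.113.7
2020-01-14T22:41:17|svc_backup|EXPORT|STUDY-1006|203.0.113.7
2020-01-14T22:41:20|svc_backup|EXPORT|STUDY-1007|203.0.113.7
2020-01-14T13:30:05|tempuser9|VIEW|STUDY-1008|10.0.5.77
2020-01-14T13:31:40|tempuser9|VIEW|STUDY-1009|10.0.5.77
this line is malformed and should be skipped, not silently dropped
"""

# Assumed (hypothetical) set of workforce accounts permitted to use the PACS.
AUTHORIZED_USERS = {"rtech01", "drlee", "svc_backup"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
BULK_THRESHOLD = 5  # distinct studies per account in the window before flagging


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped and counted."""
    entries, skipped = [], 0
    for raw in text.splitlines():
        fields = raw.strip().split("|")
        if len(fields) != 5:
            skipped += 1
            continue
        ts, user, action, study, src_ip = fields
        try:
            stamp = datetime.fromisoformat(ts)
        except ValueError:
            skipped += 1
            continue
        entries.append({"ts": stamp, "user": user, "action": action,
                        "study": study, "src_ip": src_ip})
    return entries, skipped


def review_access(entries, authorized, bulk_threshold=BULK_THRESHOLD):
    """Return (finding_type, user, detail) tuples for a human reviewer."""
    findings = []
    studies_by_user = defaultdict(set)
    for e in entries:
        # Account not on the authorized workforce list.
        if e["user"] not in authorized:
            findings.append(("unknown_user", e["user"], e["study"]))
        # Activity outside the clinic's business hours.
        if not BUSINESS_START <= e["ts"].time() <= BUSINESS_END:
            findings.append(("after_hours", e["user"], e["ts"].isoformat()))
        studies_by_user[e["user"]].add(e["study"])
    # One account touching many distinct studies in the window.
    for user, studies in studies_by_user.items():
        if len(studies) >= bulk_threshold:
            findings.append(("bulk_access", user, len(studies)))
    return findings


def summarize(findings):
    """Count findings by type, the figures a periodic review would record."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    findings = review_access(entries, AUTHORIZED_USERS)
    for finding in findings:
        print(finding)
    print("summary:", summarize(findings), "skipped lines:", skipped)
```

The skipped-line count is reported deliberately: a review that quietly drops unparseable lines cannot show that the whole log was examined, and the thresholds and authorized-user list should come from the organization's own risk analysis rather than being hard-coded as they are here.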
The private sector, especially firms handling sensitive data, can draw broader lessons from this enforcement pattern. A robust compliance culture starts with clear ownership, appointing senior figures to oversee privacy policies, and continues with real-time regulatory monitoring using AI-enhanced tools. Risk audits should be routine, not rare, and training must move beyond generic sessions to tailored programs tied to specific job functions.
Beyond the breach
The Northeast Radiology case is not an isolated episode but part of a broader federal campaign to recalibrate how health data is protected across an increasingly complex digital landscape. The case, alongside recent settlements with firms including Health Fitness Corporation, reveals OCR’s sharpened focus on the systemic weaknesses that underlie most data breaches, not just the breaches themselves.
Health Fitness, which self-reported multiple security lapses due to server misconfigurations, paid a penalty of $227,816 and was placed under a corrective action plan similar to that of Northeast Radiology (NERAD). In both cases, the failure to conduct timely and thorough risk analyses was central to OCR’s findings, confirming the agency’s stance that prevention, not post-crisis damage control, must be the guiding principle of compliance.
OCR’s renewed vigor in enforcement is also surfacing in other dimensions of HIPAA oversight, such as patients’ rights to access their own medical records.
The $200,000 penalty against Oregon Health & Science University, imposed after it repeatedly failed to deliver requested health records in a timely manner, shows that HIPAA enforcement is no longer confined to technical breaches of electronic security. It stretches to the foundational civil rights embedded in the act: the right to information, the right to privacy, and the right to dignity in the digital handling of personal health data. These actions collectively suggest that OCR is reasserting HIPAA not merely as a compliance checklist but as a civil liberties statute with teeth.
This intensified regulatory activity coincides with, and arguably accelerates, the emergence of state-level legislation filling gaps HIPAA cannot reach. Laws like New York’s proposed Health Information Privacy Act and Massachusetts’ Location Shield Act push the boundary of what constitutes protected health data and who should be held accountable for its misuse.
Unlike HIPAA, which narrowly applies to entities in formal healthcare relationships, these new laws extend to app developers, wellness platforms, and data brokers, reshaping the map of health privacy jurisdiction.
Together, these state initiatives and federal crackdowns underscore a fundamental shift: data security is no longer just an IT issue, nor is privacy merely a compliance obligation. Both are increasingly positioned at the intersection of civil rights and infrastructure resilience in a digitized society.