NY AG Issues $450K Penalty To US Radiology After Unpatched Bug Led To Ransomware

An anonymous reader quotes a report from The Record: One of the nation's largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients. In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021. US Radiology used the company's firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.

The vulnerability highlighted by the attorney general -- CVE-2021-20016 -- was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed 'due to competing priorities and resource restraints.' The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.

An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients. The data exposed during the incident also included driver's license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers. In addition to the $450,000 penalty, the company will have to upgrade its IT network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program. The company will have to delete patient data 'when there is no reasonable business purpose to retain it' and submit compliance reports to the state for two years. 'When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,' said Attorney General James. 'US Radiology failed to protect New Yorkers' data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems.'

Read more of this story at Slashdot.