December 2, 2023

One of the nation's largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients.

In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021.

US Radiology used the company's firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.

The vulnerability highlighted by the attorney general — CVE-2021-20016 — was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was not supported. The company planned to replace the hardware in July 2021, but the project was delayed "due to competing priorities and resource restraints."

The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.

"Once the threat actor gained access to the VPN, they leveraged 101 additional credentials to access various network data folders over the following week," New York prosecutors said.

"While a subsequent forensic investigation was unable to definitively determine how the threat actor initially obtained credentials to access the SonicWall VPN, the vulnerability identified by the NCC Group in January 2021 could have allowed the threat actor to capture username, password and other session information stored on the SonicWall server through a process known as a SQL injection."

An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients.

The data exposed during the incident also included driver's license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers.

"When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care," said Attorney General James.

"US Radiology failed to protect New Yorkers' data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems."

In addition to the $450,000 penalty, the company must upgrade its IT network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program.

The company must delete patient data "when there is no reasonable business purpose to retain it" and submit compliance reports to the state for two years.

James has used her position to levy stiff penalties against several companies accused of failing to protect customer data before cyberattacks.

Last month, she forced Long Island health care company Personal Touch to pay a $350,000 penalty for failing to secure the data of 300,000 New Yorkers. In September, James used a settlement to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information on almost 200,000 people.

James and other attorneys general have joined forces to fine companies like software company Blackbaud, clothing giant Shein, Carnival Cruises, the grocery chain Wegmans, and more.

The US Radiology fine comes just days after New York Governor Kathy Hochul announced changes to state cybersecurity rules that force regulated entities to report ransomware payments and take other measures to secure customer data.

"The new rules build on our risk-based approach to integrate cybersecurity with enhanced governance, more robust access controls and assessments, updated reporting rules including for ransomware, and requirements for personnel training; these regulations raise the bar for cyber resilience," said New York State Chief Cyber Officer Colin Ahern.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.