Late notification raises questions about a US Radiology Specialists breach last year
As keen eyes have noticed, two radiology services — Gateway Diagnostic Imaging in Texas and Radiology Ltd in Arizona — recently submitted breach notices to the Montana Attorney General’s Office. Both notices reported an incident in December 2021. But were these separate incidents, or were they both the result of a third-party breach?
Both Gateway Diagnostic Imaging and Radiology Ltd. are partners of US Radiology Specialists, who notified HHS in February of an incident that impacted 87,552 patients.
But on whose behalf did US Radiology Specialists report to HHS? In January, Touchstone Medical Imaging had reportedly acknowledged system outages in December. Was the US Radiology Specialists’ report to HHS in February for them of was it on behalf of all of affected covered entities or just some?
DataBreaches’ searches found that several US Radiology Specialists’ “partners” have reported the December 2021 incident but could not find indications that all of them had.
The following partners did disclose a December incident, but DataBreaches did not find any reports by them on HHS’s public breach tool:
Charlotte Radiology, Touchstone Medical Imaging, Radiology Ltd, and Gateway Diagnostic. It’s possible, therefore, that the US Radiology Specialists report in February was for all of them.
DataBreaches could not find any notification letters nor submissions to HHS from the following:
Diversified Radiology, American Health Imaging, Upstate Carolina Radiology, Windsong Radiology, South Jersey Radiology Associates, and Larchmont Imaging Associates.
US Radiology Specialists is a business associate. Did their incident also impact these other providers? Are there others not on this list who were also affected? And how many patients were affected in total?
And why would Gateway Diagnostic and Radiology Ltd. submit notifications to Montana now? Was that late reporting, or had they first discovered Montana residents who needed to be notified?
From some of the descriptions, it is not clear whether this was a ransomware attack on US Radiology Specialists and at least one entity was not answering specific questions. The types of patient information that may have been acquired included names and one or more of the following: address, date of birth, health insurance information, medical record number, patient account number, physician name, date(s) of service, diagnosis and/or treatment information related to radiology services. For some patients, Social Security numbers were contained in the documents involved.
DataBreaches sent an inquiry to US Radiology Specialists seeking clarification on the incident and additional details. No reply has been received.
Update 1: No reply has been received, but DataBreaches has found more information that suggests that the 87,552 report to HHS by US Radiology Specialists in February may have only been for Touchstone Imaging. Specifically:
Gateway Diagnostics reported to the Texas Attorney General’s Office that 240,673 Texans were impacted by a breach; and
American Health Imaging, whose website links to US Radiology Specialists, reported to the Texas Attorney General’s Office that 21,003 Texans were impacted by a breach
And if three radiology groups issued notifications this week related to an incident last December, will we see even more? And then why is notification so late?