NY AG issues $450k penalty to US Radiology after unpatched bug led to ransomware attack
One of the nation’s largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients.
In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021.
US Radiology used the company’s firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.
The vulnerability highlighted by the attorney general — CVE-2021-20016 — was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed “due to competing priorities and resource restraints.”
The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.
“Once the threat actor gained access to the VPN, they leveraged 101 additional credentials to access various network data folders over the following week,” New York prosecutors said.
“While a subsequent forensic investigation was unable to definitively determine how the threat actor initially obtained credentials to access the SonicWall VPN, the vulnerability identified by the NCC Group in January 2021 could have allowed the threat actor to capture username, password and other session information stored on the SonicWall server through a process known as a SQL injection.”
An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients.
The data exposed during the incident also included driver’s license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers.
“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James.
“US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems.”
In addition to the $450,000 penalty, the company will have to upgrade its IT network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program.
The company will have to delete patient data “when there is no reasonable business purpose to retain it” and submit compliance reports to the state for two years.
James has used her position to levy stiff penalties against several companies accused of failing to protect customer data before cyberattacks.
Last month, she forced Long Island health care company Personal Touch to pay a $350,000 penalty for failing to secure the data of 300,000 New Yorkers. In September, James used a settlement to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information on almost 200,000 people.
James and other attorneys general have joined forces to fine companies like software company Blackbaud, clothing giant Shein, Carnival Cruises, the grocery chain Wegmans, and more.
The US Radiology fine comes just days after New York Governor Kathy Hochul announced changes to state cybersecurity rules that force regulated entities to report ransomware payments and take other measures to secure customer data.
“The new rules build on our risk-based approach to integrate cybersecurity with enhanced governance, more robust access controls and assessments, updated reporting rules including for ransomware, and requirements for personnel training; these regulations raise the bar for cyber resilience,” said New York State Chief Cyber Officer Colin Ahern.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.