Radiology Practice Reveals Insider Breach

Radiologist Accessed Billing Systems Without Authorization

About 97,000 current and former patients of NRAD Medical Associates, a radiology practice in Long Island, N.Y., are being notified that a radiologist formerly employed with the organization accessed and acquired protected health information from NRAD's billing systems without authorization.

Information inappropriately accessed in the breach includes patient names and addresses, dates of birth, Social Security numbers, health insurance information and diagnosis and procedure codes, the practice says.

The number of patients affected by the breach, which occurred on or about April 24, represents about 12 percent of the total NRAD has treated in the last 20 years, the practice reports.

NRAD says financial data, such as banking and credit card information, was not obtained during the intrusion, and there's no indication that the information was disclosed to or used by any third parties.

"While our internal investigation is continuing, it appears that a single individual, a radiologist who was employed by NRAD at the time of the breach, bypassed security systems within the company's billing and data systems," the organization says. "The individual is no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation."

NRAD says it is working with the U.S. Department of Health and Human Services' Office of Civil Rights and all "applicable government agencies" to notify patients.

A spokesperson for NRAD says impacted individuals will receive free credit monitoring services if they request them.

Following the incident, NRAD says it took several unspecified measures to enhance the security safeguards of its billing and patient databases. The organization did not immediately respond to a request for additional information.

Mitigating Insider Threats

Healthcare organizations can take several steps to prevent patients from becoming the victims of medical identity theft and fraud committed by insiders, says Mac McMillan, CEO of security consulting firm CynergisTek (see: Thwarting Cybercrime in Healthcare).

One key step involves improving monitoring of data access. In addition to taking advantage of audit logs, organizations should use behavioral analysis that measures patterns of when and where users are accessing data and what they're looking at, McMillan suggests.
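The sketch below is an added example, not part of the original article and not NRAD's or CynergisTek's tooling. It shows one simple form of the behavioral analysis described above: each user's access on a given day is compared with that user's own audit-log baseline for where (system), when (hour) and how much (distinct records). The log fields, user names, system names and the z-score threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not from any real system). Baseline: two clinical users
# each read 8-9 imaging records a day in office hours. On the review day, rad_b differs.
BASELINE = [(f"2024-01-{d:02d}T{9 + i % 8:02d}:15:00", u, "imaging", f"P{d}{i:03d}")
            for u in ("rad_a", "rad_b") for d in range(8, 13) for i in range(8 + d % 2)]
DAY = ([(f"2024-01-15T{9 + i:02d}:30:00", "rad_a", "imaging", f"P15{i:03d}") for i in range(8)]
       + [(f"2024-01-15T22:{i % 60:02d}:00", "rad_b", "billing", f"B{i:05d}") for i in range(400)])

def profile(rows):
    """Per user: systems touched, hours of day seen, distinct records per calendar day."""
    systems, hours, daily = defaultdict(set), defaultdict(set), defaultdict(lambda: defaultdict(set))
    for ts, user, system, record in rows:
        t = datetime.fromisoformat(ts)
        systems[user].add(system)
        hours[user].add(t.hour)
        daily[user][t.date()].add(record)
    return systems, hours, daily

def review(baseline_rows, day_rows, z_limit=3.0):
    """Return {user: [reasons]} for users whose day departs from their own baseline."""
    base_sys, base_hours, base_daily = profile(baseline_rows)
    day_sys, day_hours, day_daily = profile(day_rows)
    findings = {}
    for user in day_sys:
        reasons = []
        if day_sys[user] - base_sys[user]:        # "where": system never used before
            reasons.append("new_system")
        if day_hours[user] - base_hours[user]:    # "when": hour never seen before
            reasons.append("unusual_hour")
        counts = [len(r) for r in base_daily[user].values()]
        today = sum(len(r) for r in day_daily[user].values())
        if not counts:                            # no history: cannot judge volume
            reasons.append("no_baseline")
        elif (today - mean(counts)) / max(pstdev(counts), 1.0) > z_limit:
            reasons.append("volume_spike")        # "what": far more records than usual
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    print(review(BASELINE, DAY))
```

The floor of 1.0 on the standard deviation keeps a very flat baseline from turning a one-record difference into an alert.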

Another measure to mitigate the risks is to improve workforce training on appropriate access to records and other aspects of maintaining patient privacy, says Stevie Davidson, CEO of Health Informatics Consulting (see: Insider Threats: A Mitigation Strategy).


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.