HHS Cites Security Risk Analysis Failures in Hack That Affected Nearly 300,000

A medical imaging practice with offices in New York and Connecticut has agreed to pay $350,000 to federal regulators to settle potential HIPAA violations uncovered in an investigation of a 2020 hacking incident that affected nearly 300,000 people.
The U.S. Department of Health and Human Services’ Office for Civil Rights on Thursday said that in addition to the financial payment, the resolution agreement with Northeast Radiology, P.C. requires the practice to implement a corrective action plan that the federal agency will monitor for two years.
The settlement with NERAD is the sixth enforcement action by HHS OCR under the agency’s HIPAA risk analysis enforcement initiative launched last year. HIPAA security risk analysis has long been a weakness identified in many of HHS OCR’s breach investigations and HIPAA audits over the years.
“A HIPAA risk analysis is essential to identifying where electronic protected health information is stored and the security measures in place to protect it,” said Anthony Archeval, HHS OCR acting director. “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”
HHS OCR said it initiated its investigation of NERAD after receiving a breach report from the practice in March 2020 about a compromise of unsecured electronic protected health information.
“NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s picture archiving and communications server,” HHS OCR said.
NERAD reported that the information of 298,532 patients stored on the PACS server was potentially accessible during the breach, HHS OCR said.
The agency’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.
Under the resolution agreement’s corrective action plan, NERAD will conduct an accurate and thorough HIPAA security risk analysis. As part of that process, NERAD must develop and incorporate into its risk analysis a complete inventory of all electronic equipment, data systems, off-site data storage facilities and applications that contain or store ePHI.
NERAD must provide those findings to HHS OCR for feedback from the agency on whether any revisions are needed.
“This process shall continue until HHS approves the risk analysis in its reasonable discretion,” HHS OCR said.
NERAD also must review its risk analysis at least annually and promptly update the analysis in response to environmental or operational changes affecting the security of ePHI, HHS OCR said.
The medical imaging practice also must develop an enterprise-wide risk management plan to address and mitigate all risks and vulnerabilities identified in its risk analysis. HHS OCR will review that risk management plan before NERAD implements it and will monitor NERAD’s compliance with the requirements of the corrective action plan for two years.
NERAD did not immediately respond to Information Security Media Group’s request for comment on the settlement.
The resolution agreement with NERAD announced on Thursday is the ninth HIPAA enforcement action HHS OCR has announced so far in 2025. But the settlement was actually signed in December 2024 by NERAD and on Jan. 5 by HHS OCR, prior to the Trump administration taking office. So far, none of the HIPAA enforcement actions disclosed by the agency in 2025 was finalized by HHS during Trump’s administration.
Who’s Left to Monitor NERAD’s Compliance?
Some experts say the level of HHS OCR’s HIPAA enforcement activity moving forward appears uncertain in light of HHS Secretary Robert F. Kennedy Jr.’s plans, announced March 27, to reduce the department’s workforce by about 20,000 employees and close five of its 10 regional offices as part of a department-wide restructuring and downsizing initiative.
“The resolution agreement and corrective action plan raise questions about the ability of HHS OCR to monitor compliance with HIPAA settlement agreements,” said attorney David Holtzman, retired founder of consultancy HITprivacy LLC.
“The investigation of Northeast Radiology and the resulting resolution agreement/corrective action plan were taken by the agency’s Pacific Region office during the term of the Biden administration,” he said.
“The Trump administration has closed – or will soon close – the Pacific Regional office. The investigator designated as OCR’s representative for monitoring the covered entity’s compliance with the corrective action plan is no longer with HHS,” said Holtzman, who served as a senior adviser at HHS OCR for several years during the George W. Bush and Barack Obama presidential administrations. “There are a number of active corrective action plans that were being managed through regional offices that are now closed,” he said.
HHS OCR did not immediately respond to ISMG’s request for comment on the status of the agency’s HIPAA enforcement staffing and its efforts under the HHS restructuring.