Connect with us

Hi, what are you looking for?


Data Breaches

Medical Company Fined $450,000 by New York AG Over Data Breach

A medical company has been fined $450,000 by the New York AG over a data breach that may have involved exploitation of a SonicWall vulnerability.

The attorney general of the state of New York announced on Wednesday that a medical company has been fined $450,000 over a data breach resulting from a ransomware attack.

According to the New York AG’s office, US Radiology Specialists, a major private radiology group, was targeted in a ransomware attack in December 2021. The incident resulted in the personal and health information of nearly 200,000 patients, including 92,000 New Yorkers, getting compromised.

The compromised information included names, dates of birth, driver’s license numbers, passport numbers, social security numbers, patient IDs, health insurance IDs, and information on medical exams and diagnosis.

An investigation of the US Radiology breach showed that cybercriminals entered the company’s network after gaining access to a SonicWall security appliance using valid credentials. 

While it could not be confirmed, the attackers may have obtained the credentials by exploiting a SonicWall product vulnerability that had been patched by the vendor in early February 2021, after it was spotted being exploited in the wild. 

The vulnerability, identified as CVE-2021-20016, got a lot of attention at the time, but the NY AG said US Radiology had failed to secure its SonicWall system. The company was supposed to replace outdated SonicWall hardware — on which the vulnerability could not be patched — in July 2021, but the process was delayed due to “competing priorities and resource restraints”. 

The NY AG said US Radiology has agreed to pay the $450,000 fine for its poor cybersecurity practices and its failure to protect patient data. 

In addition to the fine, the healthcare company has promised to enhance its information security program, create a program for more efficiently replacing or updating IT assets, encrypting patient information, developing a penetration testing program, and implementing policies and procedures for permanently deleting patient data that is no longer needed.

Advertisement. Scroll to continue reading.

Over the past year, the New York attorney general has fined several medical and other types of organizations over data breaches impacting a significant number of individuals. 

UPDATE: Shortly after publication, US Radiology provided the following statement to SecurityWeek:

US Radiology previously notified individuals and regulators, including the New York Attorney General, regarding a December 2021 IT security incident that impacted Windsong Radiology in Buffalo, NY. Since learning of the incident in 2021, US Radiology has implemented additional data security enhancements and continues to improve our technology and processes to protect IT infrastructure. 

Comprehensive data security incident investigations and cooperation with regulatory authorities can be lengthy procedures. As part of the regulatory response to the 2021 incident, US Radiology has entered into a voluntary settlement agreement with the New York Attorney General. 

US Radiology is pleased to resolve this matter and remains committed to protecting patient, provider, and employee data.

Related: Nonprofit Service Provider Blackbaud Settles Data Breach Case for $49.5M With States

Related: Equifax Fined $13.5 Million Over 2017 Data Breach

Related: TikTok Is Hit With $368 Million Fine Under Europe’s Strict Data Privacy Rules

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.