The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, PC (NERAD), a professional corporation that provides clinical services at medical imaging centers in New York and Connecticut, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR initiated its investigation after receiving a report from NERAD in March 2020 of a breach of unsecured electronic protected health information (ePHI). NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s picture archiving and communication system (PACS) server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.