Hack at radiology service provider affects 4 practices and 411,000 people

The breach, reported to federal regulators on Aug. 15 by Chattanooga, Tenn.-based Specialty Networks, is the latest in a series of hacks targeting HIPAA-regulated business partners. In a breach statement, Specialty Networks said the incident also affected several customers, including Prime Imaging; Diagnostic Radiology Consultants, PA; Allied Mobile; and Videre Diagnostics.

Specialty Networks said it identified unusual activity on its network on December 18, 2023 and immediately took steps to secure the network and engage a digital forensics and incident response firm to conduct an investigation.

The investigation revealed that a week prior to the discovery, around December 11, a malicious actor acquired certain data stored in Specialty Networks’ systems.

Specialty Networks subsequently undertook a comprehensive review of the potentially affected data and determined on May 31 that certain personal and protected health information may have been affected.

Specialty Networks said it then notified affected healthcare providers and, around June 24, coordinated notification efforts with them and verified the information and mailing addresses of those affected by the breach.

Information potentially compromised in the incident includes name, date of birth, driver’s license number, Social Security number, medical record number, treatment and health status information, diagnoses, medications, and health insurance information.

The company is offering 12 months of additional identity and credit monitoring to those affected.

Specialty Networks said it reported the incident to the FBI and took “additional steps to prevent a similar event from happening in the future.”

In the past two weeks, at least four proposed class actions have been filed against Specialty Networks in federal court in Tennessee.

The lawsuits all contain similar allegations, including that Specialty Networks was negligent in failing to protect sensitive patient information, including data relating to minors, thereby exposing them to risks of identity theft and fraud.

The lawsuits all seek similar remedies, including monetary damages and court orders requiring Specialty Networks to improve its data security practices.

Specialty Networks did not immediately respond to Information Security Media Group’s request for comment on the lawsuits and additional details about the hack, including the type of cyberattack.

The complaint filed Aug. 20 by Daniel Smith, a lead plaintiff in one of the lawsuits against Specialty Networks, says he was a patient of Chattanooga, Tennessee-based medical imaging provider Prime Imaging.

Prime Imaging did not immediately respond to ISMG’s request for comment on the incident. A Prime Imaging staff member told ISMG that Specialty Networks “manages” its computer systems.

Specialty Networks said in its breach notice that in addition to radiology information systems and transcription services, it provides enterprise practice management solutions to medical facilities.

As of Tuesday, the Specialty Networks hack ranks among the 25 largest health data breaches reported so far this year to the U.S. Department of Health and Human Services. The 471 major breaches reported so far to the HHS Office for Civil Rights this year have affected more than 54.1 million people.

Of those breaches, 159 — including the Specialty Networks hack — were related to business partners, according to HHS OCR’s HIPAA Breach Reporting Tool website. Those business partner data breaches affected nearly 22.8 million people.