Cyber Incident Victim: Gateway Diagnostics Imaging
Date:
Dec 2021
Location:
United States of America
Summary
A cybersecurity incident impacted multiple radiology providers affiliated with US Radiology Specialists, including Gateway Diagnostic Imaging, Radiology Ltd, Touchstone Medical Imaging, and others. The breach exposed sensitive patient information such as names, addresses, dates of birth, health insurance details, medical record numbers, treatment information, and some Social Security numbers. Discrepancies exist in reported patient impact figures, with US Radiology Specialists initially reporting 87,552 affected individuals to HHS, while Gateway Diagnostics and American Health Imaging separately notified state authorities of 240,673 and 21,003 impacted patients in Texas respectively. The incident involved delayed notifications to regulators and patients, with some affiliated entities failing to publicly disclose their involvement. The breach may have originated from a third-party system outage or ransomware attack affecting the partner network.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In December 2021, a cybersecurity incident impacted multiple radiology providers affiliated with US Radiology Specialists, including Gateway Diagnostic Imaging in Texas and Radiology Ltd in Arizona. The incident prompted US Radiology Specialists to file a report with the U.S. Department of Health and Human Services (HHS) in February 2021, disclosing a breach affecting 87,552 patients. The nature of the incident suggested potential third-party involvement, as US Radiology Specialists served as a business associate to its partner entities. At the time of the HHS report, it remained unclear whether the February filing encompassed all affected providers or only specific partners like Touchstone Medical Imaging, which had acknowledged system outages in December. Gateway Diagnostic Imaging and Radiology Ltd submitted breach notifications to the Montana Attorney General’s Office in late 2021, though neither entity appeared in HHS’s public breach database. Other partners, including Charlotte Radiology and Touchstone Medical Imaging, similarly disclosed December incidents without HHS filings, raising questions about centralized reporting.
The scope of the breach expanded as additional notifications emerged. Gateway Diagnostic Imaging reported to the Texas Attorney General’s Office that 240,673 Texas residents were affected, while American Health Imaging, another US Radiology Specialists partner, disclosed impacts to 21,003 Texans. Patient data exposed included names, addresses, dates of birth, health insurance details, medical record numbers, physician names, dates of service, and diagnosis/treatment information related to radiology services. Social Security numbers were compromised for some individuals. Despite inquiries from media outlets, US Radiology Specialists did not clarify whether its February HHS report covered all partners or only Touchstone, nor did it confirm whether entities like Diversified Radiology or South Jersey Radiology Associates were affected. The delayed notifications to Montana in late 2021—nearly a year post-incident—suggested potential late discovery of impacted residents or operational delays. No public confirmation of ransomware involvement or detailed attacker actions was provided, though system outages and unresolved questions about breach containment persisted.