Cyber Incident Victim: Diagnostic Radiology & Imaging
Date: Nov 2017
Location: United States of America
Summary
A North Carolina-based medical imaging provider experienced a phishing attack where an employee disclosed credentials to an impersonator, enabling unauthorized access to an email account containing limited patient information. The compromised data included names, medical record numbers, descriptions of imaging services (including dates and types), contact details, and in rare instances, dates of birth. Approximately 800 individuals were affected, though no Social Security numbers or financial data were exposed. The organization engaged external forensic experts and legal counsel, notified impacted patients by mail, and reinforced staff training on cybersecurity protocols with enhanced focus on phishing threats to prevent future incidents.
Description
Diagnostic Radiology & Imaging, LLC (DRI), operating imaging facilities in Greensboro, North Carolina under the names Greensboro Imaging and The Breast Center of Greensboro, discovered an impermissible disclosure of patient information on January 31, 2018. An investigation determined the incident originated from a phishing attack on November 11, 2017, when an employee received a deceptive email appearing to originate from a legitimate source. The attacker successfully tricked the employee into revealing credentials that provided access to the employee's work email account. Within this compromised account, the attacker accessed limited health information pertaining to approximately 800 patients. The exposed data included patient names, medical record numbers, descriptions of imaging services received (including dates, types, and locations of services), and in some instances, email addresses and phone numbers. A small subset of records also contained patient dates of birth. The investigation confirmed the attacker did not access Social Security Numbers, financial information, or other data that could directly facilitate financial harm. DRI emphasized the breach was confined to the contents of the single compromised email account and did not involve broader system infiltration or access to medical images themselves.

Following the discovery, DRI initiated a response that included notification of affected patients via first-class mail as required by federal law. The organization engaged external forensic investigators and legal counsel specializing in data breaches to manage the investigation and compliance efforts. Internal reviews confirmed existing policies and procedures related to patient information confidentiality and security were in place, with regular employee training conducted prior to the incident. In direct response to the phishing attack, DRI implemented retraining for all employees and contractors on privacy and security protocols, with enhanced focus on identifying and resisting phishing attempts and other cybercrime tactics. The company publicly expressed regret for the incident and established a dedicated phone line (1-800-638-2869) for patient inquiries. While acknowledging the exposure of sensitive health information, DRI reiterated its assessment that the absence of financial data in the compromised account minimized risks of financial fraud for impacted individuals. The company’s physical address (1150 Revolution Mill Dr, Suite 9, Greensboro, NC 27405) was provided as a point of contact for further correspondence.
