Cyber Incident Victim: Radiology Ltd
Date:
Dec 2021
Location:
United States of America
Summary
A US Radiology Specialists breach potentially impacted multiple partner entities, including Radiology Ltd., with delayed notifications raising questions about the incident's scope and reporting compliance. The business associate initially reported an incident affecting 87,552 patients to HHS, while subsequent disclosures by partners revealed significantly higher regional impacts—Gateway Diagnostic Imaging reported 240,673 affected Texans and American Health Imaging reported 21,003. Compromised data included patient names, contact details, birthdates, insurance information, medical records, service dates, diagnoses, and some Social Security numbers. The incident, suspected to involve ransomware, prompted unresolved inquiries about whether all affected partners were included in the initial report or discovered breaches independently, with late notifications suggesting possible delayed discovery of impacted residents in certain states.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In December 2021, multiple radiology providers affiliated with US Radiology Specialists experienced a cybersecurity incident. Gateway Diagnostic Imaging in Texas and Radiology Ltd in Arizona submitted breach notifications to the Montana Attorney General’s Office in late 2021, though the exact discovery timeline remains unclear. US Radiology Specialists, a business associate serving these providers, filed a report with the U.S. Department of Health and Human Services (HHS) in February 2021 affecting 87,552 patients. The incident potentially involved third-party systems, with conflicting evidence about whether this single HHS report covered all impacted entities or only Touchstone Medical Imaging, which had acknowledged system outages in January 2021. Several US Radiology Specialists partners including Charlotte Radiology, Touchstone Medical Imaging, Radiology Ltd, and Gateway Diagnostic failed to submit independent reports to HHS’s public breach tool despite disclosing the December incident through other channels.
The breach exposed sensitive patient information including names combined with one or more of the following: addresses, dates of birth, health insurance details, medical record numbers, patient account numbers, physician names, service dates, diagnosis information, and treatment details related to radiology services. Social Security numbers were compromised for some patients. Subsequent notifications revealed discrepancies in victim counts, with Gateway Diagnostic reporting 240,673 affected Texans to the Texas Attorney General and American Health Imaging reporting 21,003 impacted Texans – figures not reflected in the original HHS filing. The incident’s total scope remained unresolved, with no confirmation about whether additional partners like Diversified Radiology or South Jersey Radiology Associates were affected. US Radiology Specialists did not respond to inquiries about whether the attack involved ransomware, the reason for delayed notifications to Montana residents, or the complete list of impacted entities. Multiple providers issued breach notifications nearly one year post-incident without public explanation for the timeline.