Consulting Radiologists is a radiology services firm based in Edina, Minnesota. The company began sending personal notifications to approximately 512,000 patients impacted by a cyberattack in February 2024.
Consulting Radiologists provides on-site radiology services to 22 hospitals and clinics and remote teleradiology services to over 100 healthcare centers in Minnesota. On February 12, 2024, the company identified suspicious activity in its computer system and immediately acted to protect its systems and prevent further unauthorized access. A third-party cybersecurity firm investigated the attack and confirmed that an unauthorized third party gained access to a server that contained patient information.
Consulting Radiologists stated it performed a time-consuming and thorough review of the server to find out which patients were impacted and the types of information affected. On April 17, 2024, the analysis confirmed the exposure and potential theft of patient data, including names, dates of birth, addresses, medical information, and medical insurance details. The types of information differed from one patient to another. For some patients, driver’s license numbers, Social Security numbers, and/or fact sheets and imaging results were also compromised.
Consulting Radiologists stated it has implemented extra monitoring software and will consider additional ways of protecting its network and patient data to comply with HIPAA privacy rules. Although patient information was compromised, Consulting Radiologists had not received any report of actual or attempted improper use of patient information at the time it issued notification letters about the security incident. As a precaution, the impacted persons were offered a year of free single-bureau credit monitoring, credit score, and credit report services.
The breach report submitted to the Maine Attorney General indicates that 511,947 individuals were impacted, including 47 residents of Maine. Consulting Radiologists did not mention how the attacker gained access to its system, whether the attacker issued a ransom demand, or what security procedures were added to secure patients’ files.
The LockBit and Qilin ransomware groups both claimed in April 2024 that they were responsible for the data theft at Consulting Radiologists. Qilin claimed to have stolen over 70GB of data comprising 94,667 files. The Qilin ransomware group is also responsible for the Synnovis ransomware attack that is still causing problems in London’s hospitals.
Photo credits: littlewolf1989 – AdobeStock.com