Radiologist hacks hospital PACS to access patient records

A small Connecticut hospital has notified nearly 1,000 patients that their imaging records have been breached by a radiologist who hacked into the PACS network for a month after being fired in February -- with the apparent goal of stealing the hospital's patients.

Griffin Hospital, a 160-bed facility in Derby, CT, announced the security breach on March 29 and informed Connecticut Attorney General Richard Blumenthal, who has promised to investigate the intrusion.

The radiologist, whom neither the hospital nor the attorney general's office would identify, worked for a radiology group with which the hospital contracts. The physician was terminated from the group on February 3, at which time his or her password was revoked. But the physician continued to access Griffin's PACS network using passwords of other employees without their knowledge from February 4 until March 5, the hospital said.

The radiologist scanned the PACS directory listings of 957 patients who had radiology studies performed at the hospital during the month after being terminated, and downloaded image data from 339 of the patients, according to a hospital statement.

The downloaded files included patients' name, birth date, gender, age, medical record number, and dates and descriptions of examinations. Social Security numbers and financial information were not included in the accessed files.

The breach came to light February 26 after patients started calling the hospital saying they had received unsolicited phone calls from the radiologist, who was offering services at a different hospital in the area.

In a telephone interview with, hospital vice president Bill Powanda said the radiology group, which he declined to name, no longer has a contract with the hospital. But he refused to say if it expired or it was terminated by the hospital in the wake of the breach.

"This breach appears to have been a deliberate intrusion into Griffin's [PACS] system to view patient radiology reports," hospital president Patrick Charmel said in a statement.

Blumenthal called the breach "deeply disturbing" and pledged to use the federal HIPAA law to "seek strong and significant sanctions," according to a statement released by his office.

Other hospitals may want to review their security measures in the wake of the extensive breach of confidential medical records, according to PACS consultant Michael Cannavo of Image Management Consultants of Winter Springs, FL.

"The question is really going to be: What level of responsibility does the hospital bear for the security breach?" observed Cannavo. "[The radiologist] was able to get access, so it's the hospital's fault."

Cannavo noted that fines and penalties can be assessed against both the hospital and the scofflaw radiologist.

Civil penalties for HIPAA violations range from $1,000 to $50,000 per violation. Criminal penalties for offenses committed with the "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm" can result in a $250,000 fine and up to 10 years in prison.

By Donna Domino contributing writer
March 31, 2010

Related Reading

Firm: Hacker attacks on HIT doubled in Q4, February 2, 2010

Conficker worm invades U.K. hospital IT network, January 29, 2010

HIMSS Survey: Hospitals not ready to protect electronic records, November 12, 2009

FDA issues cybersecurity reminder, November 9, 2009

Conficker worm highlights PACS cybersecurity issues, June 2, 2009

Copyright © 2010

Page 1 of 775
Next Page