Posted On October 12, 2022 Consumer Privacy & Data Breaches
On September 2, 2022, Buffalo MRI by Windsong Radiology reported a data breach to the Attorney General of Montana after the company experienced a “security incident” that compromised patient information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, physician names, dates of service, and information related to the receipt of radiology services. After confirming that consumer data was leaked, Buffalo MRI began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Buffalo MRI data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Buffalo MRI by Windsong Radiology.
The available information regarding the Buffalo MRI breach comes from the company’s filing with the Attorney General of Montana. According to the AG’s “Reported Data Breach Incidents” page, on December 24, 2021, Buffalo MRI identified a security incident that impacted the functionality of the company’s computer system. In response, Buffalo MRI secured its network, reported the incident to law enforcement, and then enlisted an outside cybersecurity firm to help with the company’s investigation.
As a result of this investigation, it was confirmed that an unauthorized party had gained access to the company’s IT network between December 17 and December 24, 2021. It was also revealed that the portion of the network that was accessible to the unauthorized party contained sensitive patient information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Buffalo MRI began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, date of birth, Social Security number, health insurance information, medical record number, patient account number, physician name, dates of service, and information related to any radiology services you received from Buffalo MRI.
On September 2, 2022, Buffalo MRI sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Buffalo MRI by Windsong Radiology is a healthcare provider based in Buffalo, New York. The company provides a range of imaging services, including breast cancer screening, MRI services, CT scan services, biopsies, pediatric services, screening services, ultrasound, women’s imaging, X-ray, fluoroscopy & bone density. Buffalo MRI is owned by Windsong Radiology, a larger medical imaging company that is also based in Buffalo, New York. Buffalo MRI employs more than 64 people and generates approximately $13 million in annual revenue. Buffalo MRI’s parent company, Windsong Radiology, employs roughly 302 people and generates $37 million in revenue each year.
We know that the Buffalo MRI data breach affected sensitive patient information, including patients’ names, addresses, birth dates, Social Security numbers, health insurance information, medical record numbers, patient account numbers, physician names, and other healthcare-related information. While the company didn’t use the term protected health information (“PHI”) to refer to the leaked data, it appears that the data compromised as a result of the recent breach falls within the definition of PHI under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Protected health information is any healthcare data that relates to a patient’s past or current health condition or how a patient pays or plans to pay for their healthcare. Doctors collect and use PHI to determine the appropriate treatment for patients, as well as for billing purposes. For example, blood tests or CT scan results, details about an insurance claim, or a list of a patient’s current medications can all be considered protected health information.
However, healthcare-related data is not always considered protected. Under HIPAA, healthcare-related data is PHI if it contains one or more identifiers. Thus, if test results were leaked but did not contain an identifier, there would be no way for anyone to connect those results to the patient, and the data would not be considered PHI.
An identifier is an additional piece of information included along with the breached data that allows someone to match the data to a specific patient. Common identifiers include patients’ names, email addresses, physical addresses, photographs, fingerprints, or Social Security numbers. Thus, from a patient’s perspective, the fact that data is considered protected health information means that anyone who comes into possession of the leaked data will have sufficient information to carry out healthcare identity fraud.
Healthcare identity theft is similar to other types of identity theft in that it involves an unauthorized person fraudulently using another’s data for their own benefit. However, healthcare ID fraud is not only typically much more difficult to resolve than other types of identity theft, but it can also put patients’ physical health at risk. For example, cybercriminals will often sell stolen protected health information on the dark web. The person who buys the data likely does so because they are looking to obtain medical care in your name. Pretending to be you, they go to the doctor to receive treatment, giving the provider your insurance information.
When the doctor asks the fake patient for any relevant information, the “patient” provides the doctor with their own information to ensure they receive the appropriate treatment. This can result in a situation where your medical record contains inaccurate information when you go to the doctor for treatment.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Buffalo MRI data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Buffalo MRI by Windsong Radiology (the actual notice sent to consumers can be found here):
Buffalo MRI by Windsong Radiology takes seriously the confidentiality and security of our patients’ information. Regrettably, we recently determined that some of your information was involved in a security incident. We have no evidence of fraud or misuse of your information as a result of this incident. However, we are providing information about the incident, the steps we have taken to respond, and the resources we are making available to you.
On December 24, 2021, we identified a security incident that impacted systems that contained our patient information. We immediately initiated our incident response process, notified law enforcement, and began an investigation with the assistance of a forensic firm. The investigation determined that between December 17 and December 24, 2021, an unauthorized party gained access to our network.
What Information Was Involved:
The information that may have been accessed included your name, and may have included your address, date of birth, Social Security number, [Redacted] health insurance information, medical record number, patient account number, physician name, date(s) of service, and/or information related to radiology services.
What We Are Doing:
The safety of your information is of utmost importance to us. To help prevent something like this from happening again, we are continuing to implement additional safeguards and enhancements to our information security, systems, and monitoring capabilities.
What You Can Do:
As a precaution, we are offering you a complimentary one-year membership to Equifax Credit Watch™ Gold. This product helps detect possible misuse of your personal information and provides you with identity protection support focused on immediate identification and resolution of identity theft. Equifax Credit Watch™ Gold is completely free to you and enrolling in this program will not hurt your credit score. For more information on steps you can take and instructions on how to activate your complimentary membership, please see the additional information provided in this letter.
For More Information:
We deeply regret that this incident occurred and for any concern this may cause you. We value your trust and confidence in us and look forward to continuing to serve you. If you have questions about the incident, please call the dedicated call center at 1-855-604-1852, Monday through Friday, between 9:00 a.m. and 9:00 p.m. Eastern Time.