The Lexington, Kentucky-based radiological imaging provider recently provided a notice of a data breach to the Vermont Attorney General.
According to a website post by Central Kentucky Radiology (CKR), the organization first became aware of a network disruption on October 18th, 2024. Once the disruption was discovered, CKR immediately began an investigation that determined an unauthorized actor had accessed and copied files between October 16th and October 18th, 2024.
On May 7th, CKR completed a review to determine what information was impacted. Data accessed or copied included names, addresses, Social Security numbers, dates of birth, dates of medical services, and medical service charges. Currently, CKR does not have any evidence that information has been misused.
According to CKR’s report to the Department of Health and Human Services, the breach impacted 166,953 individuals.
CKR stated that it has sent, or will send, letters to impacted individuals for whom it has contact information. The organization is also providing complimentary credit monitoring services to those whose Social Security number or payment card information was involved in the breach.
Only those who have a current address on file with CKR will receive a letter. With more than 100,000 individuals affected, it is likely that some will never learn they were impacted. People who do not know they were part of a breach cannot take the basic protective steps, such as watching their credit reports, placing a credit freeze, or treating unexpected calls and emails with suspicion. Timely notification is essential, but it is hard to deliver when contact information is stale. Healthcare organizations should therefore verify patient contact information regularly, and when mailed notice cannot reach people, the HIPAA Breach Notification Rule requires substitute notice (for ten or more unreachable individuals, a conspicuous posting on the organization's website for 90 days or notice in major media, with a toll-free number), which is why a public website post like CKR's matters.
An organization may need to notify the Vermont Attorney General if any of its impacted patients are Vermont residents. State breach notification laws are triggered by the residence of the affected individuals, not by where the organization is located, and some states, Vermont and Maine among them, require any organization whose breach affects their residents to report it to the Attorney General, with no minimum number of residents before the obligation applies.
HIPAA is the federal regulation governing healthcare privacy and applies to covered entities and business associates nationwide; its Breach Notification Rule sets a floor, and state laws that are more stringent are not preempted, so organizations must generally follow whichever requirement is stricter. Because state laws follow the resident rather than the provider, a provider in one state that treats patients who live in another state must also comply with the notification requirements of those patients' home states.