The U.S. Department of Health and Human Services has reached a $350,000 settlement with Northeast Radiology over HIPAA Security Rule violations following a breach that exposed the electronic protected health information of nearly 300,000 patients.
On April 10, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. (NERAD) following a breach involving the protected health information of nearly 300,000 individuals. The settlement stems from violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule tied to a security lapse on NERAD’s Picture Archiving and Communication System (PACS), the server used to store and retrieve radiology images.
According to a breach report submitted by NERAD in March 2020, unauthorized individuals accessed unsecured electronic protected health information (ePHI) between April 2019 and January 2020. The OCR investigation concluded that NERAD had not conducted a proper risk analysis, a key requirement under the HIPAA Security Rule designed to safeguard ePHI.
As part of the resolution agreement, NERAD will pay $350,000 and adopt a comprehensive corrective action plan that will be monitored by the OCR for the next two years. This includes:
OCR Acting Director Anthony Archeval emphasized the need for risk analysis in maintaining HIPAA compliance: “A HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it. A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”
The resolution agreement further outlines the obligations and terms Northeast Radiology, P.C. (NERAD) has committed to under the settlement:
Finally, the agreement includes a provision tolling the statute of limitations to ensure that potential civil monetary penalties related to the covered conduct can still be pursued if NERAD breaches the agreement during the monitoring period.
The HIPAA Security Rule mandates that covered entities and their business associates implement administrative, physical, and technical safeguards to protect ePHI. One of the core requirements—the “Risk Analysis” provision—requires organizations to assess risks and vulnerabilities to ePHI across their systems. OCR’s investigation revealed that NERAD failed to carry out this essential analysis, leaving the PACS server vulnerable to unauthorized access.
This enforcement marks the sixth action in OCR’s ongoing Risk Analysis Initiative, which aims to ensure compliance with foundational cybersecurity requirements in health care.
The enforcement action against Northeast Radiology sends a clear message to all HIPAA covered entities and business associates: noncompliance with the Security Rule, particularly its Risk Analysis provision, can have serious financial and reputational consequences. It also underscores OCR’s ongoing commitment to strengthening cybersecurity in healthcare and protecting patient privacy as the threat landscape evolves.
Failure to comply with HIPAA can lead to civil monetary penalties, corrective action plans, reputational damage, and in some cases, criminal charges. The Office for Civil Rights (OCR) enforces HIPAA and investigates reported violations and breaches.
HIPAA applies to covered entities, including health plans, healthcare clearinghouses, and most healthcare providers, as well as their business associates who handle protected health information on their behalf.
A Corrective Action Plan is a set of steps that an organization agrees to implement to address HIPAA compliance deficiencies identified during an OCR investigation. CAPs often include measures like updated policies, staff training, and regular audits.