Northeast Radiology, P.C. Faces Scrutiny for Potential Security Rule Violation

On April 10, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. This settlement is the 6th enforcement action under OCR’s Risk Analysis Initiative. The penalty? $350K.

The Breach that Launched the Investigation

In March 2020, Northeast Radiology, P.C. (NERAD) filed a breach report with the OCR. In its report, NERAD noted that an unauthorized party had access to its Picture Archiving and Communication System (PACS) between April 2019 and January 2020. The PACS storing radiology images was inadequately protected against potential risks and vulnerabilities, exposing the electronic protected health information (ePHI) of 298,532 patients.

The Investigation and OCR Risk Analysis Settlement

While investigating NERAD, OCR found that NERAD did not conduct an accurate and thorough risk analysis, thus leaving ePHI vulnerable to breaches. 

“A HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it,” said OCR Acting Director Anthony Archeval. “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”

To resolve the potential HIPAA Security Rule violation, NERAD agreed to pay $350,000 and implement a corrective action plan, and it is subject to two years of OCR monitoring.

Under these terms, NERAD must:

  • Conduct an accurate and thorough risk analysis
  • Develop and implement a risk management 
  • Develop and implement a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
  • Develop written policies and procedures to comply with the HIPAA Rules
  • Augment its existing HIPAA and security training program to all staff who have access to PHI
