HIPAA Violations = Federal Action Against MRI Provider

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a settlement with Vision Upright MRI, a small healthcare provider in California, following serious HIPAA violations involving the exposure of over 21,000 patients’ medical images. The breach stemmed from an unsecured Picture Archiving and Communication System (PACS) server that stored electronic protected health information (ePHI).

OCR launched its investigation after learning of unauthorized access to the server by a third party. During the review, it was revealed that Vision Upright MRI had never conducted a HIPAA risk analysis, a core requirement under the HIPAA Security Rule. The provider also failed to notify the 21,778 affected individuals within the 60-day timeframe mandated by the Breach Notification Rule.

To resolve these violations, Vision Upright MRI agreed to pay $25,000 and adopt a Corrective Action Plan, which includes two years of federal oversight. Key steps required under the plan include:

  • Issuing proper breach notifications to individuals, HHS, and the media
  • Conducting and submitting a comprehensive risk analysis covering all systems that store or transmit ePHI
  • Implementing a risk management plan to address vulnerabilities
  • Creating and updating HIPAA-compliant policies and procedures
  • Training all staff with access to ePHI

OCR emphasized that cybersecurity is not just a large-provider problem. “Small providers also must conduct accurate and thorough risk analyses,” said OCR Acting Director Anthony Archeval.

This case underscores the need for all HIPAA-covered entities—regardless of size—to take proactive measures to secure patient data. OCR recommends identifying where ePHI resides, encrypting data, enforcing access controls, and providing ongoing HIPAA training.

For organizations handling protected health information, failure to comply with HIPAA can lead not only to fines but also to reputational damage and federal scrutiny. Don’t wait for a breach to act.

Read more about the settlement here:
Vision Upright MRI HIPAA Settlement


Topgallant Partners