OCR Settlement with Vision Upright MRI: The Risk of Unsecured PACS Servers
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI LLC (VUM) after finding that the medical imaging provider exposed patient information online through an unsecured Picture Archiving and Communication System (PACS) server.
This case serves as another reminder that failing to secure medical imaging systems, or to perform a HIPAA-compliant risk analysis, can result in costly investigations, corrective action plans, and long-term monitoring by federal regulators.
How the Breach Happened
VUM operated a PACS server used to store and share diagnostic images such as MRIs, CT scans, and X-rays. OCR received reports that this server allowed public access to patients’ protected health information (PHI), including images, metadata, and identifying details.
On December 1, 2020, OCR notified VUM of a formal investigation into potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. The inquiry focused on whether VUM had conducted proper risk assessments, secured its systems, and met notification deadlines required after discovering a breach.
OCR’s Findings
OCR determined that Vision Upright MRI:
- Failed to conduct a HIPAA risk analysis — VUM had never performed an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), violating 45 C.F.R. § 164.308(a)(1)(ii)(A).
- Failed to issue timely breach notifications — The organization did not notify affected individuals within 60 days of discovering the exposure, violating 45 C.F.R. § 164.404(a).
These lapses demonstrated that VUM lacked essential safeguards and incident-response procedures required under the HIPAA Security Rule.
Settlement Terms and Corrective Actions
As part of the settlement, VUM agreed to pay the Resolution Amount and implement a comprehensive Corrective Action Plan (CAP) overseen by OCR. The CAP requires the practice to:
- Conduct a full organization-wide risk analysis, including vulnerability scans and penetration testing.
- Develop a risk management plan to mitigate identified security gaps.
- Update and distribute HIPAA Privacy, Security, and Breach Notification policies to all workforce members.
- Provide annual HIPAA training for all staff with access to ePHI.
- Investigate and report workforce noncompliance events on a quarterly basis.
- Submit annual compliance reports to OCR and retain related documentation for six years.
This agreement is binding on VUM and its successors, emphasizing OCR’s expectation that covered entities maintain compliance over time—not just during the settlement period.
Lessons for Healthcare Providers and Business Associates
The VUM case highlights several key takeaways for any healthcare organization that handles PHI:
- Unsecured PACS servers are a known risk. Imaging systems frequently store and transmit PHI yet are often overlooked in IT risk analyses. Ensure every device and data repository is included in your risk inventory and tested for vulnerabilities.
- Risk analysis is not optional. HIPAA requires ongoing, accurate, and thorough assessments. This is not a one-time checkbox. Document each risk analysis, update it annually, and link findings directly to your risk-management plan.
- Breach notifications must be timely. Delays beyond 60 days can lead to enforcement actions. Have an incident-response plan ready so you can notify affected individuals and OCR within the required window.
- Policies and training are the front line of compliance. Workforce awareness is critical. Staff who access PHI must understand how to handle data securely and report potential issues immediately.
- OCR oversight can last years. Corrective Action Plans often require multi-year reporting and documentation retention. Establishing compliance habits early reduces disruption and risk later.
Summary
This settlement underscores a critical lesson: a thorough, documented risk analysis, an active risk management plan, and appropriate policies and procedures are essential to preventing data breaches. The investigation and corrective action process is long and grueling, and it could easily have been avoided.
HIPAA Keeper™ by Aris Medical Solutions simplifies compliance with:
- Built-in risk analysis and management plans
- Customizable policies and procedures
- Workforce training tracking and certificates
- Secure Breach Notification and Incident Response forms
Stay ahead of OCR investigations—protect your patients, your reputation, and your practice.
Don’t leave patient data exposed.
Schedule your HIPAA Risk Analysis with Aris Medical Solutions today.