Vision Upright MRI fined $25K

Missing risks can tumble your organization

OCR Settlement with Vision Upright MRI: The Risk of Unsecured PACS Servers

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI LLC (VUM) after finding that the medical imaging provider exposed patient information online through an unsecured Picture Archiving and Communication System (PACS) server.

This case serves as another reminder that failing to secure medical imaging systems, or to perform a HIPAA-compliant risk analysis, can result in costly investigations, corrective action plans, and long-term monitoring by federal regulators.

How the Breach Happened

VUM operated a PACS server used to store and share diagnostic images such as MRIs, CT scans, and X-rays. OCR received reports that this server allowed public access to patients’ protected health information (PHI), including images, metadata, and identifying details.

On December 1, 2020, OCR notified VUM of a formal investigation into potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. The inquiry focused on whether VUM had conducted proper risk assessments, secured its systems, and met notification deadlines required after discovering a breach.

OCR’s Findings

OCR determined that Vision Upright MRI:

  • Failed to conduct a HIPAA risk analysis — VUM had never performed an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), violating 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Failed to issue timely breach notifications — The organization did not notify affected individuals within 60 days of discovering the exposure, violating 45 C.F.R. § 164.404(a).

These lapses demonstrated that VUM lacked essential safeguards and incident-response procedures required under the HIPAA Security Rule.

Settlement Terms and Corrective Actions

As part of the settlement, VUM agreed to pay the $25,000 resolution amount and implement a comprehensive Corrective Action Plan (CAP) overseen by OCR. The CAP requires the practice to:

  • Conduct a full organization-wide risk analysis, including vulnerability scans and penetration testing.
  • Develop a risk management plan to mitigate identified security gaps.
  • Update and distribute HIPAA Privacy, Security, and Breach Notification policies to all workforce members.
  • Provide annual HIPAA training for all staff with access to ePHI.
  • Investigate and report workforce noncompliance events on a quarterly basis.
  • Submit annual compliance reports to OCR and retain related documentation for six years.

This agreement is binding on VUM and its successors, emphasizing OCR’s expectation that covered entities maintain compliance over time—not just during the settlement period.

Lessons for Healthcare Providers and Business Associates

The VUM case highlights several key takeaways for any healthcare organization that handles PHI:

  1. Unsecured PACS servers are a known risk.
    Imaging systems frequently store and transmit PHI yet are often overlooked in IT risk analyses. Ensure every device and data repository is included in your risk inventory and tested for vulnerabilities.
  2. Risk analysis is not optional.
    HIPAA requires ongoing, accurate, and thorough assessments. This is not a one-time checkbox. Document each risk analysis, update it annually, and link findings directly to your risk-management plan.
  3. Breach notifications must be timely.
    Delays beyond 60 days can lead to enforcement actions. Have an incident-response plan ready so you can notify affected individuals and OCR within the required window.
  4. Policies and training are the front line of compliance.
    Workforce awareness is critical. Staff who access PHI must understand how to handle data securely and report potential issues immediately.
  5. OCR oversight can last years.
    Corrective Action Plans often require multi-year reporting and documentation retention. Establishing compliance habits early reduces disruption and risk later.

Summary

This settlement underscores a critical lesson: a thorough, documented risk analysis, an active risk management plan, and appropriate policies and procedures are essential to preventing data breaches. The investigation and corrective action process is long and grueling, and it could easily have been avoided.

HIPAA Keeper™ by Aris Medical Solutions simplifies compliance with:

  • Built-in risk analysis and management plans
  • Customizable policies and procedures
  • Workforce training tracking and certificates
  • Secure Breach Notification and Incident Response forms

Stay ahead of OCR investigations—protect your patients, your reputation, and your practice.

Don’t leave patient data exposed.

Schedule your HIPAA Risk Analysis with Aris Medical Solutions today.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who are educated in why and what needs to be done to protect their practice have better outcomes.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not optional; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws, and the state’s attorney general may also investigate privacy violations!
