Radiology Associates of Richmond Breach Exposes 266,183 Patients, Triggers Class Action Inquiry
Details on the 2025 RAR breach affecting 266,183 individuals, timeline, impact, and actionable steps for defenders to prevent similar attacks.

TL;DR: Radiology Associates of Richmond confirmed that an unauthorized intrusion around July 25 2025 exposed the personal and protected health information of 266,183 individuals. Notifications began May 21 2026 after an investigation finished April 6 2026, and a class‑action inquiry is now underway.
Context
Radiology Associates of Richmond (RAR) operates a single office in Virginia and partners with seven hospitals and three imaging centers in the Richmond area. The practice disclosed the breach on its website after engaging cybersecurity experts to investigate suspicious activity. A prior incident in 2024 affected more than 1.4 million people, highlighting a pattern of security challenges for the organization.
Key Facts
- The investigation, completed on April 6 2026, determined that files containing protected health information were accessed without authorization on or around July 25 2025.
- Exposed data may include names, Social Security numbers, medical records, financial account codes, and credit or debit card details.
- RAR began notifying affected individuals on May 21 2026 using the contact information on file.
- The breach prompted attorneys from ClassAction.org to seek input from potentially harmed patients for a possible class‑action lawsuit.
What It Means
For patients, the exposure raises risks of identity theft, medical fraud, and financial misuse. For RAR, the incident could lead to regulatory scrutiny under HIPAA, potential civil penalties, and reputational damage. The ongoing class‑action review may result in monetary compensation for affected individuals and compel the provider to strengthen its safeguards.
What Defenders Should Do
Defenders can reduce the likelihood of similar incidents by adopting these controls:
- Enforce multi‑factor authentication on all remote access points and privileged accounts (MITRE ATT&CK T1078).
- Segment networks containing electronic health records and monitor for anomalous file access using SIEM rules tuned to T1059 (Command‑Line Interpreter) and T1021 (Remote Services).
- Apply the latest security patches for VPN and email gateways; review CVE‑2024‑21312 (example) if applicable to your stack.
- Conduct regular phishing simulations and user training to reduce credential theft likelihood.
- Maintain an up‑to‑date incident response plan that includes timely forensic engagement and patient notification within regulatory windows.
What to watch next
Monitor the outcome of the class‑action investigation, any HIPAA enforcement actions by HHS, and RAR’s public remediation roadmap over the next six months.