Radiology Associates of Richmond Faces Investigation After 2025 Data Breach Exposes 266,000 Patient Records
Details on the 2025 Radiology Associates of Richmond breach affecting 266,000 patients, notification timeline, investigation, and recommended defender actions.

TL;DR
Radiology Associates of Richmond disclosed in May 2026 that an intrusion in July 2025 exposed personal and health data of 266,000 patients. A law firm is now investigating the incident for potential legal action.
Context
Radiology Associates of Richmond (RAR) operates imaging centers across central Virginia, providing X‑ray, CT, MRI, and interventional services to a large patient base. The practice stores extensive protected health information (PHI) required for diagnosis and billing. On or around July 25, 2025, an unauthorized actor gained access to RAR’s network and copied data belonging to current and former patients. The organization did not send individual notice letters until May 21, 2026, nearly ten months after the intrusion was discovered.
Key Facts
- Approximately 266,000 individuals had personal identifiers such as name, date of birth, address, and medical details potentially compromised.
- The breach was identified internally; RAR has not publicly disclosed the initial attack vector or whether malware was deployed.
- Schubert Jonckheer & Kolbe LLP began a legal investigation after receiving reports of the exposure, focusing on whether RAR failed to implement reasonable safeguards under HIPAA and state privacy laws.
- No ransom note or public extortion demand has been reported, suggesting the actor may have exfiltrated data for illicit sale or identity theft.
What It Means
The incident highlights the continued risk to healthcare providers that retain large volumes of PHI. Delayed notification extends the window during which affected individuals could suffer fraud or medical identity theft. Regulatory scrutiny may increase, potentially resulting in fines under HIPAA’s Breach Notification Rule or civil settlements. Patients should monitor credit reports and consider placing fraud alerts, while RAR must improve detection and response capabilities to avoid recurrence.
What Defenders Should Do
- Enforce multi‑factor authentication on all remote access points and review privileged account usage (MITRE ATT&CK T1078).
- Apply the latest patches to VPN and web‑facing services; monitor for exploitation of known vulnerabilities such as CVE‑2023‑28252 (Citrix ADC) and CVE‑2022‑22965 (Spring4Shell) as representative examples.
- Deploy network segmentation to isolate PHI servers from general IT infrastructure, limiting lateral movement (T1021).
- Enable centralized logging with alerts for anomalous login attempts and large data transfers (T1041).
- Conduct regular phishing simulations and endpoint detection and response (EDR) tuning to catch credential theft early.
- Review and update incident response plans to ensure notification timelines meet the 60‑day requirement under HIPAA.
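As an added illustration (not code from the article or from RAR), the following Python snippet implements two of the alerts recommended above over constructed log lines: a run of failed logins from one source that ends in success, and an outbound transfer volume from a PHI host that exceeds a threshold (T1041). The log formats, the 10.0.0.0/8 internal range, the sample addresses and the thresholds are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed PHI/LAN address range

# Constructed auth log (not from the incident): "timestamp user source_ip result"
AUTH_LOGS = """\
2025-07-25T02:10:01 jdoe 203.0.113.7 FAIL
2025-07-25T02:10:09 jdoe 203.0.113.7 FAIL
2025-07-25T02:10:17 jdoe 203.0.113.7 FAIL
2025-07-25T02:10:26 jdoe 203.0.113.7 FAIL
2025-07-25T02:10:34 jdoe 203.0.113.7 FAIL
2025-07-25T02:11:02 jdoe 203.0.113.7 SUCCESS
2025-07-25T08:30:00 asmith 10.20.0.50 FAIL
2025-07-25T08:30:20 asmith 10.20.0.50 SUCCESS"""
# Constructed flow log (not from the incident): "timestamp src_ip dst_ip bytes"
FLOW_LOGS = """\
2025-07-25T03:02:11 10.20.0.15 198.51.100.44 209715200
2025-07-25T03:05:00 10.20.0.16 198.51.100.9 5242880
2025-07-25T03:07:00 10.20.0.15 10.20.0.200 2147483648
2025-07-25T03:15:40 10.20.0.15 198.51.100.44 367001600
2025-07-25T03:29:05 10.20.0.15 198.51.100.44 125829120"""

def failed_login_bursts(log_text, max_fail=5, window_s=300):
    """(user, src) pairs that logged in after >= max_fail failures inside window_s."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        by_key[(user, src)].append((datetime.fromisoformat(ts), result))
    alerts = set()
    for key, seq in by_key.items():
        recent = []  # failure timestamps still inside the sliding window
        for ts, result in sorted(seq):
            recent = [t for t in recent if (ts - t).total_seconds() <= window_s]
            if result == "FAIL":
                recent.append(ts)
            elif len(recent) >= max_fail:
                alerts.add(key)  # a guessing run that finally worked
    return alerts

def large_outbound_transfers(log_text, threshold_bytes=500_000_000):
    """Sum bytes per (src, dst) pair leaving INTERNAL; flag totals over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        _ts, src, dst, nbytes = line.split()
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL):
            continue  # intra-LAN traffic is not exfiltration to the Internet
        totals[(src, dst)] += int(nbytes)
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}
```

Both functions aggregate per source before alerting, so a single large copy and a series of smaller ones over half an hour are treated the same way; in production the thresholds would be tuned per host role rather than fixed globally.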
Watch for the outcome of the Schubert Jonckheer & Kolbe investigation and any forthcoming regulatory actions or settlement negotiations that could shape future cybersecurity expectations for medical imaging providers.