A Florida radiology group is notifying patients nearly a year after hackers accessed and stole sensitive health data.
What happened
Doctors Imaging Group, a radiology practice with locations in Palatka and Gainesville, Florida, has confirmed that a cybersecurity breach in November 2024 exposed the personal and medical information of over 171,000 individuals. The breach, which occurred between November 5 and 11, 2024, was not disclosed until nearly a year later, following the completion of a detailed investigation in August 2025.
The organization notified the U.S. Department of Health and Human Services (HHS) of the breach and began contacting impacted individuals. Stolen data includes names, addresses, dates of birth, Social Security numbers, financial and patient account numbers, medical record numbers, treatment history, insurance details, and medical claims information.
Going deeper
Doctors Imaging Group has not confirmed whether the attack involved ransomware, and no known threat actor has publicly claimed responsibility. The breach notice posted to the practice’s website does not provide technical details about how the attackers gained access or what security measures were in place at the time.
While the number of affected individuals is large, similar breaches in the healthcare sector, such as those recently reported by Medical Associates of Brevard, Wayne Memorial Hospital, and Healthcare Services Group, have impacted even larger populations. These incidents reflect ongoing vulnerabilities in healthcare data security, especially among smaller or mid-sized providers.
What was said
Doctors Imaging Group stated it has taken steps to improve its cybersecurity posture but did not elaborate on the measures taken since the incident. The organization completed its review of the affected data in August 2025, indicating that a lengthy analysis process delayed notification to patients.
As of early October, there is no evidence that the stolen data has been published or used in further criminal activity, though the risk remains due to the sensitive nature of the compromised information.
The big picture
According to Paubox’s 2025 Mid-Year Email Breach Report, smaller and mid-sized healthcare providers continue to face some of the highest cybersecurity risks in the industry. The report found that limited in-house resources and heavy reliance on third-party vendors leave these organizations more exposed to email-based and network intrusions. Breaches involving tens or even hundreds of thousands of records are becoming increasingly common, showing that the threat extends well beyond large hospital systems.
FAQs
Why was there such a long delay in notifying affected individuals?
Organizations often take months to review impacted files and confirm the individuals affected. In this case, the investigation concluded in August 2025, nearly nine months after the breach.
Is there any evidence that the stolen data has been misused?
As of now, no public reports indicate misuse of the stolen data, but given the sensitivity of the information, affected individuals are advised to monitor their financial and medical accounts for suspicious activity.
What types of healthcare entities are most vulnerable to breaches?
Smaller or mid-sized providers like radiology groups often face resource constraints that limit their ability to implement advanced cybersecurity defenses, making them frequent targets.
Are healthcare organizations legally required to report data breaches?
Yes. Under HIPAA, covered entities must report breaches affecting 500 or more individuals to HHS and notify affected individuals without unreasonable delay.
What steps can patients take if their information was involved in a breach?
Patients can consider placing fraud alerts, monitoring credit reports, requesting explanations of medical benefits (EOBs) from their insurer, and using any credit monitoring services offered by the breached organization.
Farah Amod
