Doctors Imaging Group reports data breach impacting over 171K
Caitlin Anthoney Oct 7, 2025 12:17:05 PM

Doctors Imaging Group (DIG) recently confirmed a cyber incident that may have exposed the personal and health information of 171,862 patients and individuals connected to the organization. The attack involved unauthorized access to DIG’s systems between November 5 and November 11, 2024.
What happened
DIG detected suspicious activity within its computer network in November 2024, which led to an immediate investigation. The review revealed that unknown actors gained access to the network and copied files containing personal and medical data. After months of assessment, DIG completed its file review on August 29, 2025, confirming the potential scope of exposure.
The healthcare provider responded by securing its systems, engaging federal law enforcement, and reviewing internal cybersecurity policies. DIG is also implementing new security tools to strengthen defenses. While the company has not seen evidence of fraud or misuse, the exposure of sensitive information presents risks for affected individuals.
Going deeper
The compromised records may have contained names, phone numbers, health information, medical records, and other personally identifiable information (PII). Disclosures of this kind are especially damaging in the healthcare sector because combined personal and medical records are highly valuable to cybercriminals.
Such data is frequently used for identity theft, insurance fraud, and other forms of misuse. To help safeguard those affected, DIG is offering free identity monitoring services through Kroll, giving individuals a way to watch for potential misuse of their data.
What was said
The DIG public notice states, “In general, individuals should remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanation of benefits statements, and monitoring free credit reports for suspicious activity and to detect errors. Suspicious activity should be promptly reported to relevant parties, including an insurance company, healthcare provider, and/or financial institution.”
In the know
The Doctors Imaging Group incident is part of a broader trend where imaging providers and smaller healthcare organizations face increasingly severe consequences from cybersecurity failures.
The recent case of Vision Upright MRI, a small California-based radiology provider, illustrates these risks vividly. The breach exposed the protected health information (PHI) of over 21,000 individuals after attackers gained access to its medical imaging server.
While the organization paid a relatively modest fine of $5,000, the hidden costs were far greater. The settlement mandated two years of monitoring by the Office for Civil Rights (OCR) and comprehensive compliance overhauls.
For comparison, the average cost of a healthcare data breach reached $11 million in 2025, up from $9.8 million, making healthcare the most expensive industry for data breaches for 14 consecutive years. Class action settlements, such as Solara Medical Supplies’ $9.76 million case, underscore the escalating financial exposure.
In addition to financial penalties, breaches disrupt daily operations and strain already limited staff resources. Cyberattacks can take down critical systems, forcing providers to fall back on paper records, delay care, and reschedule appointments. At small practices, diverting IT and compliance staff to audit and recovery work increases pressure on everyone else, and under pressure personnel tend to bypass secure systems in the name of efficiency, raising risk further.
At the same time, the release of medical information erodes patient trust and undermines the physician–patient relationship. OCR Director Melanie Fontes Rainer has stated that patients must be able to trust that their data is safe in order to feel safe receiving treatment. The Vision Upright MRI case demonstrates that even small imaging groups, which routinely operate as business associates, are subject to the same regulatory and reputational scrutiny as large health systems.
Furthermore, cybercriminals are targeting these smaller institutions more often because they lack the resources of large hospitals, yet the patient care and legal ramifications are no less severe.
The bottom line
Although DIG has taken steps to secure its network and provide patients with resources, the breach shows the ongoing danger posed by healthcare cyberattacks. Patients must remain vigilant by monitoring their accounts, checking credit reports, and enrolling in the identity monitoring services offered.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
What are the penalties for violating HIPAA?
As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability. Tier 1 penalties apply to unintentional violations ($141–$35,581), while Tier 2 covers breaches due to reasonable cause ($1,424–$71,162). Tier 3 applies to willful neglect corrected within 30 days ($14,232–$71,162), and Tier 4 penalizes uncorrected willful neglect with the highest fines ($71,162–$2,134,831).
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.