A Virginia-based radiology group is notifying over a million patients after confirming unauthorized access to its systems in 2024.
What happened
Radiology Associates of Richmond (RAR) has disclosed a data breach that impacted approximately 1.42 million individuals. The incident, now ranked among the top five largest health data breaches of 2025 so far, involved unauthorized access to RAR’s network systems over a four-day period from April 2 to April 6, 2024.
RAR confirmed that the breach involved sensitive patient data but has found no evidence of misuse to date. The affected information may include names, dates of birth, email addresses, Social Security numbers, account and routing numbers, medical records, and health insurance information.
Going deeper
RAR provides imaging and diagnostic services at seven hospitals in central Virginia and operates three outpatient imaging centers. The hospitals include Chippenham Medical Center, Johnston-Willis Hospital, and several Henrico Doctors’ Hospital locations. Outpatient centers include Chesterfield Imaging Center and Appomattox Imaging Center.
The organization did not indicate when the breach was discovered but said it acted immediately to contain the threat and secure its environment. RAR engaged third-party cybersecurity experts to assess the situation and help determine the scope of compromised data.
The breach notice states that RAR has no indication that any personal information has been misused. However, several federal class action lawsuits have already been proposed in response to the incident.
What was said
RAR stated in its notice that it took prompt action once the breach was identified, including working with cybersecurity professionals and enhancing internal protections. The group has not publicly disclosed the method of attack, whether data was exfiltrated, or if a ransom demand was involved. As of now, RAR has not responded to requests for further details or clarification.
The big picture
The breach at Radiology Associates of Richmond affects over 1.4 million individuals and ranks among the largest healthcare data exposures of the year. With names, Social Security numbers, and medical records potentially involved, the incident has already prompted multiple proposed class action lawsuits. While no misuse has been reported, the scale of the breach and limited public details about how it occurred have drawn scrutiny. RAR’s delayed disclosure and lack of technical transparency indicate the ongoing challenges in breach response and communication.
FAQs
Why are radiology groups like RAR vulnerable to cyberattacks?
Radiology practices handle large volumes of detailed medical and financial data, and often have complex systems connected across multiple facilities, making them attractive and potentially easier targets for cybercriminals.
How long after the breach did RAR begin notifying patients?
While the breach occurred in April 2024, notifications and regulatory reporting became public in July 2025. The timeline between discovery and disclosure has not been specified.
What kinds of support might affected patients expect to receive?
Organizations experiencing breaches often offer credit monitoring, identity theft protection, and informational resources. RAR has not publicly confirmed what support, if any, it is providing.
What legal risks could RAR face following this breach?
RAR is already facing several proposed class action lawsuits, which could lead to financial penalties or settlements if claims of negligence or harm are substantiated in court.
Can patients take steps to protect their data following this breach?
Yes. Affected individuals can monitor their credit reports, consider placing fraud alerts or credit freezes, and remain alert for phishing or scam attempts that may use compromised personal information.
Farah Amod
