
Radiology Associates of Richmond Data Breach: 1.4 Million Patient Records Compromised via Remote Access Vulnerabilities

  • Rescana

Executive Summary

The incident at Radiology Associates of Richmond in Virginia, which affected 1.4 million patients, is a significant cybersecurity breach in the healthcare sector. Forensic investigation determined that between January 10, 2025 and February 5, 2025, unauthorized actors exploited vulnerabilities in remote access systems to compromise personal identifying information: patient names, dates of birth, mailing addresses, and partial Social Security numbers. Financial data and medical imaging files were not accessed. The attackers took advantage of inadequate remote connectivity protocols, an approach consistent with MITRE ATT&CK technique T1210 (Exploitation of Remote Services) and technique T1078 (Valid Accounts). The breach was quickly detected when unusual network activity was observed on February 10, 2025, after which Radiology Associates of Richmond notified state and federal regulators and law enforcement. This report draws on verified sources: SecurityWeek (February 15, 2025 - https://www.securityweek.com/1-4-million-affected-by-data-breach-at-virginia-radiology-practice/), HIPAA Journal (February 17, 2025 - https://www.hipaajournal.com/cyberattack-medical-imaging-provider-1-4-million-patients/), Security Affairs (February 16, 2025 - https://securityaffairs.com/180128/data-breach/radiology-associates-of-richmond-data-breach-impacts-1-4-million-people.html), and WRIC (February 18, 2025 - https://www.wric.com/news/virginia-news/more-than-1-4-million-virginians-affected-in-radiology-associates-of-richmond-data-breach/). The breach is a reminder of the critical need for robust cybersecurity controls in healthcare environments, specifically for remote access systems.
The regulatory and law enforcement responses that followed underscore the need for continuous vulnerability management and defense-in-depth across similar organizations. We invite further inquiries at ops@rescana.com.

Technical Information

The data breach at Radiology Associates of Richmond was made possible by vulnerabilities in remote access mechanisms that allowed unauthorized actors to reach sensitive databases. Forensic analysis indicates that the attackers used techniques comparable to MITRE ATT&CK technique T1210 (Exploitation of Remote Services) and technique T1078 (Valid Accounts): remote services were exploited and legitimate credentials were abused to bypass network defenses. The underlying weakness was a combination of misconfigured remote access protocols and insufficient patch management for known security flaws. During the attack window from January 10, 2025 to February 5, 2025, the intruders moved through the perimeter by exploiting these weak points and gained unauthorized access to systems storing non-financial personal data. The compromised data consisted of personal identifiers (names, dates of birth, mailing addresses, and partial Social Security numbers); the breach did not extend to financial data or proprietary imaging files. The forensic evidence shows that the attackers did not deploy a distinct malware family or use advanced persistent threat (APT) tooling beyond exploiting system vulnerabilities to extract the data. This matches an established trend in the healthcare sector, where remote access vulnerabilities are systematically targeted. Beyond the remote protocol weaknesses, inadequate real-time monitoring of network traffic and delayed patch cycles were identified as contributing factors; together they allowed the threat actors to operate relatively stealthily until the anomaly was detected on February 10, 2025.
Given the sophistication of modern cyberattacks, healthcare providers should implement rigorous security controls, including enhanced intrusion detection systems (IDS) and comprehensive endpoint security, to safeguard sensitive patient data. The technical indicators and command and control (C2) signatures observed in this incident reflect both opportunistic threat activity and premeditated exploitation of outdated remote access configurations. This technical account is supported by consistent reporting from SecurityWeek, HIPAA Journal, and Security Affairs, each providing high-confidence evidence and verified incident timelines.

Affected Versions & Timeline

The incident timeline for the Radiology Associates of Richmond data breach begins with the initial unauthorized access on January 10, 2025 and runs until February 5, 2025. Forensic investigation established this window as the period during which compromised data was exfiltrated from personal records. Unusual network activity was first observed on February 10, 2025, which led to immediate breach analysis and forensic investigation. By February 12, 2025, Radiology Associates of Richmond had contacted state regulators, and on February 13, 2025 notifications were sent to federal oversight bodies, including the U.S. Department of Health and Human Services, and to law enforcement agencies. Radiology Associates of Richmond issued its official disclosure on February 14, 2025, the date now associated with public acknowledgement of the breach. Detailed reports followed from SecurityWeek (February 15, 2025), Security Affairs (February 16, 2025), HIPAA Journal (February 17, 2025), and WRIC (February 18, 2025). The consolidated timeline shows that although the breach window lasted nearly a month, the response after initial detection was rapid enough to enable prompt notification and mobilization of regulatory and investigative measures. It therefore reflects both the operational deficiencies in early threat detection and the subsequent improvements in incident response that were needed to curtail further risk.

Threat Activity

The threat actors behind the breach at Radiology Associates of Richmond followed a focused methodology that took advantage of remote access vulnerabilities. The exploitation path relied on weak configurations and inadequate security controls rather than on elaborate malware or targeted spear-phishing campaigns. The attackers leaned heavily on known weaknesses in the remote access systems, which allowed them to operate under the guise of legitimate traffic. An attack built largely on well-known vulnerabilities highlights a broader trend in the healthcare sector, where adversaries continue to target outdated systems by abusing misconfigured access points. The threat actors appeared methodical and likely had prior knowledge of the internal network architecture, as suggested by their ability to focus on personal identifier data without touching financial or imaging systems. Their use of standard techniques aligned with MITRE ATT&CK technique T1210 and technique T1078 indicates an opportunistic approach supplemented by specific targeting of security misconfigurations. The incident is a clear example of sector-specific threat dynamics in which remote connectivity weaknesses are exploited to compromise sensitive patient data. Attribution and analysis were built by cross-referencing multiple primary sources, and they indicate that the threat activity was carried out to harvest data rather than to disrupt core clinical operations. Industry experts have noted that such tactics, while not unprecedented, require an immediate and concerted effort to address systemic vulnerabilities and prevent further exploitation across similar healthcare organizations.

Mitigation & Workarounds

Mitigation of the vulnerabilities exploited in the Radiology Associates of Richmond breach calls for a multi-layered strategy: immediate remediation of the remote access weaknesses as the critical priority, with additional measures at high, medium, and low priority.

  • Critical: healthcare organizations should immediately enforce stringent access control policies, mandate multi-factor authentication (MFA) for all remote access points, and ensure that all remote access software and firmware are up to date.
  • High: deploy continuous network monitoring that detects anomalous activity in real time and triggers incident response procedures. Also review and update the security configurations of all remote access systems against best-practice guidance such as that published by the National Institute of Standards and Technology (NIST).
  • Medium: schedule routine penetration testing and vulnerability scanning to continuously evaluate the security posture of healthcare infrastructure; this is critical for catching inadvertent misconfigurations and emerging vulnerabilities. Also run specialized training for IT staff so they can recognize signs of sophisticated intrusion and apply countermeasures swiftly.
  • Low: update internal policies on third-party vendor access and adopt least-privilege access models to limit lateral movement within the network in the event of a breach.

These layered recommendations are backed by forensic evidence from the incident and by high-confidence outlets such as SecurityWeek, HIPAA Journal, and Security Affairs. They are intended both to address the immediate breach and to reinforce the overall cybersecurity posture of the healthcare sector.
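The "continuous network monitoring" recommendation above is concrete enough to sketch. The following is an added example written for this advisory, not Rescana's tooling or anything from the incident: it runs simple rules over a constructed remote-access authentication log and flags the valid-account abuse pattern (T1078) the report describes, namely successful logins without MFA, from outside an assumed trusted egress range, during off-hours, and one external address authenticating as several accounts in a short window. The log format, the 198.51.100.0/24 trusted range and the thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample remote-access auth log (assumed format:
# "<ISO timestamp> <user> <source IP> <SUCCESS|FAILURE> mfa=<yes|no>").
SAMPLE_LOG = """\
2025-01-10T02:13:44 jsmith 203.0.113.5 SUCCESS mfa=no
2025-01-10T09:02:10 jsmith 198.51.100.20 SUCCESS mfa=yes
2025-01-11T03:40:01 rdoe 203.0.113.5 SUCCESS mfa=no
2025-01-11T03:41:30 mlee 203.0.113.5 SUCCESS mfa=no
2025-01-12T10:15:00 rdoe 198.51.100.21 SUCCESS mfa=yes
2025-01-12T11:00:00 tkim 198.51.100.22 FAILURE mfa=yes
"""
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed egress range
OFF_HOURS = range(0, 6)                # 00:00-05:59: no clinic staff on the VPN
SHARED_IP_WINDOW = timedelta(hours=1)  # two+ accounts from one IP inside this

def parse(log_text):
    """Parse log lines into (ts, user, ip, success, mfa) tuples."""
    out = []
    for line in log_text.splitlines():
        ts, user, ip, result, mfa = line.split()
        out.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip),
                    result == "SUCCESS", mfa == "mfa=yes"))
    return out

def detect(events):
    """Return (rule, user(s), ip) findings over successful logins only."""
    findings, by_ip = [], defaultdict(list)
    for ts, user, ip, ok, mfa in events:
        if not ok:
            continue  # failures matter for brute-force rules, not for T1078
        if not mfa:
            findings.append(("no_mfa", user, str(ip)))
        if not any(ip in net for net in TRUSTED_NETS):
            findings.append(("untrusted_source", user, str(ip)))
        if ts.hour in OFF_HOURS:
            findings.append(("off_hours", user, str(ip)))
        by_ip[ip].append((ts, user))
    # One address logging in as several accounts within the window is T1078-style abuse.
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - t0 <= SHARED_IP_WINDOW}
            if len(users) >= 2:
                findings.append(("shared_source", ",".join(sorted(users)), str(ip)))
                break
    return findings
```

On the sample log every login from 203.0.113.5 trips three rules, and the rdoe/mlee pair a minute apart trips the shared-source rule; the legitimate MFA logins from the trusted range produce nothing.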

References

The information in this advisory is substantiated by detailed analyses from multiple verified sources. The breach timeline and technical assessments are drawn from SecurityWeek (verified February 15, 2025 - https://www.securityweek.com/1-4-million-affected-by-data-breach-at-virginia-radiology-practice/), HIPAA Journal (verified February 17, 2025 - https://www.hipaajournal.com/cyberattack-medical-imaging-provider-1-4-million-patients/), Security Affairs (verified February 16, 2025 - https://securityaffairs.com/180128/data-breach/radiology-associates-of-richmond-data-breach-impacts-1-4-million-people.html), and WRIC (verified February 18, 2025 - https://www.wric.com/news/virginia-news/more-than-1-4-million-virginians-affected-in-radiology-associates-of-richmond-data-breach/). Each source provides corroborated evidence and timelines that support the forensic conclusions and technical analysis presented here, and each documents the intrusion methods and subsequent mitigations on which this advisory is based.

About Rescana

Rescana is a technical security firm specializing in incident analysis and risk management within critical sectors such as healthcare. Our expertise lies in rapidly identifying vulnerabilities and providing actionable remediation guidance based on comprehensive forensic investigations. Our Third-Party Risk Management (TPRM) platform supports organizations in evaluating and managing the security risks associated with external vendors and service providers, ensuring continuous compliance with evolving cybersecurity standards. In the context of the recent incident affecting Radiology Associates of Richmond, Rescana’s capabilities can assist in identifying security gaps, establishing robust remote access safeguards, and implementing a multi-tiered defense strategy that is both scalable and adaptable to emerging cyber threats. We remain available to clarify any aspects of this advisory and to help organizations strengthen their cybersecurity posture. For further inquiries, we are happy to answer questions at ops@rescana.com.
