Executive Summary
Radiology Associates of Richmond (RAR) experienced a significant data breach affecting approximately 266,000 individuals. The breach resulted in unauthorized access to sensitive information, including protected health information (PHI), personally identifiable information (PII), and financial data. The incident was discovered on or about July 25, 2025, with forensic investigations confirming that files containing PHI were acquired without authorization. Notification letters to affected individuals began on May 21, 2026. There is a timeline discrepancy between RAR’s official notice and regulatory filings regarding the initial breach window, but all sources confirm the scale and sensitivity of the data compromised. As of the latest disclosures, there is no evidence of misuse of the compromised data, nor has any specific threat actor or malware been publicly identified. The breach has significant implications for healthcare sector data security, regulatory compliance, and patient trust. All information in this summary is based on official disclosures and regulatory filings as referenced below.
Technical Information
The breach at Radiology Associates of Richmond involved unauthorized access to the organization’s network environment, resulting in the acquisition of files containing PHI and other sensitive data. The incident was discovered on or about July 25, 2025, according to RAR’s official notice (https://rarichmond.com/notice-of-data-security-incident/). However, regulatory filings indicate the breach may have occurred between April 2, 2024, and April 6, 2024, with discovery on May 2, 2025 (https://www.claimdepot.com/data-breach/radiology-associates-of-richmond). This discrepancy in the timeline is noted, but all sources agree on the notification date to affected individuals as May 21, 2026.
The types of data compromised include names, Social Security numbers, dates of birth, addresses, government-issued identification numbers, medical information, health insurance information, and financial account information, including credit and debit account details. The breach was reported to the U.S. Department of Health and Human Services and multiple state attorneys general, reflecting the regulatory significance of the incident.
No technical indicators of compromise (IOCs), malware samples, or specific attack tools have been disclosed in any public or regulatory filings. The nature of the breach is described as a network intrusion with unauthorized data acquisition. Forensic investigation and manual document review were conducted to determine the scope and impact of the breach. There is no evidence of ransomware deployment, phishing, or specific malware involvement in the public record as of this report.
Sector pattern analysis indicates that healthcare organizations are frequent targets for attacks involving phishing (MITRE ATT&CK T1566), exploitation of remote services (T1190), or compromised credentials (T1078). Data exfiltration in such incidents is often performed using techniques such as "Exfiltration Over Web Service" (T1567) or "Exfiltration Over C2 Channel" (T1041). However, in this case, there is no direct evidence confirming the use of these techniques, and all technical inferences are based on sector-wide patterns rather than incident-specific disclosures.
No threat actor group has claimed responsibility for the breach, and no law enforcement or security firm has attributed the attack to a known group. There are no published technical indicators, such as malware hashes, command-and-control infrastructure, or ransom notes, associated with this incident. The absence of such evidence precludes attribution to any specific threat actor or malware family.
The breach exposed a large volume of sensitive data, consistent with high-value targeting in the healthcare sector. Regulatory filings and sector advisories highlight the vulnerability of healthcare organizations to data theft and ransomware due to legacy systems, the high value of health data, and regulatory pressures. The incident underscores the importance of robust security controls, timely detection, and comprehensive incident response in healthcare environments.
Affected Versions & Timeline
The breach affected the network environment of Radiology Associates of Richmond. There is no evidence that specific software versions, products, or tools were targeted or exploited, as no technical details have been disclosed regarding the attack vector.
The timeline of the incident, based on available sources, is as follows:
April 2, 2024 to April 6, 2024: breach window indicated by regulatory filings.
May 2, 2025: discovery date indicated by regulatory filings.
July 1, 2025: breach disclosed to the U.S. Department of Health and Human Services; also reported to multiple state attorneys general.
July 25, 2025 (on or about): unauthorized access discovered, according to RAR’s official notice.
April 6, 2026 (on or about): forensic investigation and manual document review concluded, confirming the unauthorized acquisition of files containing PHI.
May 21, 2026: notification letters to affected individuals began.
The affected data includes PHI, PII, and financial account information for approximately 266,000 individuals. The breach has sector-wide implications for regulatory compliance, particularly with the Health Insurance Portability and Accountability Act (HIPAA) and state notification laws.
Threat Activity
No specific threat activity has been publicly attributed to this breach. There is no evidence of ransomware deployment, extortion, or public data leaks associated with the incident. No threat actor group has claimed responsibility, and no technical indicators have been published by law enforcement or security firms.
Sector pattern analysis suggests that healthcare organizations are frequent targets for ransomware and data theft operations, often involving phishing, exploitation of remote services, or compromised credentials. However, in this case, there is no direct evidence linking the breach to any specific threat actor, malware family, or attack technique.
The absence of technical details limits the ability to map the attack to specific tactics, techniques, and procedures (TTPs) beyond general sector patterns. The breach is consistent with large-scale data theft operations targeting healthcare organizations, but attribution remains speculative in the absence of concrete evidence.
Mitigation & Workarounds
Critical: Organizations in the healthcare sector should immediately review and enhance their network security controls, focusing on the protection of PHI, PII, and financial data. This includes implementing multi-factor authentication, regular patch management, and network segmentation to limit lateral movement in the event of a breach.
High: Conduct regular security awareness training for all staff to reduce the risk of phishing and social engineering attacks. Ensure that incident response plans are up to date and tested regularly, with clear procedures for containment, investigation, and notification.
Medium: Monitor for unusual network activity and implement robust logging and alerting to detect unauthorized access. Regularly review access controls and permissions to ensure that only authorized personnel have access to sensitive data.
Low: Encourage affected individuals to remain vigilant for signs of identity theft or fraud. Provide guidance on credit monitoring, fraud alerts, and credit freezes, as recommended by RAR in its official notice.
No specific technical workarounds are available for this incident, as the attack vector and exploited vulnerabilities have not been disclosed. Organizations should follow best practices for healthcare data security and regulatory compliance.
References
https://rarichmond.com/notice-of-data-security-incident/
https://www.prnewswire.com/news-releases/privacy-alert-radiology-associates-of-richmond-under-investigation-for-data-breach-of-nearly-266-000-records-302780592.html
https://www.claimdepot.com/data-breach/radiology-associates-of-richmond
https://www.hhs.gov/sites/default/files/health-sector-cybersecurity-coordination-center-hc3-ransomware-trends-2023.pdf
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks across their vendor ecosystem. Our platform enables continuous monitoring of vendor security posture, supports regulatory compliance efforts, and delivers actionable insights to reduce the likelihood and impact of data breaches in complex environments. For questions or further information, please contact us at ops@rescana.com.