Cyberattack on Medical Imaging Provider Affects 1.4 Million Patients
At the start of the month, The HIPAA Journal reported on a cybersecurity incident at Radiology Associates of Richmond, a provider of medical imaging services at seven hospitals in central Virginia and multiple outpatient medical imaging facilities in the state. At the time, the extent to which patient data had been compromised had not been disclosed as the file review and investigation were ongoing.
It has now been confirmed that a huge amount of patient data was compromised in the attack. Hackers had access to its network between April 2 and April 6, 2024, and exfiltrated files containing names, dates of birth, email addresses, Social Security numbers, account numbers, routing numbers, medical information, and health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved.
The radiology group recently notified the HHS’ Office for Civil Rights that the protected health information of 1,419,091 individuals was compromised in the incident, making this one of the top five healthcare data breaches to be reported this year. Several lawsuits have already been filed in response to the cyberattack, alleging negligence for failing to safeguard sensitive data on its network.
Florida Law Firm Reports 279,000-Record Data Breach
Zumpano Patricios, P.A., a Florida law firm that helps healthcare providers resolve disputes with health insurance companies over payment for medical services, has announced a major data breach affecting 279,275 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
A network intrusion was detected by the law firm on or around May 6, 2025. Immediate and aggressive action was taken to prevent further unauthorized access, and third-party digital forensics experts were engaged to investigate the activity. The forensic investigation confirmed that an unauthorized third party had access to parts of its network where patient data was stored and may have copied files from the network. At the time of issuing notification letters, it had not been determined when the cyberattack began.
The exposed data had been provided to the firm by its healthcare provider clients in connection with payment disputes that the law firm was trying to resolve. The data was generally contained in spreadsheets and included personal information such as first and last names, provider names, member ID numbers, health insurer information, dates of service, amounts charged by providers, and the payment amounts received for the services. In limited cases, Social Security numbers, clinical coding information, and medical records were potentially compromised.
The affected healthcare providers were notified about the data breach on May 14, 2025, and Zumpano Patricios started issuing individual notifications on their behalf in early July. Zumpano Patricios has not identified any misuse of the compromised data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance reimbursement policy. The law firm said it has and will continue to take steps to enhance security to prevent similar cyberattacks in the future.
