Data Breaches Announced by Expert MRI; McElroy & Associates
Data breaches have recently been announced by the California radiology specialists, Expert MRI, and the small business technology consultancy firm, McElroy & Associates.
Expert MRI
Expert MRI, a leading radiology provider with 15 locations in California, has recently disclosed a cybersecurity incident that was first identified in August 2025. According to its substitute data breach notice, an unauthorized third party gained access to a computer network containing “a significant portion” of its data between June 2, 2025, and August 24, 2025.
The forensic investigation confirmed that data was exfiltrated in the attack, including names, addresses, dates of birth, admission dates, diagnoses, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Expert MRI said data privacy and security are taken extremely seriously, and that “this incident is being used as an opportunity to build upon existing cybersecurity and data privacy tools, practices, and procedures for ourselves and our partners.” The data breach has been reported to regulators, but the number of affected individuals has yet to be disclosed.
The PEAR threat group has claimed responsibility for the incident and added Expert MRI to its data leak site along with samples of the stolen data. The group’s data leak site no longer lists Expert MRI, which suggests that the ransom was paid.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
McElroy & Associates
McElroy & Associates, a small business technology consultancy firm with offices in California and Michigan, has announced a data breach involving unauthorized access to an employee’s email account. The unauthorized access was identified on May 30, 2025, and the forensic investigation confirmed that the account was accessed by an unauthorized third party between May 28, 2025, and May 30, 2025.
The account was reviewed, and on September 3, 2025, McElroy & Associates confirmed that protected health information had been exposed. The compromised data varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, financial account information, medical information, health insurance information, and usernames/passwords.
The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 6,633 individuals. A substitute breach notice has been uploaded to the website of its Bartlesville, OK-based health plan client, OPEH&W Health Plan, confirming its members have been affected. McElroy & Associates has started mailing notification letters to the affected individuals and has confirmed that it has taken steps to improve the security of its email tenant.
