
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Announced by Lumexa Imaging; FMRS Health Systems

The diagnostic imaging service provider Lumexa Imaging has been affected by a security incident at one of its vendors. FMRS Health Systems, a West Virginia-based provider of mental health services, is investigating a January 2026 data breach.

Lumexa Imaging

Lumexa Imaging, a diagnostic imaging provider that, together with its affiliates, has the second-largest diagnostic imaging footprint in the United States, has notified regulators about a data security incident involving one of its vendors. The unnamed vendor provided non-clinical support services in connection with the administrative services Lumexa Imaging provided to its affiliated radiology practices. On April 9, 2026, the vendor notified Lumexa Imaging that it was investigating suspicious activity within part of its computer network. Lumexa Imaging immediately terminated the vendor’s access to its systems while the incident was investigated and remediated.

The investigation confirmed a breach of the vendor’s systems between March 31, 2026, and April 9, 2026. On April 15, 2026, Lumexa Imaging learned that an unauthorized actor may have used the connection between itself and the vendor to view or obtain documents associated with its affiliated radiology practices. The documents were reviewed and found to contain patient information such as names, birth dates, addresses, phone numbers, patient account numbers, insurance information, and clinical information such as diagnoses, visit dates, and other information related to the radiology services received. A small subset of patients had their Social Security numbers exposed.

The vendor has provided assurances that steps have been taken to secure its systems to prevent similar incidents in the future, including scrubbing and validating the affected systems and implementing additional cybersecurity monitoring and detection tools. Lumexa Imaging is unaware of any misuse of the exposed data and is offering complimentary credit monitoring services to individuals whose Social Security numbers were exposed. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.


FMRS Health Systems

FMRS Health Systems, Inc., a West Virginia-based nonprofit mental health center, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. That figure will likely increase, as at the time of issuing its substitute breach notice, the investigation was still ongoing. According to the substitute breach notice on the FMRS Health Systems website, suspicious activity was identified within its computer systems on February 27, 2026. Steps were immediately taken to secure its systems, and a forensic investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed unauthorized access between January 20, 2026, and February 27, 2026, during which time files containing patient information were copied by the threat actor. Electronic medical records were not subject to unauthorized access. The file review confirmed that names were stolen in combination with one or more of the following: address, birth date, Social Security number, driver’s license number, financial account information, medical history information, diagnostic and treatment information, prescription information, physician’s name, medical record number, and health insurance information. FMRS Health Systems did not state whether ransomware was used; however, a ransomware group – Qilin – claimed responsibility for the attack.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
