Central Kentucky Radiology Data Breach 2025: 166,953 Kentucky Radiology Patients Exposed After October 2024 Network Intrusion. What To Do
Central Kentucky Radiology (CKR) filed an HHS OCR breach report on June 13, 2025 reporting 166,953 affected individuals after an unauthorized actor accessed and copied files from its network between October 16 and October 18, 2024. Exposed data includes names, addresses, dates of birth, Social Security numbers, dates of service, service charges, and in some cases payment card information. CKR is offering 12 months of complimentary credit monitoring; multiple plaintiff firms are investigating a potential class action.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 16, 2024
Unauthorized actor begins accessing CKR network and copying files
Oct 18, 2024
CKR identifies a network disruption; attacker access window closes
May 7, 2025
CKR completes review of affected files and identifies impacted individuals
Jun 11, 2025
Vermont Attorney General receives consumer breach notice
Jun 12, 2025
Individual notification letters mailed to affected patients (~8 months post-incident)
Jun 13, 2025
HHS OCR breach report submitted: 166,953 individuals, Hacking/IT Incident at Network Server; Maine and New Hampshire AGs also notified
Jun 17, 2025
Massachusetts Attorney General office notified; multiple plaintiff firms open investigations
Oct 16, 2024
Unauthorized actor begins accessing CKR network and copying files
Oct 18, 2024
CKR identifies a network disruption; attacker access window closes
May 7, 2025
CKR completes review of affected files and identifies impacted individuals
Jun 11, 2025
Vermont Attorney General receives consumer breach notice
Jun 12, 2025
Individual notification letters mailed to affected patients (~8 months post-incident)
Jun 13, 2025
HHS OCR breach report submitted: 166,953 individuals, Hacking/IT Incident at Network Server; Maine and New Hampshire AGs also notified
Jun 17, 2025
Massachusetts Attorney General office notified; multiple plaintiff firms open investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Central Kentucky Radiology (CKR), a physician-owned radiology group located at 1218 South Broadway, Suite 310, Lexington, KY 40504, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 13, 2025, reporting 166,953 affected individuals in a Hacking/IT Incident at a Network Server. CKR is a group of approximately 20 board-certified radiologists providing hospital staffing services and image interpretation for medical centers and physicians’ offices across Kentucky, with specialties including vascular and interventional radiology, neuroradiology, nuclear radiology, musculoskeletal radiology, and breast imaging.
Forensic investigators determined that an unauthorized actor was inside the CKR network between October 16 and October 18, 2024, accessing and copying files containing patient billing records. CKR completed its review of the affected files on May 7, 2025 and began mailing individual notification letters on or around June 12, 2025, roughly eight months after the intrusion was detected. No ransomware group has publicly claimed the attack, and CKR has not named a threat actor. CKR is offering 12 months of complimentary credit monitoring through TransUnion to affected individuals whose Social Security number or payment card information was involved. Multiple plaintiff-side firms have publicly opened investigations, though no consolidated federal class action has been confirmed in the Eastern District of Kentucky as of this writing.
What happened
CKR detected a network disruption on October 18, 2024, immediately secured its systems, and launched a forensic investigation. Investigators confirmed the unauthorized actor had accessed and copied files from certain systems between October 16 and October 18, 2024. The compromised files contained patient billing records — not clinical imaging studies or diagnostic reports.
CKR completed its file review on May 7, 2025 and notified regulators across multiple states. State attorney general filings were submitted to Vermont and the Maine and New Hampshire AGs on June 11-13, 2025; the Massachusetts AG was notified on June 17, 2025. CKR also made filings with the California, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, and Washington AGs. The approximate scope of state-level impact: 3 Maine residents, 8 New Hampshire residents, and 20 Massachusetts residents — the Kentucky-resident count is the bulk of the 166,953 total. CKR notified federal law enforcement and reported the incident to the HHS OCR on June 13, 2025.
Timeline
- October 16-18, 2024 — Unauthorized actor accesses CKR’s network and copies files from certain systems.
- October 18, 2024 — CKR identifies a network disruption, begins securing systems, and initiates a forensic investigation.
- May 7, 2025 — CKR completes the review of affected files and identifies the categories of personal information involved.
- June 11, 2025 — CKR files a consumer breach notice with the Vermont Attorney General.
- June 12, 2025 — Individual notification letters begin being mailed to affected patients.
- June 13, 2025 — HHS OCR breach report submitted: 166,953 individuals affected, Hacking/IT Incident at Network Server; Maine and New Hampshire AGs also notified.
- June 17, 2025 — Massachusetts AG notified; multiple plaintiff firms open public investigations.
What was exposed
Per CKR’s substitute notice and state AG filings, the compromised file set included:
- Identity data: full name, address, date of birth.
- Government identifiers: Social Security number.
- Clinical/financial data: date(s) of medical service and service charges.
- Payment data (subset of patients): payment card information, per CKR’s own notice and multiple confirmed sources.
The files specifically contained patient billing records. No clinical imaging studies, diagnostic reports, or physician notes have been identified in the exposed file set. The combination of name, date of birth, and Social Security number puts affected patients in the high-risk tier for synthetic identity fraud and new-account fraud, not just medical-identity misuse. CKR noted it is not aware of any actual or attempted misuse of the information as of the June 2025 notification date.
What the entity is offering
CKR is providing 12 months of complimentary credit monitoring through TransUnion to individuals whose Social Security number or payment card information was potentially affected. Individuals whose billing records were exposed but whose SSN or payment card was not involved may not receive the monitoring offer. Along with the monitoring offer, CKR provided guidance on fraud alerts, security freezes, free annual credit reports, and tax-identity protection.
CKR established a dedicated assistance line at 1-833-566-6360, available Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern time, excluding U.S. holidays. Activation instructions for the TransUnion monitoring are included in the individual notification letters mailed beginning June 12, 2025.
Class-action posture
No filed class action against Central Kentucky Radiology has been confirmed in federal court (E.D. Ky.) or in Fayette Circuit Court as of this writing. Multiple plaintiff-side firms have publicly opened investigations into the breach, citing the eight-month gap between the October 2024 intrusion and June 2025 notice as potentially actionable under state consumer-protection statutes. Firms publicly investigating include Strauss Borrelli PLLC, Mason LLP, Markovits, Stock & DeMarco, LLC, Federman & Sherwood, The Lyon Firm, Pittman, Dutton, Hellums, Bradley & Mann, Migliaccio & Rathod LLP, and Schubert Jonckheer & Kolbe LLP. ClassAction.org states its own attorney network has completed its investigation without filing a case.
What to do
- Freeze your credit at Equifax, Experian, and TransUnion. With SSNs and dates of birth in the exposed set, a credit freeze is the highest-leverage protection against new-account fraud. It is free and reversible.
- Enroll in the 12-month TransUnion credit monitoring CKR is offering if you received a notification letter dated on or after June 12, 2025. Call the dedicated line at 1-833-566-6360 (Monday through Friday, 8 a.m. to 8 p.m. ET) if you have questions. The activation code is single-use; activate promptly.
- Watch for payment-card fraud if your CKR account included a card on file. Request a card reissue from your issuer.
- Review insurance EOBs for services you did not receive. Medical-identity misuse can take 12-24 months to surface.
- File an IRS Identity Protection PIN request if your SSN was in the exposed set. It is free at irs.gov/identity-theft-central and stops fraudulent tax-refund filings against your SSN.
- Stop the ongoing flow of your radiology and billing data. HealthConsent files HIPAA restriction requests so the imaging and financial records exposed in this breach are not continuously re-shared across hospital networks, billing clearinghouses, and downstream providers.
Continue reading
- Your HIPAA Rights — how to request restrictions on how your health data is shared
- All tracked breaches
Sources
- SecurityWeek — Central Kentucky Radiology Data Breach Impacts 167,000 — confirms 166,953 figure, October 16-18, 2024 access window, May 7, 2025 review completion, June 13, 2025 notification, and the credit-monitoring offer.
- SC Media — About 167K compromised by Central Kentucky Radiology breach — independent trade-press synthesis of the breach scope and data categories.
- Vermont Attorney General — Central Kentucky Radiology Data Breach Notice to Consumers (June 11, 2025) — state regulatory filing of record for Vermont residents.
- Central Kentucky Radiology — Website Notice (substitute notice PDF) — the entity’s own substitute notice posted at ckr.net; confirms call center number, TransUnion monitoring for SSN/card-affected individuals.
- ClassAction.org — Central Kentucky Radiology Data Breach Lawsuit Investigation — plaintiff-side investigation status and timeline.
- Strauss Borrelli PLLC — Central Kentucky Radiology Data Breach Investigation — plaintiff-firm investigation notice with breach scope confirmation.
- PRNewswire / Schubert Jonckheer & Kolbe — Privacy Alert: CKR Under Investigation — additional plaintiff-firm investigation notice.
- ClaimDepot — Central Kentucky Radiology Breach Summary — aggregates multi-state AG filings; confirms Maine (3 residents), NH (8 residents), MA (20 residents) counts.
- ClassAction.org / Maine AG Notice Letter (Exhibit) — CKR’s formal Maine AG notice confirming address, timeline, and TransUnion monitoring offer.
- Federman & Sherwood — CKR Data Breach Investigation — confirms TransUnion as credit-monitoring vendor.
- HIPAA Times — Central Kentucky Radiology Notifies 166K Patients of 2024 Breach — trade-press coverage confirming monitoring limited to SSN/card-affected individuals.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- SecurityWeek — Central Kentucky Radiology Data Breach Impacts 167,000
- SC Media — About 167K compromised by Central Kentucky Radiology breach
- Vermont Attorney General — Central Kentucky Radiology Data Breach Notice to Consumers (June 11, 2025)
- Central Kentucky Radiology — Website Notice (CKR substitute notice PDF)
- ClassAction.org — Central Kentucky Radiology Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC — Central Kentucky Radiology Data Breach Investigation
- PRNewswire / Schubert Jonckheer & Kolbe — Privacy Alert: CKR Under Investigation for Breach of Nearly 167,000 Records
- ClaimDepot — Central Kentucky Radiology Breach Summary (multi-state AG filing details)
- ClassAction.org — CKR Maine AG Notice Letter (Exhibit, June 2025)
- Federman & Sherwood — CKR Data Breach Investigation (TransUnion monitoring confirmed)
- HIPAA Times — Central Kentucky Radiology Notifies 166K Patients of 2024 Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.