Active breach tracker Lexington-area, Kentucky Disclosed June 13, 2025

Central Kentucky Radiology Data Breach 2025: 166,953 Kentucky Radiology Patients Exposed After October 2024 Network Intrusion. What To Do

Central Kentucky Radiology (CKR) filed an HHS OCR breach report on June 13, 2025 reporting 166,953 affected individuals after an unauthorized actor accessed and copied files from its network between October 16 and October 18, 2024. Exposed data includes names, addresses, dates of birth, Social Security numbers, dates of service, service charges, and in some cases payment card information. CKR is offering 12 months of complimentary credit monitoring; multiple plaintiff firms are investigating a potential class action.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 16, 2024

Unauthorized actor begins accessing CKR network and copying files

Oct 18, 2024

CKR identifies a network disruption; attacker access window closes

May 7, 2025

CKR completes review of affected files and identifies impacted individuals

Jun 11, 2025

Vermont Attorney General receives consumer breach notice

Jun 12, 2025

Individual notification letters mailed to affected patients (~8 months post-incident)

Jun 13, 2025

HHS OCR breach report submitted: 166,953 individuals, Hacking/IT Incident at Network Server; Maine and New Hampshire AGs also notified

Jun 17, 2025

Massachusetts Attorney General office notified; multiple plaintiff firms open investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Address Date(s) of medical service Service charges Payment card information (in some cases, per HIPAA Journal reporting)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigating) Mason LLP (investigating) Markovits, Stock & DeMarco, LLC (investigating) Federman & Sherwood (investigating) The Lyon Firm (investigating) Pittman, Dutton, Hellums, Bradley & Mann (investigating) Migliaccio & Rathod LLP (investigating) Schubert Jonckheer & Kolbe LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Central Kentucky Radiology (CKR), a physician-owned radiology group located at 1218 South Broadway, Suite 310, Lexington, KY 40504, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 13, 2025, reporting 166,953 affected individuals in a Hacking/IT Incident at a Network Server. CKR is a group of approximately 20 board-certified radiologists providing hospital staffing services and image interpretation for medical centers and physicians’ offices across Kentucky, with specialties including vascular and interventional radiology, neuroradiology, nuclear radiology, musculoskeletal radiology, and breast imaging.

Forensic investigators determined that an unauthorized actor was inside the CKR network between October 16 and October 18, 2024, accessing and copying files containing patient billing records. CKR completed its review of the affected files on May 7, 2025 and began mailing individual notification letters on or around June 12, 2025, roughly eight months after the intrusion was detected. No ransomware group has publicly claimed the attack, and CKR has not named a threat actor. CKR is offering 12 months of complimentary credit monitoring through TransUnion to affected individuals whose Social Security number or payment card information was involved. Multiple plaintiff-side firms have publicly opened investigations, though no consolidated federal class action has been confirmed in the Eastern District of Kentucky as of this writing.

What happened

CKR detected a network disruption on October 18, 2024, immediately secured its systems, and launched a forensic investigation. Investigators confirmed the unauthorized actor had accessed and copied files from certain systems between October 16 and October 18, 2024. The compromised files contained patient billing records — not clinical imaging studies or diagnostic reports.

CKR completed its file review on May 7, 2025 and notified regulators across multiple states. State attorney general filings were submitted to Vermont and the Maine and New Hampshire AGs on June 11-13, 2025; the Massachusetts AG was notified on June 17, 2025. CKR also made filings with the California, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, and Washington AGs. The approximate scope of state-level impact: 3 Maine residents, 8 New Hampshire residents, and 20 Massachusetts residents — the Kentucky-resident count is the bulk of the 166,953 total. CKR notified federal law enforcement and reported the incident to the HHS OCR on June 13, 2025.

Timeline

  • October 16-18, 2024 — Unauthorized actor accesses CKR’s network and copies files from certain systems.
  • October 18, 2024 — CKR identifies a network disruption, begins securing systems, and initiates a forensic investigation.
  • May 7, 2025 — CKR completes the review of affected files and identifies the categories of personal information involved.
  • June 11, 2025 — CKR files a consumer breach notice with the Vermont Attorney General.
  • June 12, 2025 — Individual notification letters begin being mailed to affected patients.
  • June 13, 2025 — HHS OCR breach report submitted: 166,953 individuals affected, Hacking/IT Incident at Network Server; Maine and New Hampshire AGs also notified.
  • June 17, 2025 — Massachusetts AG notified; multiple plaintiff firms open public investigations.

What was exposed

Per CKR’s substitute notice and state AG filings, the compromised file set included:

  • Identity data: full name, address, date of birth.
  • Government identifiers: Social Security number.
  • Clinical/financial data: date(s) of medical service and service charges.
  • Payment data (subset of patients): payment card information, per CKR’s own notice and multiple confirmed sources.

The files specifically contained patient billing records. No clinical imaging studies, diagnostic reports, or physician notes have been identified in the exposed file set. The combination of name, date of birth, and Social Security number puts affected patients in the high-risk tier for synthetic identity fraud and new-account fraud, not just medical-identity misuse. CKR noted it is not aware of any actual or attempted misuse of the information as of the June 2025 notification date.

What the entity is offering

CKR is providing 12 months of complimentary credit monitoring through TransUnion to individuals whose Social Security number or payment card information was potentially affected. Individuals whose billing records were exposed but whose SSN or payment card was not involved may not receive the monitoring offer. Along with the monitoring offer, CKR provided guidance on fraud alerts, security freezes, free annual credit reports, and tax-identity protection.

CKR established a dedicated assistance line at 1-833-566-6360, available Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern time, excluding U.S. holidays. Activation instructions for the TransUnion monitoring are included in the individual notification letters mailed beginning June 12, 2025.

Class-action posture

No filed class action against Central Kentucky Radiology has been confirmed in federal court (E.D. Ky.) or in Fayette Circuit Court as of this writing. Multiple plaintiff-side firms have publicly opened investigations into the breach, citing the eight-month gap between the October 2024 intrusion and June 2025 notice as potentially actionable under state consumer-protection statutes. Firms publicly investigating include Strauss Borrelli PLLC, Mason LLP, Markovits, Stock & DeMarco, LLC, Federman & Sherwood, The Lyon Firm, Pittman, Dutton, Hellums, Bradley & Mann, Migliaccio & Rathod LLP, and Schubert Jonckheer & Kolbe LLP. ClassAction.org states its own attorney network has completed its investigation without filing a case.

What to do

  1. Freeze your credit at Equifax, Experian, and TransUnion. With SSNs and dates of birth in the exposed set, a credit freeze is the highest-leverage protection against new-account fraud. It is free and reversible.
  2. Enroll in the 12-month TransUnion credit monitoring CKR is offering if you received a notification letter dated on or after June 12, 2025. Call the dedicated line at 1-833-566-6360 (Monday through Friday, 8 a.m. to 8 p.m. ET) if you have questions. The activation code is single-use; activate promptly.
  3. Watch for payment-card fraud if your CKR account included a card on file. Request a card reissue from your issuer.
  4. Review insurance EOBs for services you did not receive. Medical-identity misuse can take 12-24 months to surface.
  5. File an IRS Identity Protection PIN request if your SSN was in the exposed set. It is free at irs.gov/identity-theft-central and stops fraudulent tax-refund filings against your SSN.
  6. Stop the ongoing flow of your radiology and billing data. HealthConsent files HIPAA restriction requests so the imaging and financial records exposed in this breach are not continuously re-shared across hospital networks, billing clearinghouses, and downstream providers.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.