Active breach tracker Richmond, Virginia Disclosed July 1, 2025

Radiology Associates of Richmond Data Breach 2025: 1,419,091 Virginia Radiology Patients Exposed in April 2024 Network Intrusion. What To Do

Radiology Associates of Richmond (RAR) disclosed a HIPAA breach affecting 1,419,091 individuals. Names, Social Security numbers, and medical records were accessed April 2–6, 2024, but patients were not notified until July 2025 — 15 months later. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 2, 2024

Unauthorized actor began accessing the RAR network environment.

Apr 6, 2024

Unauthorized access ended after a four-day intrusion window.

May 2, 2025

RAR completed its forensic review and determined that the impacted systems contained identifiable PHI and personal information.

Jul 1, 2025

RAR began mailing individual notification letters and filed with HHS OCR, reporting 1,419,091 affected individuals.

Jul 1, 2025

Disclosed publicly

Jul 3, 2025

Strauss Borrelli PLLC announced a class-action investigation into RAR's notification delay.

Jul 18, 2025

Lynch Carpenter LLP publicly announced its own class-action investigation.

Jul 25, 2025

A second unauthorized access event began on RAR's systems (separate from the April 2024 intrusion). This is a distinct incident.

Aug 18, 2025

At least 10 complaints consolidated into a single proceeding in the U.S. District Court for the Eastern District of Virginia, seeking $5 million. A minor (Jane Doe) is among the named plaintiffs.

Apr 6, 2026

RAR's forensic investigation into the second incident (July 2025) concluded, confirming 266,183 individuals were affected.

May 21, 2026

RAR began notifying 266,183 individuals about the second breach. Filed with Maine AG and Massachusetts AG (Report #2026-829). Schubert Jonckheer & Kolbe LLP announced an investigation.

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers (subset)

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Medical information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigating) Lynch Carpenter LLP (investigating) Edelson Lechtzin LLP (investigating) Arnold Law Firm (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Radiology Associates of Richmond (RAR), founded in 1905 and one of the oldest continuously operating private radiology practices in the United States, disclosed in July 2025 that an unauthorized actor accessed its network environment for four days in early April 2024. The intrusion exposed names, dates of birth, Social Security numbers, medical information, and health-insurance details belonging to 1,419,091 individuals. RAR serves central Virginia, supporting nine hospitals, several emergency centers, and multiple outpatient imaging facilities with services including MRI, CT, X-ray, mammography, neuroradiology, pediatric radiology, and nuclear medicine.

RAR did not finish its forensic review until May 2, 2025, and did not begin notifying patients until July 1, 2025, more than 15 months after the access occurred. That notification delay became the central argument in multiple class-action lawsuits. RAR reported the April 2024 breach to the attorneys general of California, Massachusetts, Washington, Montana, and Vermont concurrently with its HHS OCR filing.

What happened

An unauthorized actor gained access to RAR’s network environment beginning April 2, 2024. The intrusion ended April 6, 2024, a four-day window. RAR engaged external cybersecurity professionals to investigate, and those professionals completed the forensic and manual document review on May 2, 2025, when it became clear that the accessed files contained identifiable protected health information and personal data.

RAR posted a substitute notice, began mailing individual letters, and filed with HHS OCR on July 1, 2025. The federal portal records 1,419,091 affected individuals, classifying the event as a Hacking/IT Incident at a Network Server. No ransomware group has publicly claimed responsibility, and no leak-site posting has been observed.

A second, separate unauthorized access event occurred on or around July 25, 2025, after notification for this breach was already underway. That subsequent incident affected 266,183 individuals and was disclosed separately in May 2026. See the note at the bottom of this page for more detail.

What was stolen

RAR’s substitute notice describes the impacted files as containing “identifiable protected health and personal information.” State AG filings and the entity’s own notice letter identify the following categories:

  • Patient names
  • Dates of birth
  • Social Security numbers (a subset of affected individuals)
  • Medical information
  • Health-insurance information

The Arnold Law Firm’s investigation page and state AG sample letters list additional possible elements: email addresses, addresses, driver’s license or government ID numbers, financial account and routing numbers. RAR’s own notice does not confirm all of those categories. Per the sourcing rule, the above list reflects what the entity’s notice and state AG filings confirm. Affected individuals should read their specific notification letter for the elements confirmed for their record.

RAR states it has “no evidence that any personal information has been or will be misused as a direct result of this incident.”

What Radiology Associates of Richmond is offering

RAR is providing complimentary credit-monitoring services through Cyberscout to individuals whose Social Security numbers were contained in the impacted files. The activation code and enrollment instructions appear in each notification letter. Individuals whose Social Security numbers were not in the accessed files received the notification but were not offered monitoring.

The entity set up a dedicated response line at 1-866-629-5541 (Monday through Friday, 8 a.m. to 8 p.m. Eastern). No identity-theft insurance amount, fraud-resolution services, or remediation steps for non-SSN data elements were publicly disclosed.

Class actions

At least 10 complaints were filed against RAR in the weeks following the July 2025 notification. Those cases were consolidated into a single proceeding in the U.S. District Court for the Eastern District of Virginia. A complaint filed August 18, 2025, names a minor (identified as “Jane Doe”) as plaintiff, with legal representatives arguing RAR failed to monitor its network adequately and allowed “almost a month of unimpeded access” before the intrusion ended. Plaintiffs are seeking at least $5 million.

Firms that have publicly announced investigations or filings for the April 2024 breach:

  • Strauss Borrelli PLLC
  • Lynch Carpenter LLP
  • Edelson Lechtzin LLP
  • Arnold Law Firm

The common theory across all filings is the 15-month gap between the April 2024 intrusion and the July 2025 notification, which plaintiffs argue violates HIPAA’s 60-day notification requirement and Virginia law.

Subsequent incident: July 2025 breach

RAR disclosed a second, unrelated network intrusion in May 2026. That incident, which began on or around July 25, 2025, affected 266,183 individuals. RAR’s forensic investigation concluded April 6, 2026, and notifications were mailed beginning May 21, 2026. RAR filed with the Maine AG (266,183 residents) and the Massachusetts AG (Report #2026-829). Schubert Jonckheer & Kolbe LLP announced an investigation on May 23, 2026. This is a separate HHS OCR filing from the 1.4 million-person breach documented on this page.

What to do

  1. Freeze your credit at all three bureaus: Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com). Freezes are free, reversible when you need to apply for credit, and the single most effective step against new-account fraud when Social Security numbers are involved.
  2. Enroll in Cyberscout credit monitoring if your notification letter includes an activation code. Only individuals whose SSNs were in the accessed files received an offer; if you have a code, use it promptly.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you were notified that your Social Security number was exposed. This flags your tax record and reduces the risk of fraudulent return filing.
  4. Watch your Explanation of Benefits statements. RAR is a radiology provider, meaning your medical and insurance records were in scope. Scan EOBs from your health insurer for unfamiliar providers, imaging studies, or procedure dates you don’t recognize.
  5. Keep your notification letter. It is proof of your standing in any class-action recovery and specifies exactly which data elements were in your record.
  6. Guard against follow-on phishing. Breach notifications trigger secondary scams. RAR will not ask for payment, passwords, or financial account details by phone or email in connection with this incident.
  7. Stop the ongoing flow of your radiology and medical-imaging data. HealthConsent files HIPAA restriction requests so the diagnostic records, insurance details, and identifying information exposed in this breach are not continuously re-shared across health information exchanges and downstream business associates.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.