Active breach tracker New York Disclosed January 21, 2025

University Diagnostic Medical Imaging (UDMI) Data Breach 2025: 138,080 Affected After Fog Ransomware Attack on Bronx Radiology Practice

University Diagnostic Medical Imaging, PC (UDMI), a Bronx-based radiology practice, disclosed a Fog ransomware attack affecting 138,080 patients. Filed with HHS OCR on January 21, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 26, 2024

UDMI detects unusual activity on its network and blocks the unauthorized access the same day

Nov 26, 2024

Unauthorized access identified and contained; forensic review begins

Jan 21, 2025

UDMI files HHS OCR breach report (138,080 affected, Hacking/IT Incident, Network Server) and begins mailing notification letters

Mar 13, 2025

Fog ransomware group publicly claims the attack on its dark-web leak site, alleging 28.1 GB stolen

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Referring physician name
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

University Diagnostic Medical Imaging, PC (UDMI) is a full-service diagnostic radiology practice headquartered in the Bronx, New York, founded in 1986. The practice offers a comprehensive range of imaging services — MRI, CT, PET/CT, ultrasound, mammography supported by AI, bone densitometry, nuclear medicine, and interventional radiology — and employs more than 50 people. It serves patients across oncologic, women’s, musculoskeletal, neuroradiology, and pain-management imaging subspecialties.

On November 26, 2024, UDMI detected unusual activity on its network and blocked the unauthorized access the same day. The window of attacker exposure is described by UDMI in its public notice as “a limited amount of time.” UDMI launched an investigation with third-party cybersecurity specialists, notified law enforcement, and began a comprehensive review of affected files to identify impacted individuals.

UDMI filed its HIPAA breach report with the HHS Office for Civil Rights on January 21, 2025, confirming 138,080 affected individuals in a Hacking/IT Incident at a Network Server. Individual notification letters were mailed to affected patients on or around the same date. On March 13, 2025, the Fog ransomware group publicly claimed responsibility on its dark-web leak site, alleging exfiltration of 28.1 GB of UDMI patient data. Fog described the UDMI compromise as its largest confirmed breach to date by record count. UDMI has not publicly confirmed or refuted Fog’s claim, and no details have been disclosed on whether a ransom was demanded or paid.

UDMI filed breach notifications with at least 13 state attorneys general, including Maine, Massachusetts, California, Iowa, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, reflecting the broad geographic distribution of patients affected.

What was stolen

Per UDMI’s own notification letter and the HHS OCR portal entry, the affected files contained:

  • Identity data: full name, address, date of birth.
  • Clinical and provider data: referring physician name, medical diagnosis information, and medical treatment information.

Fog’s leak-site claim and independent trade-press coverage (Comparitech, Enterprise Security Tech, Daily Security Review) corroborate the same five data categories as what Fog asserts was exfiltrated. No published source with direct access to UDMI’s notification text confirms that Social Security numbers, driver’s license numbers, financial-account information, insurance ID numbers, or government-issued ID numbers were included in the exposed files. UDMI’s own notice does not list those categories. Consumers who received a letter should read it carefully, as the confirmed data elements may vary by individual.

What UDMI is offering

UDMI’s published notice states the practice has “no reason to believe any information has been or will be misused” and that it has implemented additional security measures with outside specialists.

The credit-monitoring question has conflicting coverage. Comparitech and Enterprise Security Tech both report that UDMI’s notification letter did not include an offer of credit monitoring or identity-theft protection, consistent with the text visible on UDMI’s published online notice. HIPAA Times reported that UDMI is offering identity protection and credit monitoring services; however, this claim is not corroborated by UDMI’s own notice text or by HIPAA Journal or Comparitech coverage. If your notification letter included an activation code for monitoring services, use it. If it did not, no funded offer was made to you specifically.

UDMI’s notice directs patients to standard self-help steps: review your credit reports (free annually at annualcreditreport.com), review account statements and explanation-of-benefits forms, and contact the three credit bureaus to place fraud alerts or credit freezes. The practice’s dedicated inquiry line is (718) 931-5620, and written inquiries may be directed to 1200 Waters Place, Suite M108, Bronx, NY 10461.

Class actions

Multiple plaintiff law firms have announced investigations and are soliciting affected patients: Strauss Borrelli PLLC (announced February 10, 2025), Chimicles Schwartz Kriner & Donaldson-Smith LLP, and Levi & Korsinsky, LLP. As of June 2026, no filed class-action complaint against UDMI has been publicly identified in E.D.N.Y., S.D.N.Y., or New York state court in published trade press or court records. The HHS OCR breach investigation remains open.

What to do

  1. Freeze your credit at Equifax, Experian, and TransUnion. The disclosed data set does not include SSNs, but Fog’s 28.1 GB exfiltration claim creates real uncertainty about the full scope. A freeze is free, requires no subscription, and is the highest-leverage protection available.
  2. Check your notification letter dated on or after January 21, 2025. The letter specifies which of the five categories applied to you. If it includes a monitoring activation code, enroll immediately.
  3. Watch your insurance explanation-of-benefits statements for services you did not receive. Medical-identity theft from clinical-record leaks typically surfaces 12 to 24 months after the incident.
  4. File a fraud alert with any one bureau (it notifies the other two automatically) if you are not ready to commit to a full freeze.
  5. Report suspected misuse to the FTC at identitytheft.gov, to your state attorney general, and to law enforcement. New York patients can also contact the New York AG’s consumer helpline.
  6. Bookmark this page. If a class action is filed, if the OCR investigation closes with findings, or if settlement terms are announced, we update here.
  7. Stop the ongoing flow of your radiology and diagnostic imaging data. HealthConsent files HIPAA restriction requests so the clinical diagnosis and treatment details exposed in this breach are not continuously re-shared across referral networks, insurance clearinghouses, and health information exchanges.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.