Radiology Associates of Richmond (RAR) has disclosed a data breach affecting 266,183 individuals after attackers accessed the medical imaging provider's internal systems on or about July 25, 2025. The Virginia-based healthcare organization confirmed that protected health information, Social Security numbers, government-issued IDs, financial data, and medical records were acquired during the unauthorized access. Notification letters began going out on May 21, 2026, following a forensic investigation that concluded on or about April 6, 2026.
What Happened
According to RAR's incident notice and regulatory filings, threat actors gained unauthorized access to the organization's internal systems on or around July 25, 2025. RAR engaged external cybersecurity experts to contain the intrusion and assess its scope, though the organization has not publicly disclosed when the breach was initially detected. The investigation included an extensive forensic review and manual document analysis that stretched roughly nine months before concluding in early April 2026. RAR then took an additional six weeks to begin notifying affected individuals, with letters dispatched starting May 21, 2026. The filing with the Maine Attorney General's Office confirms 266,183 individuals are receiving breach notifications.
What Was Taken
The compromised data set is broad and sensitive. Per disclosures filed with multiple state attorneys general, including Texas, the stolen files may contain:
- Full names
- Social Security numbers
- Government-issued identification numbers
- Financial information, including credit and debit card numbers
- Medical records and clinical information
- Health insurance details
RAR has offered complimentary credit monitoring to individuals whose Social Security numbers were contained in the impacted files. The combination of medical, financial, and identity data in a single dataset makes this incident particularly high-value for downstream fraud and identity theft operations.
Why It Matters
This is RAR's second major breach disclosure in under a year. In July 2025, the same organization notified the US Department of Health and Human Services that an April 2024 incident had compromised the personal information of 1.4 million individuals. The back-to-back disclosures suggest persistent security gaps, repeated targeting, or both, and place RAR among a growing set of mid-sized healthcare providers absorbing multi-incident exposure. For defenders, the nine-month gap between the July 2025 intrusion and the April 2026 investigation conclusion underscores how long healthcare-sector breaches can sit before downstream victims are warned, expanding the window for credential reuse, insurance fraud, and synthetic identity creation.
The Attack Technique
RAR has not publicly attributed the incident to a specific threat actor or named a ransomware group, nor has it described the initial access vector. No leak site claims have been publicly tied to this event at the time of disclosure. Based on the typology of the breach (a single-date intrusion followed by exfiltration of structured PHI and PII across roughly 266,000 records), the incident is consistent with either a ransomware affiliate exfiltrating data before encryption or a data-theft-only extortion crew targeting healthcare records for resale. The fact that manual document review formed part of the forensic process suggests unstructured data, such as scanned documents and image-related records, was within the accessed file shares.
What Organizations Should Do
Healthcare providers, particularly imaging and specialty practices, should treat this incident as a signal to harden the following areas:
- Segment imaging and PACS infrastructure from general enterprise networks so that an intrusion on the corporate side cannot pivot directly into clinical record stores.
- Audit file share exposure for unstructured PHI. The manual document review timeline at RAR suggests large volumes of loose documents were accessible. Enforce least-privilege access and DLP on shared drives.
- Deploy EDR with behavioral detection on endpoints and servers handling PHI, and ensure 24/7 monitoring or MDR coverage to shorten dwell time.
- Enforce phishing-resistant MFA on VPN, remote desktop, email, and any externally exposed administrative interfaces, which remain the most common initial access vectors in healthcare breaches.
- Test backup and incident response playbooks quarterly, with explicit tabletop scenarios for exfiltration-only extortion in addition to encryption events.
- Shorten breach notification cycles by pre-staging legal, forensic, and communications vendors so disclosure can occur faster than the nine-plus months seen in this case.
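One way to begin the file-share audit recommended above, as an added example that is not from RAR's notice or the cited article: a Python pass over a share that counts SSN-formatted strings and Luhn-valid card numbers per file and flags files readable by every account. The function names, the pattern formats, the 1 MB read cap and the POSIX-mounted share are assumptions; it reads text-decodable content only, so scanned images would need OCR first.

```python
import os, re, stat, tempfile

# Patterns for two of the data types named in the disclosure (assumed formats):
# dashed US SSNs and 13-19 digit card numbers, the latter confirmed with Luhn.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
MAX_BYTES = 1_000_000  # read cap per file so large imaging files stay cheap

def luhn_ok(number):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return counts only, so the audit report never copies the identifiers."""
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}

def audit_share(root):
    """Walk a mounted share; list files holding identifiers, riskiest first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, "rb") as fh:
                    text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable to the audit account: skip, do not abort
            hits = scan_text(text)
            if hits["ssn"] or hits["card"]:
                findings.append({"path": os.path.relpath(path, root), **hits,
                                 "world_readable": bool(mode & stat.S_IROTH)})
    return sorted(findings, key=lambda f: (not f["world_readable"], f["path"]))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:  # constructed sample data
        with open(os.path.join(share, "intake_notes.txt"), "w") as fh:
            fh.write("SSN 123-45-6789, card 4111 1111 1111 1111\n")
        for row in audit_share(share):
            print(row)
```

Files at the top of the result are the ones to move or restrict first, since they combine identifiers with access by any account on the host.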
Sources: 266,000 Affected by Data Breach at Radiology Associates of Richmond - Cybernoz