Overview
Radiology Associates of Richmond (RAR), a Virginia-based radiology practice, has disclosed a second significant data breach within roughly 15 months of its first. The first breach occurred in April 2024, was reported to HHS on July 1, 2025, and affected more than 1.4 million patients. Before that investigation had fully resolved, a second incident took place by the end of July 2025.
The second breach was reported to the Maine Attorney General's Office in May 2026 and affects approximately 266,000 individuals. Details of the second incident, including the attack vector, the categories of protected health information exposed, and the duration of unauthorized access, had not been fully disclosed in the public filings reviewed at the time of publication.
The two breaches together represent one of the more notable repeat-incident patterns among radiology providers in recent years. RAR's patient population is concentrated in the Richmond, Virginia metropolitan area, though the Maine AG filing indicates affected individuals extend beyond the practice's primary service region.
Key developments
Back-to-back breaches within 15 months. The April 2024 incident affected more than 1.4 million patients, a figure large enough to place it among the most significant healthcare breaches of that year. A second, separate incident occurring by July 2025 — before notifications for the first were even complete — raises questions about whether underlying security weaknesses were identified and remediated between events.
Multi-state regulatory reporting triggered. By filing with the Maine Attorney General's Office, RAR has activated notification obligations under Maine's breach notification law, which applies whenever Maine residents are among those affected regardless of where the covered entity is headquartered. This is a common but important signal that affected individuals are geographically dispersed, often because patient records are processed or stored through third-party vendors with national footprints.
Timeline gaps draw scrutiny. The first breach occurred in April 2024 but was not reported to HHS until July 1, 2025, a gap of roughly 14 to 15 months. HIPAA's Breach Notification Rule requires covered entities to notify HHS of breaches affecting 500 or more individuals without unreasonable delay and no later than 60 calendar days after discovery, where discovery means the first day the breach is known to the entity or, by exercising reasonable diligence, would have been known. A reporting delay of this length, if the breach was discovered substantially before the filing date, could itself attract OCR attention independent of the breach's underlying cause.
Radiology practices as high-value targets. Radiology groups hold densely concentrated repositories of protected health information, including diagnostic images, referral data, clinical histories, and billing records. The volume and sensitivity of that data, combined with the specialized imaging infrastructure these practices operate, can create complex environments where security gaps are harder to detect and remediate quickly.
Industry impact
Repeat breaches at a single covered entity are not unprecedented, but they are a recognized indicator of systemic rather than isolated security failures. OCR has pursued corrective action plans and civil monetary penalties in cases where investigations revealed that a covered entity failed to conduct an accurate and thorough risk analysis or failed to implement the findings of a prior risk analysis — obligations codified in 45 C.F.R. § 164.308(a)(1).
According to HHS's breach portal, healthcare data breaches affecting 500 or more individuals have been reported at a pace of several hundred per year for the past several years, with network server incidents consistently representing the largest share of affected individuals. IBM's Cost of a Data Breach report has consistently ranked healthcare as the sector with the highest average breach cost of any industry for more than a decade.
When a covered entity experiences sequential breaches, regulators typically examine whether the post-incident remediation after the first event was adequate and whether the organization's ongoing risk management program — including periodic risk assessments — was functioning as required. The combination of a large first breach, a compressed timeline to a second breach, and a lengthy reporting delay creates a fact pattern that OCR is likely to examine closely.
What this means for independent practices
- Audit notification timelines now. HIPAA's 60-day clock runs from the date of discovery, meaning the first day the breach is known to the entity or, with reasonable diligence, would have been known, not from the date an investigation concludes. Independent practices should document precisely when a potential breach was first detected and build internal escalation procedures that make the 60-day deadline explicit.
- Treat a completed breach investigation as a trigger for re-assessment. After any security incident — even one that is resolved — conduct or update a formal risk analysis before declaring remediation complete. Regulators look for evidence that corrective actions were actually implemented and tested.
- Verify third-party vendor exposure. If a breach affects individuals spread across multiple states, it often signals that data passed through a business associate's systems. Review all business associate agreements to confirm security obligations are current and that vendors are contractually required to notify the covered entity promptly upon discovery.
- Map where imaging and clinical data reside. Radiology and other imaging-intensive practices should maintain an explicit inventory of where DICOM files, radiology information system data, and associated patient records are stored, transmitted, and backed up — including any cloud or co-located storage arrangements.
- Test incident response before it is needed. A written incident response plan that has never been exercised is unlikely to perform well under real conditions. Tabletop exercises that walk through breach discovery, internal escalation, forensic preservation, and notification timelines help identify gaps before regulators do.
Independent practices that have experienced any security incident in the past 24 months should treat this disclosure as a prompt to confirm that remediation was documented, that a current risk analysis is on file, and that business associate agreements reflect updated security expectations. OCR's investigation record shows that the quality of a covered entity's documentation — not merely the controls it claims to have — shapes enforcement outcomes.
What would have prevented this
Periodic, documented risk analysis: HIPAA's Security Rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI they hold. A risk analysis performed after the first breach — and formally updated to reflect any new infrastructure or vendor relationships — would have provided a documented basis for targeted remediation before the second incident occurred.
Network segmentation and lateral movement controls: Radiology environments typically operate imaging systems, clinical workstations, and administrative networks in close proximity. Segmenting these environments so that a compromise in one segment cannot propagate freely into others limits the volume of records an attacker can reach during a single intrusion.
Continuous monitoring and anomaly detection: Logging access to patient records and imaging systems, then applying threshold-based alerting for unusual data volumes or access patterns (for example, one account touching far more distinct patient records in an hour than its role requires, or bulk exports outside business hours), enables earlier detection of intrusions. Many breaches that span months do so because no monitoring capability was in place to surface anomalous activity.
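The threshold-based alerting described above, as an added example that is not part of the original article and not code from RAR or any vendor system: it parses a constructed, hypothetical RIS/PACS audit export (one line per record access with a user, action and patient ID), counts the distinct patient records each account touches inside a sliding one-hour window, and separately flags export actions outside business hours. The log format, the account names rad_tech_04 and svc_integration, and the thresholds are assumptions chosen for illustration.

```python
"""Threshold-based anomaly detection over PHI access audit logs.

Added example, not RAR's or any vendor's code. The log format, account names
and thresholds are hypothetical; the sample log is constructed inline.
"""
import re
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical RIS/PACS audit export format: one record-access event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    patient: str


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AccessEvent(ts, m["user"], m["action"], m["patient"])


def parse_log(text: str) -> list:
    """Parse all lines, drop unparseable ones, and return events sorted by time."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)


def distinct_patient_alerts(events, window=timedelta(hours=1), threshold=50):
    """Flag users who touch more than `threshold` distinct patient records
    inside any sliding `window`. Returns {user: peak_distinct_patients}."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts = {}
    for user, evs in by_user.items():
        recent = deque()          # events inside the current window
        in_window = Counter()     # patient -> number of events in the window
        peak = 0
        for e in evs:             # evs keep the global timestamp order
            recent.append(e)
            in_window[e.patient] += 1
            while e.ts - recent[0].ts > window:   # evict events that expired
                old = recent.popleft()
                in_window[old.patient] -= 1
                if in_window[old.patient] == 0:
                    del in_window[old.patient]
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[user] = peak
    return alerts


def off_hours_alerts(events, actions=("EXPORT", "DOWNLOAD"), start_hour=7, end_hour=19):
    """Count bulk-capable actions performed outside business hours (UTC here).
    Returns {user: count} for users with at least one such action."""
    hits = Counter()
    for e in events:
        if e.action in actions and not (start_hour <= e.ts.hour < end_hour):
            hits[e.user] += 1
    return dict(hits)


def build_sample_log() -> str:
    """Constructed sample: one normal technologist and one misused service account."""
    lines = []
    shift = datetime(2025, 7, 14, 9, 0, tzinfo=timezone.utc)
    for i in range(30):   # 30 distinct patients viewed across a ~3 hour shift
        t = shift + timedelta(minutes=6 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=rad_tech_04 action=VIEW patient=P{1000 + i}")
    night = datetime(2025, 7, 15, 2, 0, tzinfo=timezone.utc)
    for i in range(200):  # 200 distinct patients exported within 30 minutes at 02:00
        t = night + timedelta(seconds=9 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=svc_integration action=EXPORT patient=P{5000 + i}")
    return "\n".join(lines)


def run_detection(log_text: Optional[str] = None) -> dict:
    """Run both detectors over a log (the constructed sample by default)."""
    events = parse_log(build_sample_log() if log_text is None else log_text)
    return {
        "volume": distinct_patient_alerts(events),
        "off_hours": off_hours_alerts(events),
    }


if __name__ == "__main__":
    for kind, hits in run_detection().items():
        for user, value in hits.items():
            print(f"ALERT {kind}: user={user} value={value}")
```

Run as a script it prints one alert line per finding: the technologist's 30 views spread over a shift never exceed the window threshold, while the service account's 200 exports at 02:00 trip both detectors. In production the thresholds should come from a per-role baseline rather than a fixed constant, and the off-hours check needs the site's local timezone rather than UTC.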
Privileged access management: Administrative and system-level accounts in radiology information systems and imaging archives represent the highest-value targets for attackers seeking bulk data. Restricting privileged credentials, requiring re-authentication for sensitive operations, and auditing privileged account activity reduces the likelihood that a single compromised credential enables a large-scale extraction.
Formal post-incident remediation verification: Following any breach, covered entities should require documented evidence — not just a vendor attestation — that each identified vulnerability has been closed and tested. An independent verification step, whether conducted by internal staff or an outside assessor, reduces the risk that the same weakness enables a subsequent incident.