Radiology Associates of Richmond (RAR) has disclosed a data breach that affected the protected health information of 266,000 people, according to its incident notice and filings with state authorities. The healthcare organization says the intrusion took place on or about July 25, 2025, when hackers accessed internal systems.
The company has not said exactly when it first detected the attack. What it did say is that it brought in outside cybersecurity experts to help contain the incident and determine how far it reached. After that review, RAR said it concluded on or about April 6, 2026, that files containing protected health information had been taken without authorization.
What patient data may have been exposed
RAR’s notices do not spell out every affected record, but the information submitted to state authorities points to a broad mix of sensitive details. Based on the filings and redacted letter samples, the compromised files may have included:
- Names
- Social Security numbers
- Government-issued ID numbers
- Financial information, including credit or debit card numbers
- Medical and health insurance information
That mix matters because it goes beyond basic contact data. Health records tied to identity and payment information can be used for fraud, identity theft, and other follow-on attacks long after the original breach.
Notifications are going out now
On May 21, RAR began mailing notification letters to potentially affected individuals. In its filing with the Maine Attorney General’s Office, the organization said 266,183 people are receiving those notices.
RAR also said that people whose Social Security numbers were included in the impacted files are being offered complimentary credit monitoring. The incident notice adds that affected individuals were given guidance on how to protect their information.
A reminder of how messy healthcare breaches can be
Healthcare providers remain attractive targets because they store a combination of personal, financial, and medical data in one place. That makes a single intrusion potentially far more damaging than a typical account compromise. In cases like this, the long gap between the July 2025 intrusion and the April 2026 conclusion of the investigation also shows how long forensic reviews can take when large volumes of records are involved.
RAR is based in Richmond, Virginia, and provides medical imaging services. The organization’s notice does not fully describe every type of data impacted, but the filings suggest the breach could have reached well beyond a narrow set of records.
Related context
In July 2025, RAR also notified the U.S. Department of Health and Human Services that the personal information of 1.4 million people had been stolen in an April 2024 data breach. The new disclosure adds another large healthcare incident to a year already marked by repeated attacks on organizations handling sensitive patient data.