One month after announcing a 2024 data breach affecting 1.4 million patients, Radiology Associates of Richmond (“RAR”)was facing at least 10 potential class-action lawsuits. Now that the Virginia medical group has reported a second data breach in 2025, they are potentially facing more litigation.
DataBreaches.net reports that RAR’s July 2025 breach affected 266,183 people, but it is unknown whether that number represents patients or patients plus non-patients at this time.
Reviewing the medical practice’s notifications in 2025 and 2026, DataBreaches.net notes that neither disclosure explained how the breaches occurred or whether there was any ransom demand. The fact that neither breach showed up on any dark web leak site may indicate that RAR paid the unnamed attackers not to leak data.
DataBreaches.net posed a number of unanswered questions:
- What types of personal and protected health information were involved in this newest attack?
- Did RAR receive any threat demands or extortion demands from any groups for either or both of the incidents?
- If RAR received any demands, did it pay to have data deleted in either or both incidents?
- Did the second attack involve the same threat actor(s) as the first attack?
- Did the second attacker(s) gain access in the same way as the first attacker(s)?
