Network and website security should be a top priority for every business, and especially healthcare businesses. Unfortunately, too many organizations learn this lesson the hard way.
This past summer, Radiology Associates of Richmond (RAR) confirmed that attackers had gained access to its network approximately 15 months prior. Patient names, dates of birth, Social Security numbers, insurance information, and medical records may have been exposed, although RAR has maintained that there is no proof that any compromised data have been misused. Still, the healthcare data breach tracker of the Department of Health and Human Services shows that the incident impacted 1,419,091 people.
I can speak about this from firsthand experience, because I was among those patients who received a notification letter. I immediately wanted to know how much information the cyberattackers had, what security policies and protocols were in place before the breach, and what steps RAR is taking now. Did the attackers have a picture of the titanium screw in my foot? When I called the hotline number provided for patient assistance, I found the experience frustrating. The “toll-free response line” associates seemed only vaguely familiar with the breach and were just plain unhelpful. They took my name and number. A promised call back from RAR never came. As their customer, I was left with the feeling that they just did not care about me or my data. The experience underscored for me that the impact of a breach doesn’t end with IT systems. How you communicate with and support people afterward is just as critical to maintaining trust.
Radiology Breaches Are on the Rise
RAR is not alone. Numerous other radiology practices across the country have recently reported breaches:
- Vital Imaging Diagnostic Centers (Florida): More than 260,000 patients potentially affected. Attorneys are already exploring class-action lawsuits.
- Central Kentucky Radiology: Breach exposed personal and medical details of roughly 167,000 people; multiple law firms are investigating litigation.
- Pinehurst Radiology Associates (North Carolina): The practice shuttered in June, only months after a cyberattack, and its property was sold to a local hospital system.
RAR itself now faces substantial legal action. At least 10 lawsuits were filed in federal court within weeks of the breach becoming public, although those cases were later consolidated into one lawsuit. The plaintiffs maintain that they now face a lifetime risk of identity theft due to the nature of the information lost, which they cannot change and which cannot be made private again.
Why a Breach Can Sink a Business
A cyberattack isn’t just an IT incident — it’s a business survival issue.
- Class-Action Lawsuits: When health data is exposed, lawsuits often follow. Even if a business ultimately prevails, the cost of defense can run into the hundreds of thousands of dollars. For many SMBs, that alone can be devastating.
- HIPAA Penalties: The federal Office for Civil Rights can levy fines of up to $50,000 per violation, capped at $1.5 million per year for identical provisions. For practices that failed to conduct proper risk assessments, fines and corrective action plans are common.
- Average Cost of a Breach: According to IBM’s 2025 Cost of a Data Breach Report, the average cost of a data breach in the U.S. is $10.22 million, and the healthcare sector has the highest average breach cost at $7.42 million per incident. For SMBs, industry analysts estimate breach costs between $120,000 and $1.24 million, depending on severity. Few small businesses can absorb that.
- Reputation & Trust: Perhaps most damaging is the loss of trust. Patients and clients may never return once they believe their information is unsafe, especially when poor communication compounds the problem.
Best Practices for Healthcare Provider Security
As a website developer and managed security services provider, we’ve seen how SMBs, not just healthcare providers, can protect themselves by adopting a handful of core practices:
- Keep software updated: Patch content management systems, plug-ins, and server software regularly.
- Use HTTPS everywhere: SSL/TLS encryption protects data in transit and builds visitor confidence.
- Harden access controls: Require strong passwords, enable multi-factor authentication (MFA), and limit user privileges.
- Back up your website and data regularly: Automated backups ensure recovery in case of ransomware or a hack.
- Monitor and test continuously: Intrusion detection, log monitoring, and penetration testing reveal vulnerabilities before criminals do.
Turning Breaches Into Lessons
The spate of radiology breaches shows two things clearly:
- Hackers don’t discriminate. They go where defenses are weakest, and SMBs are often the easiest targets, especially healthcare businesses.
- How you respond matters. Transparent, respectful communication with patients or customers can reduce the chance of lawsuits and help preserve trust.
The Bottom Line
Whether you’re a healthcare provider, law firm, retailer, or nonprofit, your website, your network, and all the data they touch are among your most valuable business assets. Protecting them isn’t optional — it’s essential.
At AISN, we’ve spent more than 30 years helping organizations secure their infrastructure and data. From website design to multicloud architecture to cybersecurity, we are a one-stop shop for designing solutions that keep your business online and secure.
Don’t wait for a breach to take action. Contact AISN today to discuss how we can protect you and your customers.
