Cyber Incident Victim: Radiology Associates of Albuquerque

The cybersecurity incident impacting Radiology Associates of Albuquerque (RAA Imaging) began with unauthorized access to email accounts occurring intermittently between December 22, 2020, and July 15, 2021. RAA detected the cyberattack in August 2021 and immediately initiated an investigation. Forensic analysis determined that specific documents stored within RAA’s environment were copied from its systems on two dates: July 22, 2021, and August 3, 2021. The compromised data included protected health information (PHI) such as patient names, contact details, Social Security numbers, medical conditions, medical histories, treatment information, patient account numbers, and health insurance details. RAA secured its systems following the discovery and worked to determine the full scope of the incident. The breach investigation revealed that the unauthorized party accessed email accounts over a seven-month period prior to the data exfiltration events in July and August 2021.

RAA completed its investigation and reconciliation process by identifying affected individuals and their contact information. Notification letters were sent to an undisclosed number of patients in late 2022, over a year after the breach detection. The notifications advised patients to review account statements, explanation of benefits forms, and credit reports for suspicious activity. RAA emphasized its commitment to information confidentiality and security while acknowledging the exposure of sensitive PHI. The organization did not disclose whether ransomware or specific threat actors were involved, nor did it confirm whether data was misused following the exfiltration. The breach impacted multiple categories of personal and medical information but did not result in public disclosure of the total number of affected individuals.