Radiology Chartered Data Breach Affects 12,656 Patients via Vendor
Radiology Chartered, a Wisconsin-based healthcare provider, recently disclosed a significant data breach that has affected 12,656 individuals. The incident, which was reported to the Department of Health and Human Services on May 16, 2025, originated from a cybersecurity incident at a former third-party vendor rather than Radiology Chartered's own systems.
What Happened
On March 24, 2025, Radiology Chartered received written notification from Nationwide Recovery Services, Inc. ("NRS") regarding a cybersecurity incident that potentially impacted individuals associated with Radiology Chartered. The breach actually occurred much earlier – NRS first became aware of the cybersecurity issue involving its network environment on July 11, 2024.
This breach is a classic example of third-party vendor risk in healthcare. Radiology Chartered, which was previously known as Computer Scanning Services and CT Imaging LLC, had used NRS as a third-party vendor for various services, including payment processing. The incident occurred on NRS's network server, highlighting how healthcare organizations can be vulnerable to breaches even when their own systems remain secure.
The significant time gap between when NRS discovered the incident (July 11, 2024) and when they notified Radiology Chartered (March 24, 2025) – approximately 8 months – raises questions about vendor notification protocols and compliance with breach notification requirements.
Who Is Affected
The breach has impacted 12,656 individuals who were patients of Radiology Chartered or its predecessor entities. Some patients may recognize the organization by its former names:
- Computer Scanning Services
- CT Imaging LLC
Radiology Chartered issued formal breach notifications to affected patients on May 15, 2025, as required under HIPAA breach notification rules. The organization made clear in their notice that while the incident occurred at their former third-party vendor NRS, they were taking responsibility for notifying and protecting their affected patients.
Breach Details
According to the HHS Office for Civil Rights Wall of Shame, this incident has been classified as a hacking/IT incident that occurred on the network server. While the full details of NRS's investigation are not publicly available, the breach notice indicates that NRS conducted a thorough investigation into the cybersecurity issue.
Key timeline details include:
- July 11, 2024: NRS became aware of the cybersecurity issue
- March 24, 2025: NRS notified Radiology Chartered in writing about the potential patient impact
- May 15, 2025: Radiology Chartered issued breach notifications to affected patients
- May 16, 2025: Breach reported to HHS Office for Civil Rights
The breach affected Radiology Chartered's network server environment through their relationship with NRS. The specific types of personal information compromised and whether any protected health information was accessed or exfiltrated have not been detailed in the available public notices.
What This Means for Patients
For the 12,656 affected individuals, this breach represents a potential compromise of their personal information held by the third-party vendor. Patients of Radiology Chartered, Computer Scanning Services, and CT Imaging LLC should be aware that their information may have been accessed during this cybersecurity incident.
While the specific types of information accessed have not been publicly disclosed, third-party vendors like NRS that handle payment services typically process:
- Patient names and contact information
- Insurance information
- Payment and billing details
- Potentially some medical information related to services provided
The extended timeline between the initial discovery and patient notification means that if any information was compromised, it has potentially been exposed for an extended period.
How to Protect Yourself
If you are among the affected patients, consider taking these protective steps:
Immediate Actions:
- Review the official breach notification letter from Radiology Chartered carefully
- Monitor your insurance explanation of benefits (EOB) statements for any unfamiliar medical services
- Check your credit reports for any suspicious activity
- Consider placing a fraud alert on your credit files
Ongoing Monitoring:
- Regularly review bank and credit card statements
- Monitor healthcare-related communications for signs of medical identity theft
- Be cautious of phishing attempts that may reference this breach
- Keep records of any suspicious activity related to your personal information
Stay Informed:
- Contact Radiology Chartered directly if you have questions about the breach
- Watch for any updates or additional information about credit monitoring services
- Report any suspected identity theft to the Federal Trade Commission
Prevention Lessons for Healthcare Providers
This breach offers several important lessons for healthcare organizations about third-party vendor risk management:
Vendor Due Diligence: Healthcare providers must thoroughly vet third-party vendors' cybersecurity practices and ensure they have robust incident response procedures. This includes understanding how quickly vendors will notify healthcare partners of potential breaches.
Business Associate Agreements: Strong business associate agreements (BAAs) should include specific timelines for breach notification, detailed security requirements, and clear protocols for incident response. The 8-month delay in notification in this case suggests the need for more stringent notification requirements.
Ongoing Vendor Monitoring: Regular security assessments and monitoring of third-party vendors are essential. Healthcare organizations should not assume that vendors are maintaining adequate security simply because they passed an initial assessment.
Incident Response Planning: Organizations need comprehensive incident response plans that account for third-party breaches. This includes having communication templates ready and understanding the legal requirements for patient notification when the breach originates with a vendor.
Risk Assessment: Regular risk assessments should include evaluation of all third-party relationships, particularly those involving payment processing or other services that handle protected health information.
The Radiology Chartered breach demonstrates that healthcare organizations remain vulnerable to cyber incidents even when their own systems are secure. As healthcare continues to rely heavily on third-party vendors for various services, robust vendor management and cybersecurity protocols become increasingly critical for protecting patient information.