High Severity (Score: 6/10)

RFK Racing Data Breach: 13,632 Victims in Healthcare Network Hack


Breach Details

Entity: Roush Fenway Keselowski Racing, LLC
Individuals Affected: 2,160
State: NC
Breach Type: Hacking/IT Incident
Location: Network Server
Date Reported: September 12, 2025
Entity Type: Health Plan
Business Associate: No


Roush Fenway Keselowski Racing, LLC, operating as RFK Racing, has reported a significant data breach affecting 13,632 individuals after unauthorized access to their network systems. The NASCAR team organization, which operates as a health plan in North Carolina, disclosed the cybersecurity incident to the U.S. Department of Health and Human Services on September 12, 2025.

What Happened

On May 14, 2025, RFK Racing discovered that an unauthorized party accessed and copied certain information from its network server. The breach was classified as a hacking/IT incident targeting the organization's network infrastructure.

The incident represents a significant cybersecurity failure that compromised both personally identifiable information (PII) and protected health information (PHI) of thousands of individuals. RFK Racing learned of the unauthorized access months before reporting it to federal authorities, raising questions about the timeline of their incident response.

Who Is Affected

The breach impacted 13,632 total victims, with at least 2,160 individuals having their protected health information compromised under HIPAA regulations. This discrepancy in numbers suggests that while the broader breach affected over 13,000 people, a subset of 2,160 individuals had their healthcare data specifically compromised.

As RFK Racing operates as a health plan entity in North Carolina, the affected individuals likely include employees, their family members, and other beneficiaries covered under the organization's health benefits programs.

Breach Details

According to the breach notification filed with HHS:

  • Entity: Roush Fenway Keselowski Racing, LLC (RFK Racing)
  • Location: North Carolina
  • Entity Type: Health Plan
  • Breach Classification: Hacking/IT Incident
  • Attack Vector: Network Server
  • Discovery Date: May 14, 2025
  • Reporting Date: September 12, 2025
  • Total Affected: 13,632 individuals
  • HIPAA-Covered Individuals: 2,160

The breach involved data exfiltration, meaning attackers not only accessed the information but also copied it from RFK Racing's systems. This type of incident poses ongoing risks as the stolen data could be sold on dark web markets or used for identity theft.

Notably, no business associate was involved in this breach, indicating the vulnerability existed within RFK Racing's own network infrastructure rather than through a third-party vendor.

What This Means for Patients

Under HIPAA's Breach Notification Rule (45 CFR §164.404-414), covered entities like health plans must notify affected individuals when their PHI is compromised. The regulation requires notifications to be sent within 60 days of breach discovery.

For the 2,160 individuals whose protected health information was compromised, this breach could expose:

  • Medical records and treatment history
  • Health insurance information
  • Social Security numbers
  • Contact information and demographics
  • Employment-related health data

The four-month delay between discovery (May 14) and HHS reporting (September 12) raises concerns about RFK Racing's compliance with HIPAA's notification requirements. Organizations must report breaches to HHS within 60 days of discovery under 45 CFR §164.408.

Legal Action and Response

Strauss Borrelli PLLC, a leading data breach law firm, has announced they are investigating RFK Racing regarding this incident. This investigation suggests potential class action litigation may be forthcoming, which is common in large-scale data breaches affecting thousands of individuals.

The law firm's involvement indicates they believe affected individuals may have grounds for legal action based on:

  • Delayed breach notification
  • Inadequate cybersecurity measures
  • Potential HIPAA violations
  • Failure to protect sensitive personal and health information

How to Protect Yourself

If you believe you may be affected by this breach, take these immediate steps:

Monitor Your Accounts

  • Review all financial statements for unauthorized transactions
  • Check credit reports from all three bureaus (Experian, Equifax, TransUnion)
  • Monitor health insurance statements for fraudulent medical claims

Enhance Security Measures

  • Place fraud alerts on your credit reports
  • Consider credit freezes to prevent new account openings
  • Update passwords for all online accounts, especially healthcare portals
  • Enable two-factor authentication where available

Stay Vigilant for Fraud

  • Watch for phishing emails claiming to be from RFK Racing or related entities
  • Be suspicious of unsolicited calls requesting personal information
  • Report suspicious activity to the Federal Trade Commission

Document Everything

  • Keep records of all communications regarding the breach
  • Save copies of credit reports and monitoring services
  • Track any costs incurred due to identity theft or fraud

Prevention Lessons for Healthcare Providers

This breach highlights critical cybersecurity gaps that other healthcare organizations must address:

Network Security

  • Implement robust network segmentation to limit breach scope
  • Deploy advanced threat detection systems
  • Conduct regular penetration testing to identify vulnerabilities
  • Maintain updated security patches across all systems

HIPAA Compliance

  • Develop comprehensive incident response plans per 45 CFR §164.308(a)(6)
  • Ensure timely breach notification within required timeframes
  • Conduct regular risk assessments as required by 45 CFR §164.308(a)(1)
  • Train staff on cybersecurity best practices and HIPAA requirements

Access Controls

  • Implement principle of least privilege access
  • Use multi-factor authentication for all system access
  • Monitor user activity for suspicious behavior
  • Regularly review and update access permissions

Regulatory Implications

The four-month delay in reporting this breach to HHS could result in significant penalties. HIPAA violation fines can range from $100 to $50,000 per violation, with maximum annual penalties reaching $1.5 million per violation category.

The Office for Civil Rights (OCR) may investigate whether RFK Racing:

  • Failed to implement required safeguards
  • Delayed proper breach notification
  • Failed to conduct adequate risk assessments
  • Failed to maintain appropriate incident response procedures

Moving Forward

This incident serves as a stark reminder that cybersecurity threats affect all types of healthcare entities, including those in non-traditional healthcare sectors like sports organizations offering health benefits.

For affected individuals, staying vigilant and taking proactive protective measures is essential. The potential for identity theft and medical fraud remains elevated following any healthcare data breach.

Healthcare providers must recognize that HIPAA compliance is not optional and that cybersecurity investments are critical to protecting patient data and avoiding costly breaches.


Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
