Triad Radiology Breach Exposes 11,000; Notification Delayed Months
- 11,000 individuals affected by the data breach
- 196-day delay in notifying patients after discovery
- Sensitive data exposed including Social Security numbers, driver's licenses, and bank account details
Experts emphasize that the delay in notification violates HIPAA's 60-day requirement and increases risks of identity theft, while the breach's scope and sensitive data exposed heighten concerns over regulatory and legal repercussions.
WINSTON-SALEM, NC – May 05, 2026 – Triad Radiology Associates (TRA) has disclosed a major data security incident that exposed the sensitive personal and medical information of approximately 11,000 individuals. The breach, which stemmed from an employee's compromised email account, occurred in July 2025, but the Winston-Salem-based practice waited more than six months before beginning to directly notify affected patients, a delay that raises significant questions about compliance with federal health privacy laws.
The compromised data is extensive and, according to the company's notice, may include patient names, addresses, Social Security numbers, driver's license numbers, bank account details, dates of birth, medical information, and health insurance information. The breach not only affects patients of TRA but also individuals who received care at other medical facilities that use Triad Radiology for imaging services, highlighting the cascading risks within the interconnected healthcare system.
A Timeline Under Scrutiny
According to the press release issued by TRA, the company first discovered “suspicious activity” in an employee email account on July 30, 2025. However, direct notifications to the thousands of impacted individuals did not commence until February 11, 2026, roughly 196 days later. This timeline appears to be in direct conflict with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.
HIPAA mandates that healthcare providers must notify affected individuals of a data breach “without unreasonable delay” and in no case later than 60 calendar days following the discovery of a breach. For breaches impacting 500 or more people, the U.S. Department of Health and Human Services (HHS) must also be notified within that same 60-day window. TRA reported the incident to HHS on February 6, 2026, approximately 191 days after the discovery date.
While TRA stated that a “thorough review” to identify the scope of the data was not completed until December 10, 2025, privacy experts emphasize that the 60-day notification clock starts when the breach is first known or reasonably should have been known, not when an internal investigation concludes. “The 60-day timeframe is a critical protection for individuals, giving them the chance to take immediate steps to mitigate potential harm like identity theft or fraud,” noted one privacy law analyst. “Waiting for a full forensic analysis is not considered a valid reason under the law to postpone the core notification.”
Sensitive Data and Widespread Risk
The range of information exposed in the breach creates a significant risk of financial fraud and identity theft for the 11,000 people affected. The combination of Social Security numbers, driver's licenses, and bank account information is particularly potent for criminals seeking to open fraudulent accounts or commit other forms of identity theft.
In its public notice, TRA stated it “does not have any evidence that the information has been actually viewed or misused.” However, cybersecurity experts caution that this provides little comfort. Under HIPAA, any unauthorized access to protected health information is presumed to be a reportable breach unless the organization can demonstrate a low probability of compromise. The absence of known misuse does not guarantee that data has not been stolen or that it will not be exploited in the future.
In acknowledgment of the potential danger, TRA is offering complimentary credit monitoring services to affected individuals. The company also encourages patients to “monitor their account statements and explanation of benefits forms for suspicious activity.” The breach’s impact extends beyond TRA's direct patient base, as the practice provides services for nine hospitals and over a dozen outpatient locations. This means patients who never directly visited a TRA facility may have had their data exposed, complicating the notification and remediation process.
Regulatory and Legal Fallout Begins
TRA has officially reported the incident to the HHS Office for Civil Rights (OCR), the primary enforcer of HIPAA. A breach of this magnitude, coupled with a significant notification delay, is highly likely to trigger a formal OCR investigation. Such investigations often scrutinize not only the breach itself but the organization's overall security posture and compliance program.
Failure to comply with HIPAA's Breach Notification Rule can result in substantial financial penalties, which are tiered based on the level of culpability and can reach over $2 million per violation category per year. The company has also notified applicable state regulators, including the North Carolina Attorney General's office, which enforces the state's own data breach laws.
Beyond regulatory fines, Triad Radiology is already facing legal challenges. At least one law firm has publicly announced it is investigating the incident and seeking to organize a class-action lawsuit on behalf of affected patients. This follows a growing trend in the healthcare sector, where data breaches frequently lead to costly litigation. For instance, another radiology group recently agreed to a multi-million dollar settlement in a lawsuit following a similar data breach, setting a precedent for the potential financial consequences TRA may face.
In response to the incident, TRA has established a toll-free call center at 1-800-405-6108 to answer questions and stated it has “worked with third-party specialists to investigate and implement additional security measures within its network.” For the thousands of affected individuals, however, the focus now shifts to protecting their identities while the full regulatory and legal consequences of the breach and its delayed disclosure continue to unfold.