Patient Protect · HIPAA Pulse
May 27, 2026 · Bi-Weekly Briefing
Breached Twice, Reported Late & Why May's Filings Are Mostly Q1
A Virginia radiology practice got breached twice in 15 months. The second attack landed within weeks of the first one being reported to federal regulators.
Two weeks ago this briefing covered the DICOM imaging exposure and the Conduent BAA cooperation escalation. Today's lead is a different angle on the same structural problem: Radiology Associates of Richmond just disclosed its second data breach to Maine's Attorney General. The first one — affecting 1.4 million patients in April 2024 — was not reported to HHS until July 1, 2025, roughly 15 months later. HIPAA requires notification without unreasonable delay and no later than 60 days after discovery. The second incident landed on or about July 25, 2025.
Meanwhile, the dashboard's "May filings" tell a different story than the dates suggest. Most are HHS OCR catching up on Q1 incidents — Navia Benefit Solutions and Nacogdoches Memorial both landed federally in May, but were publicly disclosed via state AG filings in March. The Q1 State of Compliance documented OCR's 978-case investigation queue. We're watching it work through that queue in real time. The lag itself is the structural story.
Stat of the Issue
15 months
between Radiology Associates of Richmond's first breach (April 2024 incident) and its first HHS notification (July 2025). HIPAA's Breach Notification Rule requires HHS notification without unreasonable delay and no later than 60 days after discovery. The second breach occurred on or about July 25, 2025 — roughly three weeks after the first was filed.
Risk Barometer · What Moved Since May 13
Filings This Window: 44 (Patient Protect dashboard, OCR + State AG)
Largest Fresh Disclosure: 266K (Radiology Associates of Richmond, May 22)
Top Breach Type: Hacking / IT Incident (38 of 44 filings, 86%, in this window)
Pattern of Note: Repeat victims (RAR: 2 breaches in 15 months)
Breach of Note
Radiology Associates of Richmond
Maine AG filing May 22, 2026 · 266,183 affected · Second breach in 15 months
Radiology Associates of Richmond (RAR) is a Virginia-based imaging practice. On May 22, the practice disclosed a data breach to Maine's Attorney General affecting 266,183 individuals. RAR is now a documented repeat-victim case — the public timeline is what makes it consequential.
RAR's first breach involved an April 2024 incident affecting more than 1.4 million patients and was reported to HHS on July 1, 2025 — roughly 15 months later. HIPAA's Breach Notification Rule requires notification to HHS for 500+ person breaches without unreasonable delay and no later than 60 days after discovery. If discovery occurred materially earlier than the federal filing, that timeline raises obvious Breach Notification Rule questions.
The second breach occurred on or about July 25, 2025 — roughly three weeks after the first incident was filed with HHS. A 15-month delay raises serious questions about whether incident response, breach assessment, and notification governance were functioning as intended. The remediation posture that should follow a major breach is difficult to reconcile with a second incident landing so close to federal disclosure of the first. Slow disclosure is the lagging indicator. Weak incident response may be the deeper risk.
Three questions for your practice: If a breach were discovered today, could you start the 60-day clock with certainty about the discovery date? Is your incident response plan tested, not just written? After your last security incident — even a minor one — did remediation get verified by anyone other than the vendor who caused it? Run the free assessment →
Three Signals From the Past Two Weeks
Most "May Filings" Are Q1 Catching Up
Look closely at the May filings in our tracked dataset and the dates do not line up with the breach events. Navia Benefit Solutions filed federally on May 17; the actual attack ran from December 2025 through January 2026, with state AG disclosure in March. Nacogdoches Memorial filed federally on May 18; the attack was in January 2026, with state disclosure in March. The pattern extends to earlier 2026 federal filings of incidents that had already been publicly disclosed via state AGs months prior. OCR is working through the 978-case investigation queue documented in our Q1 State of Compliance. The lag between attack, state disclosure, and federal filing is the structural pattern, not new May activity at scale.
Repeat-Victim Disclosures Are Becoming Visible
Radiology Associates of Richmond is the cleanest case, but it is not isolated. The repeat-victim pattern shows up across imaging providers, billing services, and small-to-mid practices that experience an incident, declare it remediated, and then experience a second incident before any independent verification confirms the first was closed. OCR's enforcement record indicates that the quality of post-incident documentation — not the controls a practice claims to have — is what shapes the regulatory response when the second incident lands.
The Security Rule Update Is Still Targeted for Final Action
OCR's HIPAA Security Rule update remains in the final-rule stage, with the current federal regulatory agenda listing final action for May 2026. OCR has not yet published the final rule. But the proposed rule already shows the direction of travel: removing the required/addressable distinction, requiring encryption of ePHI at rest and in transit with limited exceptions, requiring MFA with limited exceptions, adding vulnerability scanning at least every six months, and requiring penetration testing at least once every 12 months. Whatever your last risk analysis said, the compliance baseline is moving toward more specific, auditable security evidence.
30-Minute System Check · Pre-Position for the Proposed Rule
Each item below is either an immediate response to this window's data or a position your practice should already be in if the Security Rule is finalized substantially as proposed.
1. Document a breach discovery procedure with a named date-stamper. HIPAA's 60-day notification clock starts at discovery, not at investigation conclusion. The RAR timeline shows why discovery-date governance matters: without a clear trigger, breach response can drift for months. One named person should be responsible for date-stamping any potential breach in writing, the same day the indicator surfaces.
2. Verify post-incident remediation independently. If your practice has had any security incident in the past 24 months, even a minor one, confirm that someone other than the vendor who responded to it has documented that remediation is complete. The RAR timeline is a reminder that remediation should not be treated as closed without independent verification.
3. Confirm encryption at rest and in transit across every system. If finalized substantially as proposed, the Security Rule would make encryption of ePHI at rest and in transit required with limited exceptions. That means EHR, billing, backups, email, and vendor portals. If anything is unencrypted today, that is this week's project.
4. Put MFA on every authentication surface that touches PHI: EHR, email, vendor portals, billing systems, remote access. The proposed rule would require MFA with limited exceptions. If a single password still gets anyone into a system that holds patient data, that is a finding waiting to happen.
5. Schedule your first biannual vulnerability scan. The proposed rule would require vulnerability scanning at least every six months. Commission one in the next 30 days regardless of when the final rule publishes. Document the methodology and findings, the kind of artifact OCR would expect to see.
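As an added illustration of checklist items 1 and 2 (not Patient Protect's own tooling), the following Python records a written discovery date, computes the 60-day HHS clock, and flags a second incident that lands before the first was independently verified closed. The RAR dates are constructed from the briefing's rough timeline; the discovery date is an assumption, since the briefing gives only the incident month, not when the breach was discovered.

```python
"""Breach-notification clock and remediation-closure checks for
checklist items 1 and 2. Added illustration, not Patient Protect's code.
The RAR dates are CONSTRUCTED from the briefing's rough timeline; the
discovery date is an ASSUMPTION (the briefing gives only the incident month)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HHS_NOTIFY_WINDOW = timedelta(days=60)  # Breach Notification Rule outer limit

@dataclass
class Incident:
    name: str
    discovered: date                        # same-day written date-stamp (item 1)
    hhs_filed: Optional[date] = None
    verified_closed: Optional[date] = None  # independent sign-off date (item 2)

def incident(name, discovered, hhs_filed=None, verified_closed=None) -> Incident:
    """Build an Incident from ISO-8601 date strings (None stays None)."""
    conv = lambda s: date.fromisoformat(s) if s else None
    return Incident(name, conv(discovered), conv(hhs_filed), conv(verified_closed))

def hhs_deadline(inc: Incident) -> date:
    """The 60-day clock starts at discovery, not at investigation end."""
    return inc.discovered + HHS_NOTIFY_WINDOW

def days_late(inc: Incident, today: Optional[date] = None) -> int:
    """Days past the HHS deadline; 0 if filed on time or still inside the window.
    An unfiled incident is measured against today."""
    reference = inc.hhs_filed or today or date.today()
    return max(0, (reference - hhs_deadline(inc)).days)

def landed_before_closure(first: Incident, second: Incident) -> bool:
    """True if the second incident surfaced before the first was independently
    verified closed: the repeat-victim pattern the briefing describes."""
    return first.verified_closed is None or second.discovered < first.verified_closed

# Constructed RAR timeline: discovery assumed to equal the incident date.
RAR_FIRST = incident("RAR breach 1", "2024-04-15", hhs_filed="2025-07-01")
RAR_SECOND = incident("RAR breach 2", "2025-07-25")

def rar_findings(today: date = date(2026, 5, 27)) -> dict:
    """Summarise the constructed RAR timeline against the 60-day rule."""
    return {
        "first_hhs_deadline": hhs_deadline(RAR_FIRST).isoformat(),
        "first_days_late": days_late(RAR_FIRST, today),
        "second_days_after_first_filing": (RAR_SECOND.discovered - RAR_FIRST.hhs_filed).days,
        "second_before_first_verified": landed_before_closure(RAR_FIRST, RAR_SECOND),
    }
```

Under the assumed discovery date the first filing is over a year past the deadline and the second incident lands 24 days after that filing, with no independent closure recorded in between.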
Get Ahead of the Direction of Travel.
The free HIPAA Risk Assessment scopes against the proposed Security Rule language. 30 minutes, no account, produces the kind of documented artifact OCR would expect to see.
What This Points To
The Q1 thesis was that healthcare risk concentrates at a small number of upstream entities. Two more weeks of data show the same pattern, with one update: the lag between attack, discovery, disclosure, and remediation can become part of the risk itself. RAR is the most legible case. The first breach took 15 months to surface federally. The second breach occurred within weeks of that federal filing. That sequence does not prove causation, but it does raise the right operational question: was the first incident fully understood, remediated, and governed before the second one landed? Slow disclosure is the lagging indicator. Weak incident response may be the deeper risk.
For independent practices, the operational message is direct. The breach you are most likely to be named in is not the one that originates in your office. It is the one at a vendor whose name appears on your AP ledger. But the breach that gets you cited by OCR is more likely to be the one you mishandled internally — the slow disclosure, the unverified remediation, the second incident that landed before the first was closed. The proposed Security Rule appears responsive to exactly that pattern. Continuous risk analysis. Mandatory encryption and MFA. The regulatory framework is moving toward where the actual operational risk has been for the last 18 months.
Patient Protect
Built for where the Security Rule is headed.
Continuous risk analysis. Vendor inventory. BAA tracking with cooperation language. Encryption posture monitoring. Incident-discovery date-stamping. Audit-ready documentation across every domain the proposed rule names. $39/month, no contracts, 14-day free trial.
Worth Reading
Q1 2026 State of Compliance →
The research paper that established the concentration thesis and documented the 978-case OCR investigation queue. The May filings catching up to Q1 incidents are the operational manifestation of that backlog.
Closing Note
The HIPAA Security Rule update remains targeted for final action in May 2026, but OCR has not yet published the final rule. If it lands on the current regulatory-agenda timeline, the June 10 issue will cover the redline in detail — what changed from the NPRM, what's enforceable when, and what the practical implementation work looks like for an independent practice. If it slips, we'll cover what's actually moving in the breach data instead. Either way, the issue lands every other Wednesday.
Next Pulse drops June 10.
Editorial coverage at hipaapulse.com. Operational response at patient-protect.com/hipaa-pulse. This briefing comes from Patient Protect.