Breach Details and Impact
Lumexa Imaging, a major medical imaging service provider, disclosed a data breach after a vendor security incident exposed patient information. The diagnostic imaging provider was notified by its vendor on April 9, 2026, about suspicious activity within a portion of the vendor’s computer network. Lumexa Imaging promptly disconnected its systems from the vendor environment upon learning of the incident.
An investigation confirmed that an unauthorized actor had access to the vendor’s systems between March 31, 2026, and April 9, 2026. On April 15, 2026, Lumexa Imaging learned that documents associated with its affiliated radiology practices may have been viewed or obtained by the unauthorized party through the vendor connection.
Exposed Data
The compromised information varied by individual and document, potentially including patient names, dates of birth, addresses, phone numbers, patient account numbers, insurance details, and clinical information such as diagnoses and visit dates related to radiology services. For a subset of patients, Social Security numbers were also exposed.
Notification letters were sent to affected individuals by mail in May 2026. The breach affected at least 2,994 individuals, according to Lumexa Imaging’s disclosure to regulators.
Vendor Risk Lessons
This incident highlights the vulnerability of radiology and diagnostic networks, which often handle large volumes of protected health information (PHI) but may rely on third-party vendors with limited cybersecurity resources. Lumexa Imaging’s vendor has reportedly taken steps to secure its systems, including scrubbing and validating affected systems and implementing additional cybersecurity monitoring tools.
For healthcare CISOs and compliance officers, this breach underscores the importance of thorough vendor risk assessments and contractual security obligations, including encryption requirements and incident notification timelines.
Source: HIPAA Journal
