When it comes to cybersecurity investments for small medical practices, a significant portion is based on faith rather than tangible evidence. The firewall, the IT vendor, the monitoring service, and even the fractional security officer all operate in relative obscurity until something goes wrong. Recently, Radiology Associates of Richmond, Virginia, experienced just such an event, highlighting the hidden risks that small practices face today.
On May 21, 2026, Radiology Associates began mailing breach notifications to approximately 266,183 patients. The cyberattack occurred on July 25, 2025, with confirmation of stolen Protected Health Information (PHI) on April 6, 2026. For a staggering nine months, the practice remained unaware of the breach, a situation that underscores the need for proactive cybersecurity measures. Unfortunately, this incident marked a second breach in under two years.
A breach signifies the end of the uncertainty and shifts accountability from the IT vendor to the practice itself. The class action lawsuit does not cite the firewall as the culprit; instead, patients affected by identity theft are reaching out to the practice for an update.
The piece you can control
One element that medical practice owners can control directly is workforce cybersecurity training. Unlike other aspects of cybersecurity infrastructure, its effectiveness is something owners can verify personally. They can monitor who completes the training, review the modules, and even assess their team’s readiness through mock scenarios and role-playing exercises. By ensuring front desk staff know how to respond to suspicious calls claiming to be from IT, and by educating clinicians on reporting procedures for unexpected workstation behavior, medical practices can bolster their defenses against potential intrusions.
Roughly 80% of all healthcare breaches involve a human element. That is a risk that effective training can mitigate. Our 2026 Cybersecurity Training for Healthcare Professionals consists of twenty modules designed to address common cyber threats. These include phishing, social engineering, zero trust for unscheduled requests, and staff reporting habits that close the gap between attacker arrival and detection.
The Radiology Associates story is not unique. It serves as a cautionary reminder about the persistence of cyber threats, even after implementing new technology solutions. Remember, replacing technology does not change behavior. Staff training does. It is the only line item on your security budget where you can verify that the change you paid for has been achieved.
Investing in your team’s cybersecurity training is an investment in your practice’s future. By empowering your employees with the knowledge they need to identify and respond to threats, you create a culture of vigilance that protects your patients, your data, and your reputation.


