Associated Radiologists of the Finger Lakes reports network breach

The New York imaging provider is investigating unauthorized access that may have exposed patient and employee data.

What happened

Associated Radiologists of the Finger Lakes, P.C. disclosed a data security incident after detecting suspicious activity on its network on October 30, 2025. The organization determined that an unauthorized party accessed a limited portion of its systems between October 28 and October 30, during which certain files may have been accessed or copied without permission. In a public notice, the practice said that “information privacy and security are among ARFL’s highest priorities” and that it “moved quickly to investigate and respond to the incident, assess the security of its systems, restore functionality to its IT network, and undertake the processes needed to notify potentially affected individuals.” The incident prompted parts of the network to be taken offline while third-party cybersecurity specialists conducted an investigation. ARFL also confirmed that it reported the incident to the Federal Bureau of Investigation and relevant federal data privacy regulators, adding that it is “reviewing and enhancing its technical, administrative, and physical safeguards” and remains committed to “maintaining timely and transparent communication with our community.”

Going deeper

The practice said the information potentially involved varies by individual and includes both personally identifiable information and protected health information. Data under review may include names, addresses, dates of birth, medical record numbers, full or partial Social Security numbers, and clinical details such as treatment information, prescribing providers, and insurance data. The organization is conducting a detailed file-level review to determine exactly what information was involved and which individuals are affected. Direct notifications will be issued once that process is complete, as required under federal and state privacy rules.

What was said

Associated Radiologists of the Finger Lakes said it is taking the matter seriously and has established a dedicated assistance line for individuals with questions. The organization advised potentially affected individuals to remain alert for signs of identity theft or fraud, review account statements, and monitor credit reports. It also recommended considering fraud alerts or credit freezes through major credit bureaus and reporting any suspected misuse to financial institutions, insurers, healthcare providers, or law enforcement.

The big picture

Paubox’s 2025 Mid-Year Email Breach Report shows that small and mid-sized healthcare organizations remain among the most vulnerable to cyber threats. With fewer internal security resources and a strong dependence on third-party vendors, these providers face increased exposure to email-based attacks and network intrusions. Incidents affecting tens or even hundreds of thousands of records are no longer unusual, making it clear that cyber risk is not limited to large hospital systems.

FAQs

Why are radiology and imaging practices common targets?

They handle high volumes of clinical images and reports that are integrated across hospital and outpatient systems, which increases the amount of sensitive data stored on networked platforms.

Does a short access window reduce patient risk?

Not necessarily. Even brief access can allow copying of large numbers of files, especially when systems are not segmented.

When will affected individuals be notified?

Notifications are expected after the organization completes its file review and confirms which individuals’ information was involved.

What should patients watch for after an incident like this?

Unfamiliar medical bills, insurance claims they did not authorize, or financial account activity that does not match their records.

Is credit monitoring always offered after healthcare breaches?

It depends on the type of information involved and organizational policy. Some providers offer monitoring services, while others provide guidance on self-monitoring and fraud protection steps.