Central Kentucky Radiology (CKR), a radiology services provider based in Lexington, Kentucky, is notifying approximately 167,000 individuals that their personal information was compromised following a data breach that occurred between October 16 and October 18, 2024. The organization discovered the breach after detecting unusual activity and a disruption in its computer network on October 18, 2024.
An internal investigation revealed that an unauthorized actor accessed and copied files from certain CKR systems during the two-day period. The compromised files contained sensitive personal information, including names, addresses, dates of birth, Social Security numbers, dates of medical service, and service charges. This information is classified as both personally identifiable information (PII) and protected health information (PHI), making it highly valuable and potentially dangerous if misused.
CKR completed its review of the stolen files on May 7, 2025, and began notifying affected individuals by mail starting June 12, 2025. The company also reported the incident to relevant authorities, including the U.S. Department of Health and Human Services and several state Attorney General offices. As of now, there is no evidence of actual or attempted misuse of the compromised data, but CKR is notifying affected individuals out of an abundance of caution.
To support those impacted, CKR is offering 12 months of free credit monitoring services through TransUnion’s Cyberscout, which includes credit monitoring, fraud consultation, and identity theft restoration. The organization has also implemented additional security measures and is enhancing employee training to help prevent future incidents.
Affected individuals are encouraged to monitor their credit reports, place fraud alerts or credit freezes, review financial and health insurance accounts for suspicious activity, and be vigilant for phishing scams. Legal firms are investigating the breach and may offer affected individuals the opportunity to join class action lawsuits to seek compensation for potential harm caused by the data exposure.
