Multiple class action lawsuits against Triad Radiology Associates PLLC have been filed in North Carolina Business Court following a significant data breach affecting approximately 11,000 patients. The Winston-Salem-based radiology practice notified affected individuals of the breach on February 8, 2026, after discovering that unauthorized individuals had accessed sensitive patient information between July and September 2025.
The breach represents one of the more serious healthcare data security incidents in the state in recent years, given the scale of affected individuals and the types of personal information exposed. Beyond the immediate privacy concerns, the class actions highlight broader questions about healthcare data security practices and the responsibilities of medical facilities to protect patient information from cyber threats.
Table of Contents
- What Information Did the Triad Radiology Data Breach Expose?
- The North Carolina Business Court Class Actions and Timeline
- What Personal Harm Can Result From This Type of Data Breach?
- What Are Patients’ Rights and Options in These Class Actions?
- Data Security Obligations and Hospital Partnership Liability
- Lessons From Similar Healthcare Data Breaches
- What Comes Next in North Carolina Business Court Litigation
What Information Did the Triad Radiology Data Breach Expose?
The compromised data included names, addresses, Social Security numbers, bank account information, and other personal identifying details belonging to approximately 11,000 patients. This combination of information is particularly dangerous because it provides criminals with what they need to commit identity theft, open fraudulent accounts, or conduct financial fraud. For instance, a bad actor with someone’s SSN and bank account number can attempt unauthorized transfers or apply for credit in that person’s name.
Triad Radiology Associates engaged a third-party investigator to assess the full scope of the breach after discovering the unauthorized access. The fact that a healthcare practice needed external expertise to understand the extent of the compromise underscores a common issue in the healthcare sector: many medical facilities lack the in-house expertise to rapidly identify and contain sophisticated cyber intrusions. The investigation confirmed the July-to-September 2025 timeframe for when unauthorized individuals accessed the systems, with the infiltration beginning around late July.
The North Carolina Business Court Class Actions and Timeline
The class action lawsuits were filed in March 2026 in North carolina Business Court, naming Triad Radiology Associates PLLC and some hospital partners of the radiology practice as defendants. Multiple putative class actions were filed, meaning different law firms have brought separate but related claims on behalf of affected patients. Lynch Carpenter, a Pittsburgh-based law firm, is among the firms representing class members in these cases.
However, filing in business court rather than civil court can affect the pace and dynamics of litigation. Business courts typically handle cases involving business-to-business disputes and complex commercial matters, though they increasingly see healthcare and data breach cases. The defendants have not yet filed public responses to the complaints at this stage, so the legal arguments and defenses have not been fully laid out. Plaintiffs’ counsel will need to establish that the defendants failed to maintain reasonable security measures to protect patient data.
What Personal Harm Can Result From This Type of Data Breach?
Patients affected by the Triad Radiology breach face concrete risks of identity theft and financial fraud. With SSNs and bank account information in the hands of unauthorized parties, affected individuals are vulnerable to fraudulent credit applications, unauthorized bank transfers, tax return fraud, and opening of accounts in their names. The emotional and financial toll of identity theft recovery can take months or years.
Additionally, patients may face ongoing risk if stolen information appears in the dark web or is sold among criminal networks. Even if criminals don’t immediately use the information, the exposure may have a long tail—some individuals discover identity theft attempts years after the initial breach. This uncertainty is why class action lawsuits in data breach cases often seek damages for future identity theft monitoring services, emotional distress, and actual fraud losses.
What Are Patients’ Rights and Options in These Class Actions?
Individuals affected by the Triad Radiology breach should monitor communications from the defendants and any settlement notices that may be issued as the litigation progresses. Class members generally have the right to submit claim forms if a settlement is reached, and courts must approve any settlement to ensure it adequately compensates affected individuals. Some class actions result in cash payments; others provide free credit monitoring services; many provide both.
A key tradeoff exists in class litigation: settlements often require class members to waive their right to sue independently. In exchange, they receive compensation from a settlement fund that doesn’t require proving individual damages. For major identity theft issues already discovered, some individuals might prefer to opt out and pursue individual claims, though this carries significant legal expenses. Most affected patients benefit from remaining in the class and accepting a settlement rather than bearing the cost of individual litigation.
Data Security Obligations and Hospital Partnership Liability
Healthcare facilities have a legal obligation under HIPAA and state data protection laws to maintain reasonable security measures to protect patient information. The inclusion of hospital partners as defendants in these class actions suggests that plaintiffs’ counsel believes the hospital partnerships may share responsibility for the breach or failed to ensure adequate security standards among their affiliated providers. Healthcare networks often have contractual obligations to maintain security standards across all affiliated entities.
However, determining liability among multiple defendants can be complex. A hospital partner might argue that the radiology practice, as an independent entity, was solely responsible for its own cybersecurity. Conversely, plaintiffs may argue that hospitals that contract with radiology practices have obligations to ensure those partners maintain adequate security—or face liability for failing to oversee their partners. Discovery in the litigation will likely reveal internal communications about security investments and breach response protocols.
Lessons From Similar Healthcare Data Breaches
Healthcare data breaches have become increasingly common as medical practices digitize records and connect to larger networks. Similar cases have involved imaging centers, dental practices, and specialty clinics where patient data was exposed through inadequate cybersecurity.
The common thread in many successful class actions is evidence that the organization knew (or should have known) about security vulnerabilities but failed to implement fixes before a breach occurred. For Triad Radiology, the presence of a third-party investigator’s involvement and the prompt notification to patients (within approximately six months of the breach discovery) are factors that could influence settlement negotiations. Organizations that delay notification or try to minimize the scope of a breach often face larger settlements and greater reputational damage.
What Comes Next in North Carolina Business Court Litigation
The coming months will likely see motions practice, where defendants challenge the adequacy of class definitions and the sufficiency of plaintiffs’ claims. If cases survive motions to dismiss, discovery will begin—the process where both sides exchange documents and take depositions. In healthcare data breach cases, discovery typically focuses on the organization’s security policies, patch management practices, employee training records, and communications about known vulnerabilities.
Settlement discussions often accelerate once discovery reveals the strength of each side’s evidence. Many healthcare data breach cases settle rather than proceed to trial, with settlement amounts typically ranging from tens of thousands to low millions of dollars depending on class size and actual damages proven. The Triad Radiology cases will likely follow this pattern, with resolution expected sometime in 2026 or 2027.