NC Business Court Takes on Data Breach Lawsuits Against Imaging Practice

North Carolina’s Business Court is currently handling multiple putative class action lawsuits against Triad Radiology Associates, a Winston Salem-based imaging practice, following a significant data breach that exposed personal information on approximately 11,000 patients. The cases, filed around March 26, 2026, represent a growing trend of litigation targeting healthcare imaging providers for cybersecurity failures—and they’re being prosecuted by Pittsburgh-based law firm Lynch Carpenter, which is investigating claims on behalf of affected patients.

The Triad Radiology breach occurred between July and September 2025, stemming from suspicious activity detected in an employee’s email account. That breach exposed names, addresses, Social Security numbers, bank account information, and other sensitive personal data—the kind of information that puts patients at serious risk for identity theft and financial fraud. Understanding what went wrong at Triad, how the litigation is progressing, and what patients can expect from the lawsuits is essential for anyone affected by this breach.

What Is the Triad Radiology Data Breach and Why Did It End Up in NC Business Court?

On February 6, 2026, Triad Radiology Associates reported the data breach to the HHS Office for Civil Rights, officially notifying the federal government that a cybersecurity incident had compromised patient data. This wasn’t a sophisticated nation-state attack or a ransomware operation—it was the result of suspicious activity in a single employee’s email account that went undetected for months. Between July and September 2025, someone gained unauthorized access to that employee’s account, which contained a treasure trove of patient information including names, addresses, Social Security numbers, and bank account details.

The breach landed in NC Business Court rather than state court because multiple law firms filed coordinated putative class actions, and the Business Court’s specialized docket handles complex commercial litigation. Some of the lawsuits also named the hospitals and medical centers that partner with Triad as co-defendants, which further elevated the stakes. The case exemplifies a pattern that’s becoming increasingly common in healthcare: patient data breaches at third-party providers that create liability cascading through the entire healthcare ecosystem.

How Many Patients Were Affected and What Data Did They Lose?

The breach touched approximately 11,000 patients—a substantial number, though smaller than some other healthcare data breaches. For context, the Eastern Radiologists data breach that settled in 2025 affected 886,746 patients, making the Triad case a mid-size incident by healthcare standards. However, size doesn’t determine impact; what matters is what information was exposed and how quickly patients found out.

The data compromised in the Triad breach included names, addresses, Social Security numbers, bank account numbers, and other personal information. This is the worst-case scenario for data exposure because Social Security numbers and bank account information enable identity theft and financial fraud. The breach window itself—July through September 2025—means some patients may have been at risk for months before notification in February 2026. If you were affected, the sooner you place a fraud alert with the credit bureaus or enroll in identity theft monitoring, the sooner you can catch unauthorized activity.

[Figure: Comparison of Major Radiology Practice Data Breaches. Triad Radiology Breach (2025): 11,000 patients affected. Eastern Radiologists Breach (2023): 886,746 patients affected. Source: HHS Office for Civil Rights, HIPAA Journal, Lynch Carpenter]

What Evidence of Negligence Are the Lawsuits Presenting?

The presence of multiple class actions in NC Business Court suggests the legal teams believe they can establish that Triad Radiology failed to implement adequate security measures. A breach caused by suspicious activity in a single employee’s email account raises serious questions about access controls, account monitoring, and incident response protocols. Why wasn’t the suspicious activity detected sooner? Did Triad have multi-factor authentication enabled? Were there alerts configured to flag unusual access patterns? These are the kinds of questions that plaintiffs’ attorneys are pursuing.

The fact that partnering hospitals are being named as co-defendants indicates the lawsuits are exploring whether those institutions should have required stronger security standards from their imaging vendors. This points to an important problem with third-party vendor breaches: patients may have little visibility into the cybersecurity practices of companies handling their data on behalf of their primary care providers. Unlike a breach at your hospital or doctor’s office, where you might reasonably expect certain security standards, breaches at imaging practices can happen in the shadows of the healthcare system.

What Can Affected Patients Expect from the Litigation Process?

Class action lawsuits against healthcare providers typically follow a predictable path: discovery (where both sides exchange documents and information), possible settlement negotiations, and either a settlement or trial. The presence of Lynch Carpenter, an experienced law firm handling the investigation, suggests the plaintiffs have retained competent counsel. However, litigation timelines are long—even relatively straightforward cases take two to four years to reach resolution.

The most relevant precedent is the Eastern Radiologists data breach settlement, which was preliminarily approved in July 2025 and received final approval in December 2025. That settlement provided $3.25 to $3.35 million in total compensation for 886,746 affected patients—amounts that break down to roughly $3-4 per person for documented losses, plus one year of credit monitoring and identity theft protection services. It’s important to note that settlement compensation in data breach cases is typically modest because the actual financial harm is often difficult to prove; the lawsuit is primarily about holding the defendant accountable for negligence rather than recovering large sums.

How Does the Triad Case Compare to the Eastern Radiologists Settlement?

The Eastern Radiologists settlement offers the most direct comparison because it also involved unauthorized access at an imaging practice. In that case, the breach was detected on November 24, 2023, after unauthorized access occurred between November 20-24, 2023—a much shorter exposure window than Triad’s three-month breach period. Eastern Radiologists settled the case for $3.25-$3.35 million on behalf of 886,746 affected patients, which worked out to minimal individual compensation but did establish that patients had a legal claim.

One key difference: the Eastern Radiologists breach compromised names, Social Security numbers, driver’s licenses, financial account information, insurance details, medical procedures, diagnoses, and imaging results. The Triad breach appears to have exposed similar categories of data. The claim deadline for Eastern Radiologists was December 1, 2025, meaning patients had a limited window to file claims. If the Triad case settles on a similar timeline, affected patients may have only a few months to gather documentation and submit their claims for compensation.

What Should Patients Affected by the Triad Radiology Breach Do Right Now?

If you received notification that you were affected by the Triad Radiology data breach, your first step is to place a fraud alert with the three major credit bureaus—Equifax, Experian, and TransUnion. A fraud alert is free and tells creditors to verify your identity before opening new accounts in your name. You should also check your credit reports for unauthorized accounts or inquiries. Many data breach settlements include free credit monitoring and identity theft protection, so look for those services in the notification you received from Triad or watch for updates from the defendant as the litigation progresses.

Second, gather documentation if you can show that you’ve already suffered identity theft or fraud related to the breach. The Eastern Radiologists settlement compensated documented losses, and the Triad settlement will likely do the same. Keep copies of fraudulent accounts, unauthorized charges, credit reports showing unauthorized inquiries, and any communications with credit card companies or banks. Even if you haven’t been victimized yet, establishing a paper trail now will make it easier to prove your case later if fraud does occur.

Why Are Imaging Practices Becoming Targets for Data Breaches?

Healthcare imaging practices like Triad and Eastern Radiologists have become increasingly attractive targets for cybercriminals because they sit at the intersection of two valuable assets: patient data and payment information. Radiology centers handle images and diagnostic reports that are combined with patient demographics, insurance information, and billing records. Unlike a hospital, which typically has larger IT departments and enterprise-grade security, many imaging practices operate with smaller IT teams and tighter budgets—making them more vulnerable to email-based attacks like the one that compromised Triad’s employee account.

The trend suggests patients should expect more of these cases going forward, particularly as healthcare delivery becomes increasingly distributed across networks of independent practices. The litigation landscape is also evolving; early settlements like Eastern Radiologists are establishing legal precedents that make it easier for future cases to succeed. This may provide stronger incentives for imaging practices to invest in better cybersecurity, though there’s a lag between legal accountability and actual security improvements.
