πŸ³οΈβ€βš§οΈ trans rights are human rights πŸ³οΈβ€βš§οΈ
Theme

How Specialty Networks & Prime Imaging Exposed Thousands Of Patients’ Health Secrets

TL;DR

  • Specialty Networks and Prime Imaging left the health records of more than 400,000 patients unencrypted, and hackers walked right through their front door on December 11, 2023.
  • The stolen data includes Social Security numbers, diagnoses, medications, driver’s license numbers, and health insurance information — the kind of information you can never change and that criminals sell for years.
  • Defendants knew about the breach by December 18, 2023, but waited eight months before telling patients, stripping victims of their earliest chance to protect themselves.
  • On the dark web, a single patient’s complete medical record sells for $50 to $200. Criminals cross-reference stolen files to build complete “Fullz” dossiers worth far more — and victims of medical identity theft spend an average of $20,000 per incident to recover (roughly six months of take-home pay for a minimum wage worker).
  • The breach affected children, a military veteran with a diagnosed anxiety disorder whose doctor increased her medication dosage as a direct result, and adults whose data remains unencrypted inside Defendants’ systems to this day.

Ann Lovell already has fraudulent bank charges. Her story — and why children in this breach face a lifetime of identity theft risk — is in The Non-Financial Ledger.

Healthcare Data Breach Investigation

Your Diagnosis Is For Sale

How Specialty Networks and Prime Imaging left 400,000 patients’ most private health secrets unprotected — then hid the breach for eight months while their data sold on the dark web.


A military veteran with an anxiety disorder had her medications, diagnoses, and Social Security number stolen by hackers — and the companies responsible waited eight months to tell her, during which time her doctor was forced to increase her dosage to manage the anxiety the breach itself caused.

This is the story of two companies in Chattanooga, Tennessee — Specialty Networks, LLC, a radiology software provider, and Prime Imaging, LLC, a radiology medical practice — that stored the intimate health secrets of more than 400,000 patients without basic encryption, without adequate monitoring systems, and without any functioning incident response plan. When hackers came calling on December 11, 2023, they found an open door.

What followed was one of the more brazen examples of corporate negligence in the ongoing healthcare data breach epidemic: silent systems that failed to alert security staff, a months-long delay in notifying victims, and data so sensitive that the law treats it as nearly impossible to remediate once stolen. The complaint filed in federal court paints a damning picture of two companies that collected intimate patient data as a condition of receiving medical care — then treated protecting that data as an afterthought.


The Facts

Eight Months of Silence While Your Data Sold

Hackers infiltrated Specialty Networks’ systems on or around December 11, 2023. The company discovered the intrusion on December 18, 2023. By May 31, 2024, Specialty Networks had confirmed that patients’ personal and protected health information was involved. The company sent breach notification letters beginning August 15, 2024. The math is simple: patients who deserved to know in December 2023 were left in the dark until August 2024.

That eight-month gap is a violation of the HIPAA Breach Notification Rule, which requires covered entities to notify affected individuals “without unreasonable delay and in no case later than 60 days following discovery of the breach.” Specialty Networks blew past that 60-day deadline by more than six months. Every day of delay was another day victims could not freeze their credit, monitor their insurance accounts, or alert their banks.

The hackers’ entry was, according to the complaint, invisible to Specialty Networks because the company lacked basic security infrastructure. Reconnaissance, file location mapping, and mass data exfiltration all happened without triggering a single alarm. The complaint states these are standard, “noisy” hacker activities that any reasonable cybersecurity program would have detected immediately.

“The hackers were able to infiltrate Specialty Networks’ systems, perform reconnaissance functions, identify the location of files containing Plaintiffs’ data, and then exfiltrate that Private Information all without triggering any alarms.”

Timeline: From Breach to Notification

  • Dec 11, 2023: Hackers enter systems
  • Dec 18, 2023: Breach discovered
  • May 31, 2024: PHI exposure confirmed
  • Aug 15, 2024: Victims notified

8+ months of silence — HIPAA allows a maximum of 60 days.

The Misconduct

Everything You Never Wanted Strangers to Know

The stolen data was comprehensive in the worst possible way. According to the breach notification letters sent to plaintiffs, the exfiltrated information included names, dates of birth, driver’s license numbers, Social Security numbers, medical record numbers, treatment and condition information, diagnoses, medications, and health insurance information. This is the complete picture of a human life.

This data carries a specific danger that a credit card breach does not. A stolen credit card can be cancelled in minutes. A stolen Social Security number, diagnosis, or date of birth cannot be changed. Criminals and identity brokers treat this permanence as a feature. The complaint cites cybersecurity expert Martin Walter of RedSeal: personal health information is “worth more than 10x on the black market” compared to standard credit card data. The U.S. Government Accountability Office has confirmed that stolen health data can be held and weaponized for a year or more before victims ever see the first fraudulent charge.

The Data Was Left Unencrypted — By Choice

The complaint is explicit: Specialty Networks stored patient data without encryption and without redaction. This is not a technical failure that snuck up on the company. Encryption is a mandatory baseline requirement under HIPAA. The FTC’s published guidelines for businesses specifically name encryption as a core obligation. Specialty Networks ignored both. The complaint states the company “failed to adequately protect Plaintiffs’ and Class Members’ Private Information and failed to encrypt or redact this highly sensitive information.”

The complaint further argues Defendants failed to implement logging tools, monitoring systems, endpoint detection software, data loss prevention tools, or centralized security alerts. These are described as standard components of any reasonable cybersecurity program. The hackers did not need sophisticated tools to succeed. They needed Specialty Networks to stay exactly as unprepared as it was.

Dark Web Market Value: Stolen Medical vs. Financial Data

[Chart: dark web price (USD) by data type. PII (low) $40; PII (high) $200; Medical (low) $50; “Fullz” package $100+; corporate breach $4,500. Sources: Experian, LogDog, VPNOverview, as cited in complaint.]

The Non-Financial Ledger

The Damage That Doesn’t Show Up in a Settlement

Dana Jones served in the military. She came home carrying an anxiety disorder, for which she was receiving treatment at the VA. She trusted her medical providers with her diagnosis, her medications, her child’s health records, and her Social Security number because she had no choice. The law required her to hand over this information as a condition of receiving medical care. Specialty Networks stored it all without encryption. When she received her breach notification letter in August 2024 — eight months after her data was stolen — her anxiety disorder worsened measurably. Her VA doctor prescribed new medications and increased her dosage specifically because of the breach. Specialty Networks caused a clinical deterioration in a veteran’s mental health and told her about it eight months after the fact.

Ann Lovell, a former Prime Imaging patient, received her notification letter on August 15, 2024. The complaint describes what followed in specific, concrete terms: fraudulent transactions appeared on her bank account. She spent her own time calling her bank, fighting for reimbursements, ordering a new debit card, and updating all her payment information across every account. The charges were eventually reimbursed, but the time, the stress, and the emotional labor were not. She is also experiencing anxiety, embarrassment, sleep disruption, stress, and fear — symptoms the complaint acknowledges go beyond inconvenience and constitute recognized legal injury. Her sensitive information remains inside Defendants’ systems, still without adequate protection, right now.

Matthew Hammond’s son, R.H., is a minor. A child’s data — Social Security number, date of birth, medical records — was stored by Specialty Networks and stolen by criminals who made a business of it. Hammond cannot even verify whether his son has experienced fraud yet because R.H. is too young to have accounts. The complaint is frank about the horror of this: criminals may hold stolen child identity data for years, deploying it only when the child is old enough to apply for credit, a job, or a student loan. R.H. faces a compromised financial identity before he has ever had one. Specialty Networks held his data without encryption and gave his father eight months of silence instead of a warning.

Richard Cohen, a software engineer who understands data security better than most, spent four to five hours every single week in the aftermath of the breach monitoring accounts, verifying the breach, and managing the fallout. That is time carved out of his professional and personal life, week after week, indefinitely, because two companies in Chattanooga decided that basic cybersecurity tools were optional. The complaint notes that even Cohen — someone who knows the landscape — cannot fully protect himself because his information is still sitting inside Defendants’ systems, unencrypted, right now, subject to future unauthorized disclosures at any moment.

“The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”

Legal Receipts

Straight From the Filing: The Most Damning Passages


Societal Impact Mapping

The Ripple Effects That Outlast Any Lawsuit

Public Health: When Your Medical Records Become a Weapon

Medical identity theft is not abstract. When a criminal uses your stolen health records to receive medical treatment or prescription drugs, their treatment history merges with yours. A mismatched blood type, a fabricated allergy, a fraudulent diagnosis can all end up embedded in your permanent medical file. The California Attorney General’s Office warns plainly: “If the thief’s medical treatment or diagnosis mixes with your treatment or diagnosis, your health is at risk.” This means the breach Specialty Networks allowed to happen does not just create financial risk — it creates physical danger at every future doctor’s visit.

The data stolen here includes medication information and diagnoses. These are not neutral facts. A stolen diagnosis can be used to fraudulently bill insurance for treatments never received, driving up the victim’s premiums or eliminating their coverage entirely. The complaint cites an Experian study finding that almost half of medical identity theft victims lose their health care coverage as a result of the incident, while nearly one-third see their insurance premiums rise. Forty percent are never able to resolve their identity theft at all. For lower-income patients, losing health coverage is a medical crisis in itself.

The psychological harm is equally serious and well-documented. Research cited in the complaint found that nearly 85% of data breach victims reported disturbances in their sleep habits, 77% reported increased stress levels, and nearly 64% had trouble concentrating. Aches, pains, headaches, and cramps affected nearly 57%. These are not minor inconveniences. For a veteran already managing an anxiety disorder, as with plaintiff Dana Jones, these effects compound on a pre-existing clinical condition. The breach did not merely expose data. It re-injured a person who had already given enough.

Economic Inequality: The People Who Can Least Afford This Pay the Most

The average cost of medical identity theft is approximately $20,000 per incident (roughly six months of take-home pay for a minimum-wage worker, or more than what most Americans have saved for emergencies), according to Experian research cited in the complaint. That number assumes victims can pay it. Many cannot. The people seeking radiology services at practices like Prime Imaging are overwhelmingly working-class and middle-class families. They gave their information as a condition of getting care they needed. They had no ability to opt out, negotiate, or choose a provider with better security. The power imbalance was total.

The complaint notes that cybersecurity investment in healthcare “tends to lag behind other industries,” with the sector spending only 6% of its overall IT budget on security. Meanwhile, healthcare data breaches cost more than in any other industry and have increased for thirteen consecutive years. The companies collecting and profiting from patient data are making a deliberate choice to under-invest in protecting it. The victims of that choice are the patients — not the executives, not the shareholders, and not the investors who funded the infrastructure that failed them.

The economic harm extends in time as well as money. The U.S. Government Accountability Office found that stolen data can sit dormant for a year or more before criminals deploy it, and that “fraudulent use of that information may continue for years.” For the minor children named in this case — R.H. and A.J. — the economic exposure may not fully materialize until they are adults applying for credit, student loans, or jobs. These children carry a liability they did not choose and cannot escape, created by companies that treated their data as a commodity and their safety as a cost to be minimized.


The Cost of a Life Metric

The Numbers That Should Enrage You

400,000+
Patients whose private health information was compromised in this single breach — Social Security numbers, diagnoses, medications, and more — all stored without encryption.
At just $50 per record (the conservative dark web floor price for medical data), criminals stood to earn $20,000,000 from this one breach alone (enough to fund a full-time community health clinic for roughly 20 years).
$20,000
Average cost per medical identity theft victim (roughly six months of gross pay for a full-time minimum wage worker).
8 months
Time victims were kept in the dark while their data circulated on the dark web. HIPAA requires notification within 60 days.
40%
Of medical identity theft victims who are never able to fully resolve the damage to their records and finances.
$0
What Defendants spent on the encryption that would have protected every record — a standard, widely available, legally required safeguard they simply chose not to use.

Healthcare Data Breach Scale: A 20-Year Epidemic (People Affected)

[Chart: people affected by healthcare data breaches. 2005–2019 cumulative: 249M; Q1 2023 alone: 41.4M; 2019 alone (505 breaches): 41M. Sources: National Library of Medicine, HIPAA Journal, as cited in complaint.]

What Now?

Who Answers for This — and What You Can Do

The Corporate Roles That Held the Keys

The complaint names Specialty Networks, LLC and Prime Imaging, LLC as the responsible defendants. The leadership and board members of these entities are not identified by name in the source material. What the complaint does establish is clear lines of institutional responsibility: Specialty Networks, as the technology provider, held the data and controlled the security infrastructure. Prime Imaging, as the covered entity under HIPAA, had a legal obligation to ensure Specialty Networks complied with patient privacy laws through a formal business associate agreement and ongoing supervision. Both companies failed. Both companies profited from collecting this data. Both companies bear responsibility for what happened to it.

Regulatory Watchlist

  • U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) — primary HIPAA enforcement authority; file a complaint at hhs.gov/hipaa
  • Federal Trade Commission (FTC) — enforcement authority for unfair data security practices under Section 5 of the FTC Act; report at ftc.gov/complaint
  • Tennessee Attorney General — state-level consumer protection and data breach enforcement
  • Georgia Attorney General — jurisdiction over Prime Imaging LLC as a Georgia entity
  • Consumer Financial Protection Bureau (CFPB) — if you experience fraudulent financial transactions as a result of the breach

Steps to Take Right Now If You’re Affected

  • Place a free credit freeze with all three bureaus: Equifax, Experian, and TransUnion — this costs nothing and stops criminals from opening accounts in your name
  • Place a 7-year extended fraud alert if you believe your identity has already been used
  • Review your health insurance statements line by line for treatments or prescriptions you never received
  • Request your complete medical records from providers to check for entries that do not belong to you
  • File a police report if you find evidence of fraud — your credit bureaus will require it for dispute resolution

Lawsuits and regulators move slowly. Your neighbors, mutual aid networks, and local patient advocacy organizations move faster. Share this investigation. Connect affected community members with local legal aid societies and identity theft victim assistance programs. The class action fight is important — but rebuilding trust and safety in the community happens on the ground, one person at a time, long before any settlement check arrives.


The source document for this investigation is attached below.


I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
