SimonMed Imaging, a leading U.S. provider of outpatient medical imaging services, has disclosed a major cybersecurity incident that compromised the personal and health data of approximately 1.2 million patients.
The breach, which occurred earlier this year, was linked to a ransomware attack claimed by the notorious Medusa group, highlighting ongoing vulnerabilities in the healthcare sector.
Notifications to affected individuals began on October 10, 2025, following a prolonged investigation to assess the full scope of the damage.
The incident came to light on January 27, 2025, when SimonMed received an alert from one of its third-party vendors about a potential security compromise.
The company promptly initiated a system review and detected suspicious network activity the next day, confirming unauthorized access had begun on January 21 and lasted until February 5.
SimonMed Data Breach
Forensic experts determined that cybercriminals had infiltrated the network, exfiltrating files containing sensitive patient information over this two-week period.
SimonMed, which operates more than 170 imaging centers across 11 states and generates over $500 million in annual revenue, specializes in services like MRI, CT scans, ultrasounds, and mammograms.
The attackers, identified as the Medusa ransomware operation, stole around 212 gigabytes of data and demanded a $1 million ransom, posting samples on their dark web leak site to pressure the company.
SimonMed has not confirmed whether it paid the ransom, nor has it disclosed the initial entry point, which was possibly the vendor. The breach underscores the risks of supply chain attacks in healthcare.
In response, SimonMed acted swiftly to contain the threat by resetting passwords, bolstering multifactor authentication, deploying endpoint detection and response tools, severing direct vendor access to internal systems, and restricting network traffic to whitelisted sources only.
The company also engaged law enforcement and privacy specialists, reporting the matter to relevant authorities, including the U.S. Department of Health and Human Services’ Office for Civil Rights.
The exposed information varied among individuals but included highly sensitive details such as full names, addresses, dates of birth, service dates, provider names, medical records and patient numbers, diagnoses, treatment histories, prescribed medications, health insurance details, and even driver’s license numbers.
This breadth of data makes victims prime targets for identity theft, medical fraud, and phishing schemes, as health records fetch high prices on underground markets.
To date, SimonMed reports no confirmed instances of data misuse for fraud or identity theft stemming from the breach, but the delay in notifications, which came nearly nine months after detection, has drawn criticism from cybersecurity experts and patient advocates.
The company initially filed a preliminary report with regulators, estimating 500 affected individuals as a placeholder, with the true figure of 1,275,669 emerging only after exhaustive file reviews.
Data Type | Description | Potential Risk |
---|---|---|
Personal Identifiers | Names, addresses, DOB, driver’s licenses | Identity theft, stalking |
Medical Records | Diagnoses, treatments, medications | Medical fraud, blackmail |
Insurance & Financial | Health insurance info, patient numbers | Billing scams, unauthorized claims |
This table summarizes the key categories of compromised data, illustrating the multifaceted threats posed to patients’ privacy and security.
Protective Measures
The breach has already sparked at least one class-action lawsuit against SimonMed, alleging negligence in safeguarding patient data and insufficient transparency during the response.
Law firms are investigating claims on behalf of affected customers, potentially leading to broader litigation as more details emerge.
To mitigate risks, SimonMed is providing complimentary 24-month memberships to Experian IdentityWorks, offering fraud detection, credit monitoring, and identity restoration services.
Patients are urged to enroll promptly using unique activation codes included in notification letters and to remain vigilant by reviewing credit reports annually via AnnualCreditReport.com and placing fraud alerts with major bureaus like Equifax, Experian, and TransUnion.
Experts emphasize that such incidents reflect a surge in ransomware targeting healthcare, with Medusa alone claiming over 300 victims across critical sectors this year, as warned in a March 2025 FBI advisory.
SimonMed’s ongoing security enhancements, including advanced monitoring and vendor audits, aim to prevent recurrences, but the event serves as a stark reminder for the industry to prioritize robust defenses against evolving cyber threats.