SimonMed Data Breach Exposes 1.2 Million Patients’ Sensitive Information

SimonMed Imaging, a prominent provider of outpatient medical imaging services in the United States, has reported a significant cybersecurity incident that compromised the personal and health information of approximately 1.2 million patients. This breach, linked to a ransomware attack by the Medusa group, underscores the persistent vulnerabilities within the healthcare sector.

Incident Overview

The breach was first detected in late January 2025. On January 27, SimonMed received an alert from a third-party vendor regarding a potential security issue. A subsequent internal investigation revealed unauthorized access to the network, beginning on January 21 and continuing until February 5. During this period, cybercriminals infiltrated the system and exfiltrated files containing sensitive patient data.

Scope of the Breach

SimonMed operates over 170 imaging centers across 11 states, offering services such as MRI, CT scans, ultrasounds, and mammograms. The Medusa ransomware group claimed responsibility for the attack, stealing approximately 212 gigabytes of data and demanding a $1 million ransom. Samples of the stolen data were posted on the group’s dark web leak site to pressure the company into paying.

Data Compromised

The information exposed in the breach varies by individual and may include:

– Full names
– Addresses
– Dates of birth
– Service dates
– Provider names
– Medical records and patient numbers
– Diagnoses
– Treatment histories
– Prescribed medications
– Health insurance details
– Driver’s license numbers

This extensive range of data increases the risk of identity theft, medical fraud, and phishing schemes, as health records are highly valued on underground markets.

Response and Mitigation Efforts

In response to the breach, SimonMed implemented several measures to contain the threat and enhance security:

– Resetting passwords
– Strengthening multifactor authentication
– Deploying endpoint detection and response tools
– Severing direct vendor access to internal systems
– Restricting network traffic to whitelisted sources only

The company also engaged law enforcement and privacy specialists, reporting the incident to relevant authorities, including the U.S. Department of Health and Human Services’ Office for Civil Rights.

Notification and Legal Actions

Notifications to affected individuals began on October 10, 2025, following a comprehensive investigation to assess the full scope of the damage. The delay of nearly nine months between detection and notification has drawn criticism from cybersecurity experts and patient advocates. SimonMed initially estimated 500 affected individuals in a preliminary report, with the true figure of 1,275,669 emerging only after exhaustive file reviews.

The breach has already led to at least one class-action lawsuit against SimonMed, alleging negligence in safeguarding patient data and insufficient transparency during the response. Law firms are investigating claims on behalf of affected customers, potentially leading to broader litigation.

Industry Context

This incident is part of a troubling trend of cyberattacks targeting the healthcare sector. In 2024, the healthcare industry faced an unprecedented wave of cyberattacks, with 276 million patient records exposed globally. Malware strains like MedStealer exploited vulnerabilities in legacy healthcare IT systems and third-party vendor networks, leading to significant data breaches.

Other notable incidents include:

– Serviceaide Cyber Attack: Exposed the data of approximately 480,000 Catholic Health patients due to an improperly secured Elasticsearch database.
– Esse Health Data Breach: Compromised the personal and health information of approximately 263,000 patients through unauthorized access to the network.
– Blue Shield Data Leak: Inadvertently shared protected health information of 4.7 million members with Google’s advertising platforms over nearly three years due to a misconfiguration of Google Analytics.

Protective Measures for Patients

Given the sensitive nature of the compromised data, affected individuals are advised to take proactive steps to protect themselves:

– Monitor Financial Accounts: Regularly review bank statements and credit reports for any unauthorized activity.
– Be Vigilant Against Phishing: Exercise caution with unsolicited communications requesting personal information.
– Utilize Identity Theft Protection Services: Consider enrolling in services that monitor for potential misuse of personal information.

Conclusion

The SimonMed data breach highlights the critical need for robust cybersecurity measures within the healthcare industry. As cyber threats continue to evolve, healthcare providers must prioritize the protection of patient data to maintain trust and comply with regulatory requirements. Patients, in turn, should remain vigilant and proactive in safeguarding their personal information.