SimonMed Imaging Data Breach: Medusa Ransomware Strikes Again, 1.2 Million Patients Exposed
October 2025 — SimonMed Imaging, one of the largest outpatient medical imaging providers in the United States, has confirmed that a January 2025 ransomware attack by the Medusa group compromised the protected health information of 1,275,669 individuals, marking one of the most significant healthcare data breaches disclosed this year.
The Arizona-based radiology giant, which operates over 170 diagnostic imaging centers across 11 states and generates more than $500 million in annual revenue, revealed that attackers maintained access to its network for 16 days, between January 21 and February 5, 2025.
Timeline of the Attack
The breach timeline reveals critical delays in detection and response:
- January 21, 2025: Unauthorized access begins
- January 27, 2025: SimonMed receives alert from vendor experiencing security incident
- January 28, 2025: SimonMed discovers suspicious activity on its own network
- February 5, 2025: Attackers' access ends
- February 7, 2025: Medusa ransomware lists SimonMed on dark web leak site
- October 10, 2025: Patient notifications begin—more than eight months after discovery
This extended notification delay, while not uncommon in complex forensic investigations, raises concerns about how long affected individuals remained exposed to identity theft and fraud before being informed.
What Data Was Compromised?
According to breach notifications filed with state attorneys general, the exposed information is extensive and highly sensitive:
- Full names, addresses, and dates of birth
- Social Security numbers and tax identification numbers
- Driver's license numbers and government-issued ID scans
- Medical record numbers and patient account numbers
- Dates of service and provider names
- Complete medical histories, diagnoses, and treatment information
- Medical imaging files and raw diagnostic scans
- Medication lists
- Health insurance information and claims data
- Financial account numbers and payment details
- Authentication credentials and biometric identifiers
The breadth of this data exposure creates long-term risks that extend far beyond typical financial fraud. Medical records cannot be changed like passwords, and diagnostic imaging files could be used to discriminate against individuals seeking insurance, employment, or other services.
The Medusa Ransomware Threat
The attack was attributed to Medusa ransomware, a Russian-speaking ransomware-as-a-service (RaaS) operation that first emerged in 2021 and has since evolved into one of the most prolific cybercrime groups targeting critical infrastructure.
On February 7, Medusa publicly claimed responsibility for the SimonMed attack on their dark web extortion portal, posting proof-of-breach data including:
- Patient ID scans
- Spreadsheets containing detailed patient information
- Payment details and account balances
- Medical reports
- Raw imaging scans
The group demanded a ransom of $1 million, plus an additional $10,000 for each day the publication deadline was extended, before it would publish all stolen files. The February 21 deadline came and went, and SimonMed's listing was subsequently removed from Medusa's leak site, a typical indication that ransom negotiations may have occurred, though SimonMed has declined to comment on whether payment was made.
Medusa's Growing Healthcare Campaign
SimonMed is far from Medusa's only healthcare victim. The group has established a disturbing pattern of targeting medical providers and imaging facilities:
- Highlands Oncology Group (August 2024)
- Bell Ambulance, Wisconsin (February 2025)
- Vital Imaging Medical Diagnostic Centers, Miami (February 2025, 260,000 patients affected)
In March 2025, the FBI, CISA, and MS-ISAC issued a joint cybersecurity advisory warning that Medusa had already impacted over 300 critical infrastructure organizations across healthcare, education, legal, insurance, technology, and manufacturing sectors.
Beyond healthcare, Medusa has demonstrated its reach with high-profile attacks on organizations including NASCAR (demanding $4 million), Minneapolis Public Schools ($1 million ransom), Toyota Financial Services, and most recently, claiming an 834 GB data theft from Comcast Corporation.
Security Failures and Vendor Risk
According to SimonMed's breach notification, the initial compromise vector appears to be vendor-related. The company was first alerted by a third-party vendor experiencing its own security incident—a stark reminder that healthcare organizations' security is only as strong as their weakest supply chain link.
This vendor compromise highlights a critical vulnerability in modern healthcare operations. Third-party vendors often maintain privileged network access for remote support, data processing, or integrated systems management. When these vendors are compromised, attackers can pivot directly into their clients' networks.
SimonMed's response included immediate containment measures:
- Emergency password resets across all systems
- Implementation of enhanced multi-factor authentication
- Deployment of endpoint detection and response (EDR) monitoring
- Revocation of all direct vendor access to systems
- Engagement of third-party forensic investigators
- Notification to law enforcement agencies
However, these reactive measures came only after attackers had already exfiltrated 212 GB of sensitive patient data over a 16-day period.
The Healthcare Imaging Sector Under Siege
SimonMed's breach is part of a disturbing trend of cyberattacks specifically targeting medical imaging and radiology providers. The sector has become a prime target for several reasons:
1. High-Value Data: Medical imaging files combined with demographic, insurance, and financial information create comprehensive patient profiles worth significantly more on criminal markets than standard credit card data.
2. Operational Criticality: Imaging centers are essential to diagnostic workflows. Ransomware disruptions can halt patient care across entire hospital networks, increasing pressure to pay ransoms quickly.
3. Legacy Infrastructure: Many imaging centers rely on older PACS (Picture Archiving and Communication Systems) and RIS (Radiology Information Systems) that may lack modern security controls.
4. Distributed Operations: Multi-location operations create larger attack surfaces and make consistent security implementation challenging.
Other Major Imaging Provider Breaches in 2024-2025
SimonMed joins an alarming roster of imaging providers hit by major cyberattacks:
Radiology Associates of Richmond (RAR) — April 2024
Virginia's largest radiology practice disclosed in July 2025 that hackers accessed their systems for four days in April 2024, affecting 1,419,091 patients. The breach compromised names, dates of birth, medical details, health insurance information, and for some patients, Social Security numbers. The year-long detection delay is particularly concerning.
Doctors Imaging Group — November 2024
This Florida-based radiology practice with locations in Palatka and Gainesville reported in September 2025 that hackers had access to their network from November 5-11, 2024, affecting 171,862 patients. The compromised data included Social Security numbers, financial account numbers, medical records, and treatment information. Notably, the nearly 10-month delay between discovery and notification exemplifies the challenges in healthcare breach forensics.
Northwest Radiologists & Mount Baker Imaging — January 2025
Following a January security incident causing network disruption, these Washington-based providers completed an extensive investigation revealing that 348,118 patients were affected. The breach compromised comprehensive patient data including Social Security numbers, financial account information, medical histories, and treatment details.
Anne Arundel Dermatology — July 2024
While primarily a dermatology practice, this provider also offers imaging services and suffered a three-month network intrusion affecting over 2 million patients—demonstrating that the threat extends beyond pure-play imaging centers.
Shields Health Care Group — 2022
The largest medical imaging breach on record affected more than 2 million patients at this Massachusetts-based provider, setting a concerning precedent for the scale of healthcare imaging breaches.
Legal and Regulatory Consequences
SimonMed now faces significant legal and regulatory exposure. At least one class action lawsuit has already been filed on behalf of affected patients, with allegations likely focusing on:
- Failure to implement adequate cybersecurity safeguards
- Negligent protection of sensitive patient data
- Delayed breach notification
- Inadequate vendor risk management
- Potential violations of HIPAA Security Rule requirements
The HHS Office for Civil Rights (OCR) is likely to launch an investigation, which could result in substantial penalties if HIPAA violations are found. OCR has increasingly focused enforcement actions on failures to conduct proper risk analyses—a foundational HIPAA Security Rule requirement that many breached organizations have been found to lack.
Recent HIPAA settlements in 2025 suggest SimonMed could face penalties ranging from hundreds of thousands to millions of dollars, depending on the investigation's findings regarding their security posture and compliance history.
Implications for Patients
For the 1.27 million affected individuals, the breach creates both immediate and long-term risks:
Immediate Risks:
- Identity theft using exposed personal information
- Medical identity theft enabling fraudulent treatment or prescription access
- Financial fraud through compromised banking details
- Insurance fraud using stolen policy information
Long-Term Risks:
- Permanent medical record alterations from medical identity theft
- Discrimination based on disclosed medical conditions
- Ongoing phishing and social engineering attacks
- Potential for compromised biometric data to enable persistent unauthorized access
SimonMed is offering affected individuals complimentary credit monitoring and identity theft protection services through Experian IdentityWorks. However, these services provide limited protection against the unique threats posed by medical data exposure.
What Affected Patients Should Do
If you received a breach notification from SimonMed Imaging:
- Activate the monitoring services provided in your notification letter immediately
- Place a fraud alert or consider a credit freeze with the three major credit bureaus
- Review medical benefits statements carefully for any services you didn't receive
- Request a copy of your medical records to check for unauthorized additions
- Monitor prescription drug monitoring databases for fraudulent prescriptions in your name
- Use strong, unique passwords for all patient portals and healthcare accounts
- Enable multi-factor authentication wherever available
- Report suspicious activity to law enforcement and your healthcare providers immediately
- Consider filing a complaint with the HHS Office for Civil Rights at hhs.gov/ocr
- Document all breach-related expenses if considering legal action
Industry-Wide Security Failures
The SimonMed breach and the broader pattern of healthcare imaging provider compromises reveal systemic security failures across the sector:
Insufficient Vendor Risk Management: The initial compromise through a vendor highlights widespread failures to properly vet, monitor, and restrict third-party access.
Inadequate Network Segmentation: The ability to exfiltrate 212 GB of data suggests insufficient internal network controls and data loss prevention measures.
Delayed Threat Detection: A 16-day attacker dwell time indicates gaps in security monitoring and anomaly detection capabilities.
Extended Notification Timelines: The eight-month delay from discovery to notification, while partially justified by investigation complexity, leaves patients vulnerable for unacceptable periods.
Reactive Rather Than Proactive Security: The post-breach implementation of EDR, MFA enhancements, and vendor access restrictions suggests these controls were not adequately deployed beforehand.
The Path Forward
For healthcare imaging providers, the SimonMed breach should serve as a wake-up call. Essential security improvements include:
Zero Trust Architecture: Implement least-privilege access controls and assume breach when designing security controls.
Vendor Security Programs: Establish rigorous third-party risk assessment processes, continuous monitoring of vendor security posture, and contractual security requirements.
Advanced Threat Detection: Deploy behavioral analytics, threat hunting programs, and 24/7 security operations center capabilities.
Regular Penetration Testing: Conduct adversarial simulations to identify vulnerabilities before attackers do.
Incident Response Planning: Maintain tested response plans with clearly defined roles, communication protocols, and recovery procedures.
Data Encryption: Implement encryption at rest and in transit for all patient data, particularly diagnostic imaging files.
Employee Training: Conduct regular security awareness training focused on phishing, social engineering, and secure password practices.
Backup and Recovery: Maintain offline, immutable backups that enable rapid recovery without ransom payment.
Conclusion
The SimonMed Imaging breach represents more than just another healthcare data compromise—it's a stark illustration of how ransomware groups like Medusa have industrialized the targeting of critical healthcare infrastructure. With over 300 organizations already victimized and healthcare imaging providers emerging as prime targets, the sector faces an existential security crisis.
For patients whose data was exposed, the impacts will likely extend for years or even decades. Medical information doesn't expire, diagnostic images can't be changed, and Social Security numbers can't be reset like passwords.
For healthcare organizations, the message is clear: ransomware groups have identified medical imaging as a lucrative target combining high-value data, operational criticality, and often inadequate security controls. Investment in proactive cybersecurity is no longer optional—it's essential to protecting patient safety, maintaining operational viability, and avoiding catastrophic legal and financial consequences.
As Medusa and similar ransomware operations continue their healthcare campaign, the question for imaging providers is not whether they will be targeted, but whether they will be prepared when the attack comes.
Related Reading:
- Blue Cross Blue Shield of Montana Data Breach: 462,000 Members Exposed in Conduent Cyberattack — Another major healthcare breach demonstrating the cascading impact of vendor compromises

This article was updated on October 26, 2025, with the latest information on the SimonMed Imaging breach and related healthcare imaging sector attacks.
