U.S.-based medical imaging provider SimonMed Imaging has disclosed a cybersecurity incident that compromised the personal data of more than 1.2 million patients earlier this year. The company, which operates nearly 170 diagnostic centers across 11 states, specializes in radiology and imaging services such as MRI, CT scans, X-rays, ultrasounds, and mammography.
Details of the breach
According to information shared with regulators, unauthorized individuals gained access to SimonMed’s internal systems between January 21 and February 5, 2025. The breach came to light on January 27, when one of SimonMed’s third-party vendors reported a security incident that also affected the company. An internal investigation confirmed suspicious network activity the following day.
SimonMed stated that once the attack was detected, the organization acted swiftly to contain the intrusion. Measures included resetting employee passwords, activating multifactor authentication, adding endpoint detection and response (EDR) tools, cutting off third-party vendors’ direct system access, and restricting external network connections to only verified sources. Law enforcement authorities were notified, and cybersecurity specialists were brought in to assist in the investigation and recovery process.
Data possibly exposed
While SimonMed has not disclosed the full scope of data accessed by the attackers, the company confirmed that patients’ full names were among the exposed information. Given the type of data typically stored in radiology systems, the breach may also involve sensitive records such as identification details, medical reports, and financial information.
As of October 10, SimonMed reported finding no evidence that the compromised data has been used for fraud or identity theft. Affected individuals have been offered free identity theft protection services through Experian as a precautionary step.
Ransomware group claims responsibility
Shortly after the breach, the Medusa ransomware group claimed responsibility, listing SimonMed on its leak site on February 7. The group alleged that it had stolen 212 gigabytes of data and released a small sample online as proof. The leaked files reportedly contained ID scans, patient information spreadsheets, billing details, and diagnostic reports.
Medusa demanded a ransom of $1 million, along with an additional $10,000 fee for each day the company delayed payment before full data disclosure. SimonMed’s name has since been removed from the group’s website, which often suggests that negotiations may have taken place. However, the company has not confirmed whether any ransom payment was made.
Growing threat to healthcare organizations
The Medusa ransomware operation, which surfaced in 2023, has been linked to several high-profile attacks on critical infrastructure, including the Minneapolis Public Schools and Toyota Financial Services. In March 2025, the FBI, CISA, and MS-ISAC jointly warned healthcare and education organizations about Medusa’s ongoing targeting campaigns.
Cybersecurity experts emphasize that healthcare institutions remain vulnerable due to the volume of sensitive data they handle. Experts recommend strengthening authentication protocols, monitoring system activity, and maintaining up-to-date security measures to minimize the risk of future incidents.
