SimonMed Confirms Data Breach Exposed 1.2 Million Patients in January

SimonMed Imaging says a January 2025 breach exposed data for 1.2 million patients. Medusa claimed theft of 212 GB including scanned IDs, medical records, and billing data.

    SimonMed Imaging, a U.S. outpatient radiology provider, has formally disclosed that a cyberattack in January 2025 compromised the personal and medical data of approximately 1.2 million patients. The breach spanned multiple days, and forensic investigators tied the incident to a known ransomware group. SimonMed said that while its core imaging systems were not disrupted, the breach may have exposed highly sensitive patient records.

    The company acknowledged the incident following an internal investigation and completion of breach assessments. SimonMed said it began notifying impacted patients and offered identity monitoring services to affected individuals. The provider affirmed that it is working with cybersecurity experts, law enforcement, and federal regulators to mitigate potential harm and understand the full scope of data exposure.

    “Upon discovering we were the victim of a criminal attack, we immediately began an investigation and took steps to contain the situation.”

    Attack spanned three weeks and involved theft of machine key and archive files

    SimonMed’s timeline indicates that attackers gained access to its systems between January 21 and February 5, 2025. The company reported being alerted to abnormalities in its vendor environment on January 27 and confirmed unauthorized network activity the next day. By February 5, certain systems had been fully contained.

    Forensic analysis linked the attack to the Medusa ransomware group, which claimed to have stolen 212 gigabytes of data. The group published proof samples allegedly containing spreadsheets of patient details, ID scans, scanned medical reports, and payment data. The attackers initially demanded a ransom payment of one million dollars, with offers to delay data publication for an additional fee.

    The leaked files allegedly included names, addresses, medical report data, financial account balances, insurance information and other identifiers. SimonMed has stated that it has not found evidence to date that the exposed data has been misused for identity theft or fraud, but it cannot rule out future misuse. The company’s breach notice categorized it as a “hacking / IT incident” affecting over 1.2 million people.

    To contain further damage, the healthcare provider reset passwords, enforced multifactor authentication, deployed endpoint detection and response systems, removed direct access for third-party vendors, and restricted inbound and outbound traffic to trusted connections. Law enforcement and data security teams were notified as part of the response protocol.

    Medusa claims, proof leaks and removal from extortion site raise questions

    Medusa posted SimonMed’s name on its extortion portal on February 7, indicating a ransom demand. That portal initially displayed proof-of-exposure data, including scanned IDs, medical billing sheets, and images purportedly from SimonMed records. After the initial listing, SimonMed no longer appeared on the public portal, which experts interpret as an indication that ransom negotiations may have occurred.

    Victim advocacy groups warn that even if initial use of the stolen files is not detected, the data may enter secondary markets. Scanned health documents and insurance records can be leveraged for future fraud, identity theft or medical billing schemes. SimonMed’s offer of free identity monitoring is a standard remediation measure, though it may not entirely mitigate long-term risks facing patients.

    Broader healthcare sector trend underscores vulnerability of imaging providers

    The SimonMed breach follows a growing pattern of attacks on radiology centers, imaging networks and outpatient providers. These entities often maintain legacy interfaces, interconnected PACS systems, data exchange workflows with hospitals and clinics, and remote access tools, creating multiple attack surfaces. Attackers who gain access to diagnostic and imaging workflows can also disrupt operational continuity.

    Because imaging providers handle sensitive health records, they are lucrative targets for extortion and data theft, and a breach exposes them to regulatory fines. Under HIPAA, covered entities must report breaches affecting more than 500 individuals to the U.S. Department of Health and Human Services (HHS) and notify affected patients within prescribed windows.

    SimonMed’s reported revenue surpasses $500 million, and it operates some 170 centers across 11 states. Even though the clinical services reportedly remained unaffected, the reputational and regulatory consequences from such a large patient-data breach are significant.

    Next Steps: Monitoring, investigations and regulatory compliance

    SimonMed said it continues to investigate whether any stolen files have been posted or traded publicly and is coordinating with regulators to determine whether additional disclosure is required. Affected patients were advised to monitor personal communications, review insurance and EOB documents carefully, and keep an eye on credit activity for signs of identity theft.

    Moving forward, SimonMed intends to refine its cybersecurity architecture and data handling policies. The company’s commitments include upgraded network segmentation, a review of vendor access practices, continuous logging and monitoring, and periodic security audits.
