SimonMed Imaging confirms 1.27 million affected in January cyberattack

One of the largest U.S. medical imaging providers has confirmed that over 1.2 million patients had their data stolen during a January 2025 ransomware attack.

 

What happened

SimonMed Imaging, which operates more than 170 imaging centers across 10 U.S. states, has begun notifying 1,275,669 individuals affected by a January cyberattack. In a filing to the Maine Attorney General, the Scottsdale-based provider confirmed that protected health information (PHI) was compromised. The U.S. Department of Health and Human Services (HHS) currently lists the incident on its breach portal with a placeholder figure of 500 individuals, pending an official update.

SimonMed said that while data theft has been confirmed, there is no evidence of misuse so far. The company is offering complimentary credit monitoring and identity theft protection services to all affected individuals.

 

Going deeper

SimonMed first disclosed the attack in April 2025, stating that it was alerted on January 27 by one of its vendors experiencing a security issue. A day later, suspicious activity was detected on SimonMed’s own systems. A forensic review revealed that hackers had direct access to its network from January 21 through February 5, during which patient data was exfiltrated.

The Medusa ransomware group claimed responsibility for the breach, alleging it had stolen 212 GB of data and demanding a $1 million ransom with a February 21 payment deadline. However, SimonMed is not currently listed on Medusa’s data leak site.

Exposed data varies by individual but may include names, addresses, birth dates, service dates, provider details, medical records, diagnoses, treatment information, medication details, insurance information, and driver’s license numbers.

 

What was said

SimonMed confirmed that it took immediate action to contain the breach and strengthen its cybersecurity posture. Measures included resetting passwords, implementing multifactor authentication, adding endpoint detection and response monitoring, and revoking all direct vendor access. The company said additional safeguards will be introduced as the investigation continues.

A spokesperson for SimonMed declined to comment on whether a ransom was paid. At least one class action lawsuit has already been filed on behalf of affected patients.

 

The big picture

According to Bleeping Computer, “The Medusa ransomware-as-a-service (RaaS) operation launched in 2023 and gained its infamy with attacks such as the one on the Minneapolis Public Schools (MPS). The gang also targeted Toyota Financial Services. A joint advisory by the FBI, CISA, and MS-ISAC from March 2025 warned about Medusa ransomware activity, noting that the threat group had impacted over 300 critical infrastructure organizations in the United States.”

 

FAQs

Who is the Medusa ransomware group?

Medusa is a known ransomware collective that targets healthcare, education, and government sectors. It operates a data leak site where it publishes stolen data if victims refuse to pay ransom demands.

 

Why are placeholder figures used on the HHS breach portal?

When an organization cannot immediately confirm the total number of individuals affected, it reports a minimum placeholder, typically 500, until the review of compromised files is complete.

 

What does SimonMed’s offer of credit monitoring cover?

Affected individuals receive free access to credit monitoring, fraud alerts, and identity restoration services to help detect and mitigate potential misuse of their information.

 

How do vendor-related breaches occur in healthcare?

Third-party vendors often have network or data access privileges, and if their systems are compromised, attackers can use that access to infiltrate healthcare organizations.

 

What legal or regulatory consequences could SimonMed face?

SimonMed may face class action lawsuits from affected patients and potential HIPAA enforcement actions from the HHS Office for Civil Rights, depending on findings from the ongoing investigation.