1.2 million patients affected by data breach of imaging services provider

A ransomware ring called Medusa has claimed responsibility for the cybersecurity attack, which exposed data on more than 1.2 million individuals.
By admin
Oct 17, 2025, 8:20 AM

SimonMed Imaging, a provider of outpatient imaging services, is the latest healthcare organization to make headlines with a large-scale data breach. More than 1.2 million individuals have had their information exposed in the event, which occurred between January 21 and February 5 of 2025. 

According to industry sources, the Medusa ransomware ring has claimed responsibility for the breach, which occurred just weeks before the FBI, CISA, and MS-ISAC released a cybersecurity advisory warning multiple industries of the group’s threat to their digital infrastructures.

What happened?

SimonMed Imaging’s official notification to affected individuals states that on January 27, 2025, the organization was alerted to a potential security threat by one of its vendors. The breach was discovered the following day, and SimonMed took swift action to mitigate the situation.  

“We immediately began an investigation and took steps to contain the situation, including resetting passwords, enhancing multifactor authentication, implementing endpoint detection and response monitoring, removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools, limiting only whitelisted traffic into and from our network, notifying law enforcement, and engaging data security and privacy professionals to assist,” the breach notice says. 

However, the bad actors were able to retain access to sensitive data until February 5. 

The company says that the hackers were able to access patient names, but has not disclosed whether other information was also compromised. According to BleepingComputer.com, the Medusa hackers who claimed responsibility for the event published a sample of information that included ID scans, spreadsheets with patient details, financial information, medical reports, and raw scans. That sample indicates that affected individuals could be facing a much more serious breach of their privacy than SimonMed has publicly disclosed so far.

Who is Medusa?

Medusa is a ransomware-as-a-service (RaaS) variant that was first identified in 2021, the joint cybersecurity notice explains. As of February 2025, affiliates of the Medusa crime ring have impacted more than 300 victims from a variety of industries, including health care, education, insurance, technology, and manufacturing.  

Originally, Medusa was a “closed” ransomware variety, which means that its activities were controlled by a limited group of bad actors. But it has since progressed to using an affiliate model, the cybersecurity agencies said, wherein a wider range of cybercriminals can leverage the technology to target victims. Both the core group of criminals and their affiliates use a double extortion model, where they encrypt files and threaten to publicly release acquired data if the victim doesn’t pay the asked-for ransom. 

In this case, Medusa asked for $1 million in ransom in a February 7 post on its blog. If not paid, the group threatened to release the data it allegedly acquired.

What happens now?

For SimonMed Imaging patients affected by the incident, credit monitoring is available. The organization stresses in its breach notification that it is not aware of any evidence that the compromised information has been used for identity theft or fraud at present. 

For SimonMed itself, a stronger cybersecurity defense plan is being put into place as mentioned above. 

For the rest of the healthcare industry, continued vigilance against security vulnerabilities is a must. Medusa is only one of countless ransomware variants that could find a way into critical infrastructure – and criminals are only getting smarter and more sophisticated as artificial intelligence enables a new generation of weapons aimed at data-rich targets. 

Organizations should be continually engaged in assessing and strengthening their defenses, and should stay abreast of the latest advisories from government agencies, as well as the most up-to-date resources designed to support healthcare providers and third-party partners in their never-ending quest to outsmart bad actors.  


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected]. 

