SimonMed Imaging, a U.S.-based medical imaging provider with 170 centers across 11 states and more than $500M in annual revenue, suffered a **Medusa ransomware attack** between **January 21 and February 5, 2025**. The intruders held unauthorized network access for roughly two weeks and exfiltrated **212 GB of sensitive data**, including **patient full names, ID scans, medical reports (MRI, CT and PET scans, X-rays, mammograms), payment details, account balances, and raw imaging files**. The **Medusa ransomware group** demanded a **$1M ransom** (plus $10K for each one-day extension of the deadline) and published sample data as proof, including spreadsheets of patient details and financial records. SimonMed reported no evidence of fraud or identity theft as of its October 10, 2025 breach notice, but the breach exposed **1.2M+ individuals** to long-term identity theft and financial fraud risk and left the company facing reputational damage. Its containment measures included password resets, MFA, EDR monitoring, removal of third-party vendors' direct system access, and restriction of inbound and outbound traffic to trusted connections; it offered affected individuals free **Experian identity theft protection**. SimonMed was later **removed from Medusa's leak site**, which suggests, but does not confirm, that a ransom was paid. The incident is consistent with Medusa's history of targeting **critical infrastructure** sectors, including healthcare, as described in the March 2025 FBI/CISA/MS-ISAC joint advisory.
TPRM report: https://www.rankiteo.com/company/simonmed-imaging
{
"id": "sim1402114101425",
"linkid": "simonmed-imaging",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '1.2 million individuals',
'industry': 'Healthcare (Medical Imaging & Radiology)',
'location': 'United States (11 states)',
'name': 'SimonMed Imaging',
'size': '170 medical centers, >$500M annual revenue',
'type': 'Private Company'}],
'attack_vector': 'Third-party vendor compromise leading to unauthorized '
'network access',
'customer_advisories': 'Free identity theft protection (Experian) offered',
'data_breach': {'data_exfiltration': 'Yes (212 GB of data stolen, samples '
'leaked)',
'file_types_exposed': ['ID scans',
'Spreadsheets',
'Medical reports',
'Raw scan files'],
'number_of_records_exposed': '1.2 million',
'personally_identifiable_information': 'Yes (full names, ID '
'scans, patient '
'details)',
'sensitivity_of_data': 'High (medical, financial, and '
'personally identifiable information)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Financial data (payment '
'details, account balances)',
'Medical records (reports, raw '
'scans)']},
'date_detected': '2025-01-27',
'date_publicly_disclosed': '2025-10-10',
'description': 'U.S. medical imaging provider SimonMed Imaging experienced a '
'data breach exposing sensitive information of over 1.2 '
'million individuals. The breach involved unauthorized access '
"to the company's network between January 21 and February 5, "
'2025. The Medusa ransomware group claimed responsibility, '
'demanding a $1 million ransom and leaking sample data, '
'including ID scans, patient details, payment information, and '
'medical reports. SimonMed took containment measures, notified '
'law enforcement, and offered identity theft protection '
'services to affected individuals.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive medical and '
'financial data',
'data_compromised': ['Full names',
'ID scans',
'Patient details',
'Payment details',
'Account balances',
'Medical reports',
'Raw scans'],
'identity_theft_risk': 'High (offered identity theft protection '
'services to 1.2M individuals)',
'operational_impact': 'Disruption due to containment measures '
'(e.g., restricted traffic, vendor access '
'removal)',
'payment_information_risk': 'Yes (payment details and account '
'balances exposed)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (Medusa leaked '
'samples, but full dataset '
'status unclear)',
'entry_point': 'Third-party vendor compromise',
'high_value_targets': ['Patient data',
'Financial records',
'Medical imaging files']},
'investigation_status': 'Completed (as of public disclosure on October 10, '
'2025)',
'motivation': 'Financial gain (ransom demand)',
'post_incident_analysis': {'corrective_actions': ['Implemented MFA',
'Added EDR monitoring',
'Restricted vendor access',
'Traffic filtering to '
'trusted connections'],
'root_causes': 'Third-party vendor security '
'incident leading to unauthorized '
'network access'},
'ransomware': {'data_exfiltration': 'Yes (212 GB)',
'ransom_demanded': '$1,000,000 (plus $10,000 for one-day '
'extension)',
'ransom_paid': "Likely (SimonMed no longer listed on Medusa's "
'leak site, suggesting negotiation/payment)',
'ransomware_strain': 'Medusa'},
'references': [{'source': 'KELA'},
{'source': 'FBI, CISA, and MS-ISAC Joint Advisory (March '
'2025)'}],
'regulatory_compliance': {'regulatory_notifications': 'Authorities notified '
'(breach notice '
'shared)'},
'response': {'communication_strategy': ['Public breach notice issued (October '
'10, 2025)',
'Free identity theft protection '
'(Experian) offered to affected '
'individuals'],
'containment_measures': ['Password resets',
'Multifactor authentication (MFA) '
'implementation',
'Endpoint Detection and Response (EDR) '
'monitoring added',
"Removed third-party vendors' direct "
'system access',
'Restricted inbound/outbound traffic to '
'trusted connections'],
'enhanced_monitoring': 'EDR monitoring added',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes',
'third_party_assistance': 'Data security and privacy '
'professionals engaged'},
'stakeholder_advisories': 'Breach notice issued to affected individuals',
'threat_actor': 'Medusa Ransomware Group',
'title': 'SimonMed Imaging Data Breach',
'type': ['Data Breach', 'Ransomware Attack']}