SimonMed Imaging

SimonMed Imaging, a major U.S. outpatient radiology and medical imaging provider, suffered a ransomware attack in January–February 2025 that compromised the sensitive data of 1.2 million patients. The Medusa ransomware group exfiltrated over 200 GB of data, including patient IDs, financial records, medical scans, identity documents, payment details, and raw imaging files. The attackers demanded $1 million to delete the data or $10,000 per day to delay its publication. The exposed information is highly sensitive and can be used for financial fraud, identity theft, and insurance scams; because leaked medical records cannot be recalled or reissued, the risk is long-term. SimonMed offered credit monitoring but did not confirm whether a ransom was paid. The scale and type of data make this a high-severity incident with severe reputational, financial, and operational consequences.

Source: https://www.foxnews.com/tech/hackers-steal-medical-records-financial-data-from-1-2m-patients-massive-healthcare-breach

TPRM report: https://www.rankiteo.com/company/simonmed-imaging

{
  "id": "sim3692336102425",
  "linkid": "simonmed-imaging",
  "type": "Ransomware",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '1,200,000',
                        'industry': 'Outpatient Radiology and Medical Imaging',
                        'location': 'United States',
                        'name': 'SimonMed Imaging',
                        'size': "Large (one of the country's largest "
                                'providers)',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Third-party vendor compromise followed by network intrusion',
 'customer_advisories': 'Complimentary credit monitoring offered to affected '
                        'individuals',
 'data_breach': {'data_exfiltration': 'Yes (200+ GB of data stolen between '
                                      'Jan. 21 and Feb. 5, 2025)',
                 'file_types_exposed': ['Identity documents',
                                        'Payment records',
                                        'Medical reports',
                                        'Account balances',
                                        'Raw imaging scans (e.g., DICOM '
                                        'files)'],
                 'number_of_records_exposed': '1,200,000',
                 'personally_identifiable_information': 'Yes (names, patient '
                                                        'IDs, financial '
                                                        'records, government '
                                                        'ID scans)',
                 'sensitivity_of_data': 'High (includes medical history, '
                                        'government ID scans, financial '
                                        'records)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data',
                                              'Medical Records',
                                              'Identity Documents',
                                              'Payment Details',
                                              'Medical Scans']},
 'date_detected': '2025-01-01',
 'description': 'A cyberattack involving the Medusa ransomware group '
                'compromised sensitive patient data at SimonMed Imaging, one '
                'of the largest outpatient radiology and medical imaging '
                'providers in the U.S. Over 1.2 million patients were '
                'affected, with data including patient IDs, financial records, '
                'medical scans, identity documents, payment details, medical '
                'reports, account balances, and raw imaging scans exfiltrated. '
                'The attackers demanded $1 million to delete the stolen files '
                'or $10,000 per day to delay publication. SimonMed offered '
                'complimentary credit monitoring to affected individuals and '
                'engaged cybersecurity experts for investigation.',
 'impact': {'brand_reputation_impact': 'High (sensitive medical and financial '
                                       'data exposed, potential long-term '
                                       'trust erosion)',
            'data_compromised': ['Patient IDs',
                                 'Financial records',
                                 'Medical scans',
                                 'Identity documents',
                                 'Payment details',
                                 'Medical reports',
                                 'Account balances',
                                 'Raw imaging scans',
                                 'Names'],
            'identity_theft_risk': 'High (exposed PII and medical records can '
                                   'be used for fraud, insurance scams, or '
                                   'prescription drug abuse)',
            'operational_impact': 'Disruption due to containment measures '
                                  '(password resets, 2FA enforcement, endpoint '
                                  'security tightening, third-party vendor '
                                  'access revocation)',
            'payment_information_risk': 'High (payment details and financial '
                                        'records compromised)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (Medusa group '
                                                    'claimed theft; medical '
                                                    'and financial data are '
                                                    'high-value on dark web '
                                                    'markets)',
                           'entry_point': 'Third-party vendor compromise',
                           'high_value_targets': ['Patient databases',
                                                  'Financial records',
                                                  'Medical imaging scans']},
 'investigation_status': 'Ongoing (cybersecurity experts engaged)',
 'motivation': 'Financial gain (ransom demand)',
 'post_incident_analysis': {'root_causes': ['Third-party vendor vulnerability',
                                            'Insufficient early detection of '
                                            'suspicious activity (attackers '
                                            'exfiltrated data over 15 days)']},
 'ransomware': {'data_exfiltration': 'Yes (200+ GB of data)',
                'ransom_demanded': '$1,000,000 (or $10,000 per day to delay '
                                   'publication)',
                'ransomware_strain': 'Medusa'},
 'recommendations': ['Use data removal services to reduce exposed personal '
                     'information online',
                     'Change passwords and use a password manager (especially '
                     'for SimonMed-related accounts)',
                     'Enable two-factor authentication (2FA) on all accounts',
                     'Install strong antivirus software for real-time threat '
                     'monitoring',
                     'Monitor financial and medical statements for fraudulent '
                     'activity',
                     'Consider identity theft protection plans for dark web '
                     'monitoring and recovery assistance',
                     'Stay informed about phishing scams referencing the '
                     'breach'],
 'references': [{'date_accessed': '2025',
                 'source': 'Fox News / CyberGuy.com',
                 'url': 'https://www.cyberguy.com'},
                {'source': 'BleepingComputer'}],
 'response': {'containment_measures': ['Password resets',
                                       'Two-factor authentication (2FA) '
                                       'enforcement',
                                       'Endpoint security tightening',
                                       'Third-party vendor access revocation'],
              'incident_response_plan_activated': 'Yes',
              'recovery_measures': ['Complimentary credit monitoring for '
                                    'affected individuals',
                                    'Cybersecurity investigation'],
              'third_party_assistance': 'Cybersecurity experts engaged for '
                                        'investigation'},
 'threat_actor': 'Medusa ransomware group',
 'title': 'SimonMed Imaging Data Breach',
 'type': ['Data Breach', 'Ransomware Attack']}