
SimonMed Imaging has confirmed that a ransomware attack earlier this year resulted in the unauthorized access and theft of sensitive personal data belonging to 1,275,669 individuals, marking one of the largest healthcare data breaches disclosed in 2025.
The disclosure, submitted to the Maine Attorney General’s Office, officially ties the January incident to a Medusa ransomware intrusion that had been claimed by the group in February.
Founded in 2003, SimonMed Imaging operates over 150 diagnostic imaging centers across the United States and employs more than 2,000 staff. The company specializes in outpatient medical imaging services such as MRI, CT, ultrasound, and mammography, and plays a vital role in clinical diagnostics for hospitals and physicians nationwide.
The breach occurred between January 21 and February 5, 2025, with SimonMed detecting suspicious activity on January 28, just one day after a security alert was issued by one of its vendors. An internal investigation determined that hackers had gained access to the company’s systems and exfiltrated a large volume of files, some of which contained protected personal information.
SimonMed delayed notifying affected individuals until October 10, citing the need to complete a complex forensic investigation to verify which individuals were impacted and what specific data was accessed. The exposed data includes names and other personal identifiers, though the full scope of sensitive data types, such as medical history or Social Security numbers, has not been made public. While the company states there is no current evidence of misuse, the long delay between breach discovery and public notification raises concerns about downstream risks for identity theft and fraud.
The notification follows a February post by the Medusa ransomware group, which took credit for the intrusion and claimed to have stolen over 200 GB of data. The gang published data samples on its dark web leak site and listed the data for sale with a $1 million price tag, the same amount the threat actors set as their ransom demand.
In March 2025, the FBI issued a cybersecurity advisory about Medusa ransomware, warning that the cybercrime group has breached 300 critical infrastructure organizations, including entities in healthcare, education, legal, insurance, technology, and manufacturing.
Other notable attacks attributed to this ransomware-as-a-service operation include the Highlands Oncology Group breach from last August and the network compromise of the National Association for Stock Car Auto Racing (NASCAR), reported in late July.