Massive Healthcare Breach Exposes Over 1.2 Million SimonMed Patients to Data Risk

In late January 2025, SimonMed Imaging—one of the largest outpatient medical imaging providers in the U.S.—became the latest victim in a wave of ransomware-driven healthcare breaches, confirming that more than 1.2 million patients had their data exposed following a sophisticated cyberattack attributed to the Medusa ransomware group.


The company said it detected “suspicious activity” on its network on January 28, one day after being alerted by a vendor about a separate security incident. Forensic analysis later revealed that attackers had maintained unauthorized access between January 21 and February 5, siphoning off a trove of patient data before detection.


The Scope of the Breach


The compromised data spans an alarming range—names, birth dates, medical records, diagnostic imaging, insurance information, Social Security numbers, and even biometric identifiers. In short, nearly every piece of personal and clinical information that defines a patient’s identity and health profile may have been exposed.


While SimonMed said it found “no evidence” of misuse so far, the Medusa group claimed responsibility for stealing 212 GB of data, including scans, reports, and financial records. Medusa, known for previous high-profile attacks against Toyota Financial Services and the Minneapolis Public Schools, demanded a $1 million ransom before leaking portions of the stolen data on dark web marketplaces.


“This is a costly incident,” said Damon Small, board member at Xcape, Inc. “SimonMed responded by immediately updating patient credentials and authentication methods, implementing endpoint detection and response capabilities, terminating third-party vendor access, and offering additional identity theft protection services free of charge to its clients. While the post-incident actions taken by SimonMed are appropriate, those are things that should’ve been in place from the start.”


Small warned that the potential fallout could include HIPAA fines, class-action lawsuits, and increased cyber insurance premiums—costs that may eclipse the original ransom demand.


A Chain Reaction Through Third Parties


Investigators believe the breach may have originated through a third-party vendor’s compromised tool, granting attackers an entry point into SimonMed’s internal systems. The incident underscores one of healthcare’s most persistent security blind spots: vendor access.


“While the root cause of the breach remains unknown, the available information shows that a third-party tool or service may have provided access to the network,” Small added. “A chain is only as strong as its weakest link; thoroughly vet your vendors, sandbox if appropriate, and review access controls often.”


Following the attack, SimonMed revoked all external vendor access, restricted network traffic to whitelisted endpoints, and implemented new layers of multi-factor authentication and endpoint monitoring.


AI-Powered Defenses and Adversary Emulation


Experts say the SimonMed breach is yet another reminder that traditional perimeter defenses are no longer enough in an era of polymorphic ransomware and AI-driven attacks.


“We have seen more and more healthcare organizations adopt continuous security posture testing as part of their defense strategy,” said Lydia Zhang, president and co-founder of Ridge Security Technology. “Since advanced social engineering can bypass passwords and multi-factor authentication, organizations must build resilience into their internal systems by continuously reviewing policies, detecting threats, and patching critical vulnerabilities.”


Hom Bahmanyar, global enablement officer at Ridge Security, pointed to a growing reliance on “adversary emulation” technologies—AI systems trained to simulate real-world ransomware campaigns such as Medusa or Akira. “Agentic AI attack simulation playbook libraries are equipped with the scripts to detect Medusa and Akira ransomware,” Bahmanyar explained. “They continue to get updated to detect new ransomware variants emerging in the months ahead.”


The Bigger Picture


The SimonMed breach reinforces a trend of escalating attacks on healthcare networks—a sector prized for its rich data, often secured by aging infrastructure and sprawling vendor ecosystems. In 2024 alone, ransomware incidents in U.S. healthcare surged by nearly 70%, according to federal reporting data.


For patients, the consequences are deeply personal. For the industry, they’re systemic. As Small put it bluntly: “Vendor access, endpoint visibility, and data hygiene aren’t optional anymore—they’re survival requirements.”