
Ransomware Gang Medusa Hits SimonMed Imaging in One of 2025’s Largest Healthcare Breaches

Over the weekend, SimonMed Imaging confirmed that more than 1.27 million individuals were affected in a January cyberattack now attributed to the Medusa ransomware gang—a group notorious for high-impact double-extortion campaigns. The attackers reportedly demanded a $1 million ransom, making this the second-largest ransomware-related data breach in the U.S. healthcare sector so far this year.


A Breach Rooted in Vendor Compromise


SimonMed disclosed that the breach originated through a third-party vendor, underscoring the mounting risks tied to healthcare’s sprawling ecosystem of service providers. According to the company’s statement, “On January 27, 2025, we were alerted by one of our vendors that they were experiencing a security incident... On the following day, January 28, 2025, we discovered suspicious activity on our network.”


Subsequent investigations confirmed that sensitive patient information was exfiltrated, including medical record numbers, diagnoses, treatment data, insurance details, and driver’s license numbers. While Medusa claimed responsibility in early February—boasting of stealing over 212 GB of data—SimonMed has not confirmed whether a ransom was paid or how the attackers gained access.


Medusa’s Expanding Footprint


Emerging in 2019, Medusa has evolved into one of the most active ransomware-as-a-service (RaaS) collectives, notorious for publishing stolen data on its leak site if victims refuse to pay. Comparitech’s data shows 140 confirmed Medusa attacks, compromising over 4.5 million records to date, with 26 of those incidents targeting healthcare providers.


“This attack on SimonMed Imaging becomes the second-largest data breach on a healthcare company this year,” said Rebecca Moody, Head of Data Research at Comparitech. “We’ve noted 96 attacks on healthcare providers worldwide this year, with over 8.7 million records breached. The average ransom across these attacks has been $660,000, putting Medusa’s demand well above average.”


Moody added that the breach also reflects a growing threat vector: third-party exploitation. “Healthcare providers face increased risk through the vendors they rely on. Even the most security-conscious organizations can become victims through compromised partners.”


The Perfect Storm for Healthcare Cybersecurity


Security experts say SimonMed’s breach encapsulates a growing crisis in medical cybersecurity—where the intersection of high-value data, legacy systems, and vendor sprawl creates an irresistible target for ransomware operators.


“The SimonMed breach illustrates the perfect storm we often fear in healthcare cybersecurity: a long dwell time, a wide scope of compromised data, and a ransomware group bold enough to publicize both the theft and ransom demand,” said Ensar Seker, CISO at SOCRadar. “These attacks don’t just compromise health records—they expose full digital identities, from Social Security numbers to login credentials, opening the door to identity theft and fraud.”


Seker warned that stolen authentication credentials could enable follow-on attacks, allowing intruders to linger within networks long after initial containment. “Ransomware gangs like Medusa don’t just encrypt—they extract leverage. The exfiltration and exposure of patient data amplifies the damage and urgency.”


The Broader Trend: Healthcare Under Siege


So far in 2025, the U.S. healthcare sector has endured at least 65 confirmed ransomware attacks, compromising over 7.5 million patient records, with major incidents hitting DaVita (2.7 million), Bell Ambulance (114,000), and Highlands Oncology Group (113,000).


Healthcare remains the most targeted industry by ransomware groups globally—driven by the high black-market value of medical data and the operational urgency that often compels victims to pay.


The Bottom Line


SimonMed’s breach reinforces an uncomfortable truth for healthcare executives: cyber risk now extends far beyond the hospital walls. Even when internal defenses hold, third-party exposures can unravel them overnight.


The Medusa attack also signals a broader shift in ransomware economics—toward data leverage over encryption, higher ransom expectations, and longer operational disruptions.


As Seker put it, “Weeks of unauthorized access is far too long in any sector—but in healthcare, it’s catastrophic.”
