SimonMed Imaging said it is notifying more than 1.2 million individuals that a January data breach exposed sensitive information, the company’s notice shows. The outpatient medical imaging and radiology services provider operates about 170 medical centers in 11 U.S. states and has annual revenue of more than $500 million.
According to the notice shared with authorities, attackers had unauthorised access to SimonMed’s network between January 21 and February 5. SimonMed said it learned of the incident on January 27 after a vendor alerted it that they were experiencing a security incident, and it confirmed suspicious activity on its systems the following day.
SimonMed said it immediately began an investigation and took steps to contain the intrusion, including resetting passwords, enabling multifactor authentication, adding endpoint detection and response monitoring, removing third‑party vendors’ direct access, and restricting inbound and outbound traffic. The company also notified law enforcement and engaged data security and privacy professionals, and is offering affected individuals a free identity-theft protection subscription through Experian.
The company did not specify exactly what other data was stolen beyond patient names. The notice said there was no evidence as of October 10 that accessed information had been misused for fraud or identity theft; the article noted that medical imaging firms commonly store highly sensitive records but did not detail the specific files taken in this incident.
The Medusa ransomware operation listed SimonMed on its extortion site on February 7, claiming it had stolen 212 GB of data and posting samples that included identification scans, spreadsheets with patient details, payment information, medical reports and raw scans. The threat actors reportedly demanded a $1 million ransom and $10,000 for a one‑day extension; the article cited a screenshot of the posting from KELA.
SimonMed is no longer listed on Medusa’s leak site, which the article said typically suggests a ransom was negotiated and paid. Medusa, a ransomware-as-a-service group that emerged in 2023, has been linked to other high-profile attacks and has been the subject of warnings from U.S. authorities.