SimonMed Imaging, one of the largest outpatient medical imaging providers in the US, has confirmed that it fell victim to a cyberattack that potentially exposed sensitive patient information earlier this year.
The company said it was first alerted on 27 January 2025, when one of its vendors reported a security incident. A day later, SimonMed detected suspicious activity within its own network, prompting what it describes as an immediate and comprehensive response.
In a statement, the company said it “promptly began an investigation and took steps to contain the situation,” including resetting passwords, tightening multifactor authentication, enhancing endpoint monitoring, and blocking all non-whitelisted network traffic. Law enforcement and data security experts were also brought in to assist.
The investigation determined that unauthorized access happened between 21 January and 5 February this year. During that period, attackers were able to reach systems containing patient data.
A Wide Range of Identifiers
The information potentially affected varies by individual but may include a wide range of identifiers and medical details: names, addresses, birth dates, service dates, provider names, medical records, imaging results, diagnoses, treatment details, medications, and health insurance information.
For some, the exposure could extend to driver’s license or government ID numbers, Social Security or tax IDs, financial account details, authentication credentials, and biometric identifiers.
SimonMed stressed that while this data was present in the affected systems, there is currently no evidence that any of it has been misused for fraud or identity theft. It began a thorough review to identify affected individuals and is notifying patients as that process continues. Relevant government agencies have been informed.
“We take this incident and the security of the information in our care seriously,” the company said in its notice, adding that it had taken significant steps to contain and strengthen its environment and is continuing to work with cybersecurity professionals to ensure the integrity of its systems.
The Culprits
Damon Small, Board Member at Xcape, said that while the root cause of the breach is unknown, the available information suggests that a third-party tool or service may have provided access to the network.
“The incident affected more than 1.2 million patients. The Medusa group, previously known for attacks on the Minneapolis Public Schools (MPS) system and Toyota Financial Services, claimed responsibility for the 212 GB data exfiltration, which leaked patient data, scans, other medical records, and financial information.”
“SimonMed responded by immediately updating patient credentials and authentication methods, implementing endpoint detection and response capabilities, terminating third-party vendor access, and offering additional identity theft protection services free of charge to its clients,” Small added.
“While the post-incident actions taken by SimonMed are appropriate, those are things that should’ve been in place from the start. This is a costly incident, especially when you consider potential HIPAA fines, ID theft protection for 1.2 million patients, lawsuits, and increased cyber insurance premiums.”
Guidance For Patients
While the investigation is ongoing, SimonMed has advised patients to be vigilant against potential fraud. The company recommends that individuals regularly review their financial and health statements and monitor their credit reports for unauthorized activity.
Under US law, consumers are entitled to one free credit report per year from each of the three major credit bureaus (Equifax, Experian, and TransUnion) available through AnnualCreditReport.com or by calling 1-877-322-8228.
Patients who suspect suspicious activity can also consider placing a fraud alert or a security freeze on their credit files. A fraud alert requires creditors to verify identity before opening new accounts, while a freeze blocks access to a credit report without explicit consent. Both services are free.
For additional protection, the company suggests that patients:
- Review their health insurance “explanation of benefits” statements carefully.
- Verify any unfamiliar medical claims or charges with their healthcare providers.
- Request a year-to-date summary of all services paid by their insurer to check for inconsistencies.
Build Resilience
Lydia Zhang, President & Co-Founder of Ridge Security Technology, comments: “We have seen more and more healthcare organizations adopt continuous security posture testing as part of their defense strategy. Since advanced social engineering can bypass passwords and multi-factor authentication, organizations must build resilience into their internal systems by continuously reviewing policies, detecting threats, and patching critical vulnerabilities.”
Hom Bahmanyar, Ridge Security Technology’s Global Enablement Officer, adds that adversary emulation is an important strategy for defending against the ongoing emergence of ransomware variants such as Medusa and Akira. “AI attack simulation playbook libraries are equipped with the scripts to detect Medusa and Akira ransomware, and they continue to be updated to detect new ransomware variants emerging in the months ahead.”
Bahmanyar says this incident highlights the need for robust vendor management policies and strict control over the resources that vendor tools and services are allowed to access. “A chain is only as strong as its weakest link; thoroughly vet your vendors, sandbox if appropriate, and review access controls often.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.