SimonMed Imaging, one of America’s largest outpatient medical imaging providers, has confirmed that 1,275,669 patients had their sensitive medical data stolen during a January 2025 ransomware attack, with notification letters only beginning to arrive in October 2025—more than eight months after the breach was discovered. The Medusa ransomware group claimed responsibility for the attack, demanding $1 million in ransom and threatening to publish the stolen data on the dark web.
Attack Timeline and Detection
The Arizona-based radiology provider, which operates over 170 diagnostic imaging centers across 11 states, experienced unauthorized network access between January 21 and February 5, 2025. SimonMed was first alerted to the incident on January 27 when one of its vendors reported experiencing a security breach. The company discovered suspicious activity on its own network the following day and immediately began implementing security measures including password resets, enhanced multifactor authentication, and endpoint detection systems.
However, by the time the breach was detected, cybercriminals had already maintained network access for 16 days. On February 7, 2025, the Medusa ransomware group publicly listed SimonMed on their dark web extortion portal, posting proof-of-breach files including patient ID scans, spreadsheets with detailed patient information, payment records, account balances, medical reports, and raw imaging scans. The attackers demanded a $1 million ransom payment with an additional $10,000 charge for each day’s extension before publishing all stolen files, setting a February 21 deadline.
Scope of Exposed Data
The compromised information varied by individual but included highly sensitive personal and medical details: full names, addresses, dates of birth, medical record numbers, dates of service, provider names, medical conditions, diagnoses, treatment information, prescribed medications, health insurance details, medical imaging data, and driver’s license numbers. The Medusa group claimed to have exfiltrated 212 GB of data from SimonMed’s systems.
SimonMed’s listing has since been removed from Medusa’s leak site, which cybersecurity experts suggest typically indicates that ransom negotiations may have occurred, though the company has declined to comment on whether any payment was made.
The Growing Medusa Threat
The Medusa ransomware group has emerged as one of the most prolific cybercrime organizations targeting healthcare providers in 2025. Operating under a ransomware-as-a-service (RaaS) model since 2021, Medusa has claimed over 300 victims across critical infrastructure sectors including healthcare, education, legal, insurance, and manufacturing. In March 2025, the FBI, CISA, and MS-ISAC issued a joint cybersecurity advisory warning organizations about the escalating threat posed by Medusa.
Healthcare facilities have been particularly vulnerable to Medusa’s attacks. The group has targeted numerous medical providers including Highlands Oncology Group in August 2024, Bell Ambulance in Wisconsin, and Vital Imaging Medical Diagnostic Centers in Miami, an incident that affected 260,000 patients. The group has also conducted high-profile attacks on NASCAR (demanding $4 million), Minneapolis Public Schools ($1 million ransom), Toyota Financial Services, and recently claimed an 834 GB data theft from Comcast Corporation.
Medusa claimed over 40 victims in the first two months of 2025 alone—nearly double the number observed during the same period in 2024. Since early 2023, the group has listed almost 400 victims on its data leak site, with ransom demands ranging from $100,000 to $15 million. The true number of victims is likely much higher, as these figures don’t account for organizations that paid ransoms to prevent data publication.

The company now offers free credit monitoring to affected individuals.
Why Medical Records Are Exceptionally Valuable
Medical data breaches pose particularly severe and long-lasting risks to victims because, unlike stolen credit cards or passwords, you cannot change your medical history or government ID scans. On the dark web, a complete medical record can sell for $250 to over $1,000, while a stolen credit card might fetch only $5 to $25. According to analysis by Kroll, healthcare records can be worth as much as $1,000 on black market platforms.
Medical records are prized by criminals because they contain comprehensive identity dossiers including Social Security numbers, dates of birth, addresses, insurance information, and complete medical histories that can be used for insurance fraud, tax fraud, prescription drug fraud, and identity theft. Medical identity theft is particularly dangerous because it often goes undetected for extended periods, and fraudulent information can become permanently embedded in clinical systems across networks of providers and insurers. Unlike financial fraud, which may be quickly flagged by banks, victims may only discover medical identity theft when they’re denied care, receive bills for procedures they never had, or face life-threatening situations due to corrupted medical records.
Delayed Notification Raises Legal Concerns
The nine-month delay between breach discovery and patient notification has drawn criticism from cybersecurity experts and patient advocates. Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals and the Department of Health and Human Services without unreasonable delay and no later than 60 days after discovering a breach affecting 500 or more individuals. While SimonMed conducted extensive forensic investigations to determine the full scope of compromised data, the extended timeframe left victims vulnerable to identity theft and fraud without their knowledge.
The company initially filed a preliminary report to regulators estimating only 500 affected individuals as a placeholder, with the true figure of 1,275,669 emerging only after exhaustive file reviews. SimonMed began mailing notification letters on October 10, 2025, and is offering complimentary credit monitoring and identity theft protection services to all affected individuals. The company states there is no confirmed evidence of data misuse for fraud or identity theft stemming from the breach thus far.
Legal and Regulatory Consequences
SimonMed now faces significant legal exposure, with at least one class action lawsuit already filed on behalf of affected patients. The lawsuit’s allegations likely focus on failure to implement adequate cybersecurity safeguards, negligent protection of sensitive patient data, delayed breach notification, inadequate vendor risk management, and potential violations of HIPAA Security Rule requirements. The HHS Office for Civil Rights is expected to launch an investigation, which could result in penalties ranging from hundreds of thousands to millions of dollars depending on findings regarding the company’s security posture and compliance history.
Recent HIPAA enforcement actions have increasingly focused on failures to conduct proper risk analyses—a foundational Security Rule requirement that many breached organizations have been found to lack. Delayed or incomplete breach notifications can lead to steep fines, reputational damage, and potential criminal charges. Even when notifications are made within the 60-day window, regulators may impose penalties if they believe the delay was longer than necessary under the circumstances.
Broader Healthcare Security Crisis
The SimonMed breach represents one of the most significant healthcare data breaches disclosed in 2025, occurring amid a historic surge in ransomware attacks. The first quarter of 2025 saw 2,289 reported ransomware incidents—more than double the 1,011 incidents during the same period in 2024, representing a 126% year-over-year increase. This surge has occurred despite high-profile law enforcement operations in 2024 that disrupted major ransomware groups like LockBit and ALPHV, allowing newer groups like Medusa to fill the void in the ransomware-as-a-service marketplace.
In the first six months of 2025 alone, 343 healthcare data breaches were reported to U.S. authorities, highlighting an escalating crisis in medical data security. The average cost of a healthcare data breach has climbed to $10.22 million, with the healthcare sector consistently ranking among the most expensive industries for data breach remediation.
SimonMed has reported the incident to law enforcement and relevant government agencies including the Office for Civil Rights, and continues to work with data security and privacy professionals in its response efforts, according to Fox News. The company has implemented enhanced security measures, including restricting network traffic to whitelisted sources, improving endpoint detection and response tools, and eliminating direct vendor access to internal systems.

















