SimonMed Imaging, a major U.S. outpatient medical imaging provider with over 170 facilities across 10 states, suffered a significant data breach caused by a ransomware attack from the Medusa group, impacting more than 1.2 million individuals.

The Medusa ransomware group claimed responsibility for the attack on February 10, stating they stole over 200 GB of data and demanded a ransom of $1 million, with SimonMed added to its Tor data leak site.

The breach was discovered in late January 2025 after suspicious network activity on January 28 revealed unauthorized access from January 21 to February 5, originating from a vendor breach, prompting an immediate investigation.

The compromised data includes highly sensitive personal information such as names, addresses, birth dates, medical records, diagnoses, insurance details, social security numbers, financial information, biometric data, and authentication credentials.

While there is no current evidence of misuse, impacted individuals are advised to monitor their accounts and are offered free annual credit reports as a precaution against potential identity theft or fraud.

The breach poses serious risks including identity theft, medical identity theft, insurance fraud, privacy violations, and long-term unauthorized access to healthcare systems, threatening patient safety and trust.

The incident highlights the ongoing threat posed by ransomware groups, which frequently target healthcare organizations and threaten to leak or sell stolen data to extort victims.

Although SimonMed reports no evidence of data being used for fraud or identity theft, the potential for misuse remains high since cybercriminals often leak or sell stolen data.

SimonMed informed the Maine Attorney General about the breach in early October 2025, and initially reported to the US Department of Health and Human Services that only 500 individuals were affected, indicating the scope was initially underestimated.