Over the weekend, SimonMed Imaging confirmed 1,275,669 people had been affected in its January 2025 data breach, which was claimed by ransomware gang Medusa with a $1 million ransom demand.
This becomes the year’s second-largest data breach via ransomware in the healthcare sector and the sixth-largest across all sectors.
In its notification, SimonMed states that: “On January 27, 2025, we were alerted by one of our vendors that they were experiencing a security incident. After receiving this information, we promptly began a review of our own systems and on the following day, January 28, 2025, we discovered suspicious activity on our network.”
Following investigations, it found that information had been obtained by the hackers. Data affected includes names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical conditions, diagnosis and/or treatment information, medications, health insurance information, or driver’s license numbers.
On February 7, 2025, Medusa came forward to claim the attack, issuing SimonMed with a $1 million ransom for the 212.616 GB of data it had allegedly stolen.
SimonMed hasn’t confirmed Medusa’s claims, whether or not a ransom was demanded and/or paid, or how hackers infiltrated its systems. Comparitech has contacted the company for more information and will update this article if we receive a response.
Who is Medusa?
To date, we’ve tracked 140 confirmed attacks via Medusa. These attacks have seen the breach of over 4.5 million records and an average ransom of nearly $650,000.
26 of these confirmed attacks have been on healthcare companies and, while only a fraction of its total number of confirmed attacks, nearly 3.5 million records have been impacted across these attcks on the healthcare sector. The average ransom on the healthcare sector is lower than average at $427,000.
So far this year, eight of Medusa’s confirmed attacks attacks have been on healthcare organizations. This is the largest by far (based on records affected), with other significant breaches reported by Bell Ambulance (114,000 affected in its February 2025 attack) and Highlands Oncology Group PA (113,575 affected in its January 2025 attack).
Medusa first surfaced in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay twice: once to decrypt their systems, and once for not selling or publishing stolen data. Throughout 2025, we’ve noted and 25 confirmed and a further 103 unconfirmed attacks.
Ransomware attacks on US healthcare companies
2025 has seen 65 confirmed attacks on US healthcare providers, with over 7.5 million records breached acrossed these attacks.
As we’ve already noted, this attack on SimonMed is the second largest based on records affected with the largest being the March 2025 attack on DaVita in which nearly 2.7 million people had their data breached. This attack was claimed by Interlock.
Other recently confirmed attacks include:
- Co̦s County Family Health Services Рtargeted in July 2025 by Run Some Wares with 40,085 impacted in the breach
- Pittsburgh Gastroenterology Associates –Â targeted in August 2025 by Sinobi. People are being notified of a breach but it’s unclear how many have been impacted
- Goshen Medical Center – targeted in February 2025 by BianLian with 456,385 people impacted in the breach
We are also monitoring 144 unconfirmed attacks on this sector from this year.
About SimonMed Imaging
With around 170 locations across 10 states, SimonMed Imaging is one of the largest outpatient medical imaging providers and radiology practices in the US. Its headquarters are in Scottsdale, Arizona.
