Hackers Steal Medical and Financial Data of 1.2M Patients

SimonMed Imaging’s disclosure that 1.2 million patients’ records were stolen in a ransomware attack is another chapter in a long, predictable narrative. The breach, reportedly executed by the Medusa ransomware group, included not just personally identifiable information but raw medical imaging files, payment records, and identity documents: data that cannot be replaced, reset, or revoked.
Yet the most troubling aspect of the breach is not the data volume or even the ransom demand. It is the fact that, despite a decade of escalating attacks on healthcare infrastructure, the sector continues to underinvest in security architecture, underprepare for breach response, and underestimate the downstream risks to patients and systems alike.
A Predictable Catastrophe
SimonMed is not a marginal operator. As one of the largest outpatient imaging providers in the United States, its digital perimeter should have been treated with the same risk posture as a hospital EHR environment. Instead, the intrusion reportedly began through a third-party vendor channel, an increasingly common, but still preventable, attack vector.
The organization claims to have taken swift action after detecting anomalies in January 2025: password resets, access restrictions, and endpoint lockdowns. But by that point, attackers had already spent nearly two weeks exfiltrating over 200 gigabytes of patient data. According to BleepingComputer, the Medusa group demanded $1 million to delete the files or $10,000 per day to delay public release. SimonMed has not confirmed whether it paid the ransom.
This case follows a pattern that has become familiar across the healthcare landscape: delayed detection, rushed containment, vague public disclosures, and minimal transparency about what mitigation actions have been taken beyond offering credit monitoring services.
Structural Vulnerabilities, Not Singular Failures
Healthcare continues to be the most targeted sector for ransomware actors, according to the U.S. Department of Health and Human Services. In its 2025 Q2 threat briefing, HHS highlighted that more than 400 healthcare entities were hit by ransomware in the previous 12 months, affecting over 90 million records. The FBI has echoed similar concerns, noting that threat actors are specifically targeting mid-size outpatient and diagnostic networks, where data value is high and security maturity is low.
SimonMed’s breach is a case study in systemic underinvestment. Most healthcare organizations still operate on hybrid infrastructures with legacy components, fragmented vendor ecosystems, and limited internal cybersecurity talent. A 2024 Ponemon Institute study found that nearly 60% of healthcare delivery organizations rated their cybersecurity posture as “immature” or “developing.” Only 16% had fully implemented zero-trust architectures, and fewer than one-third conducted monthly vulnerability scans across third-party integrations.
What’s clear is that the vulnerabilities that led to this breach are not exceptional. They are endemic.
Patients Carry the Consequences
The impact of breaches like SimonMed’s goes beyond reputational harm. When identity documents, imaging files, and medical histories are leaked, they become permanent fixtures in criminal marketplaces. Unlike a stolen credit card, a patient’s health records or biometric data cannot be changed. Fraudulent use of this information can lead to false medical claims, drug diversion, and in some cases, manipulation of diagnostic records for insurance scams.
The implications are also clinical. A 2023 Health Affairs study found that patients who experience health data breaches are significantly more likely to delay care, switch providers, or withhold information during clinical encounters—introducing new risks to care continuity and patient safety.
Credit monitoring may offer some retroactive defense, but it does nothing to restore trust, correct misinformation, or prevent data reuse. In the absence of more aggressive breach prevention and transparency mandates, patients are being forced to absorb the cost of organizational neglect.
Compliance Does Not Equal Resilience
While HIPAA remains the foundational privacy law for healthcare, it has proven inadequate for the modern threat landscape. HIPAA’s Security Rule does not mandate real-time monitoring, zero-trust models, or incident-specific reporting timelines. As long as organizations can show they had “reasonable” protections in place, they remain within compliance—even if those protections fail in practice.
There is growing recognition of this gap at the federal level. The Cybersecurity and Infrastructure Security Agency (CISA) and HHS recently launched a joint effort to create minimum cybersecurity performance goals (CPGs) for the sector. These voluntary targets aim to push beyond check-the-box compliance and encourage implementation of endpoint detection and response (EDR), role-based access controls, multi-factor authentication, and secure configuration management.
But guidance without accountability rarely moves the needle. Until CMS and OCR begin conditioning reimbursement or accreditation on security performance benchmarks, many provider organizations will continue to treat cybersecurity as an IT expense rather than an operational imperative.
The Case for Transparency and Realignment
SimonMed’s silence regarding whether a ransom was paid is notable. While law enforcement discourages payment, some providers argue that rapid decryption and data containment justify the cost, especially when patient harm is at stake. But this argument cannot hold indefinitely. Ransomware groups thrive on opacity. When victims withhold details about breaches, payment decisions, or recovery timelines, it signals to attackers that reputational risk is limited and that extortion remains a viable tactic.
Healthcare leadership must adopt a different playbook, one that emphasizes transparency, incident disclosure, and sector-wide intelligence sharing. Programs like H-ISAC and the Health Sector Coordinating Council provide structured pathways for organizations to report, learn, and align. But participation must shift from voluntary to standard practice.
Healthcare is one of the only critical infrastructure sectors where system downtime can directly lead to mortality. The stakes are too high for cybersecurity to remain a patchwork effort.