Full Report
U.S. medical imaging provider SimonMed Imaging is notifying more than 1.2 million individuals of a data breach that exposed their sensitive information. [...]
Analysis Summary
# Incident Report: SimonMed Patient Data Breach
## Executive Summary
U.S. medical imaging provider SimonMed Imaging suffered a data breach between late January and early February 2025, resulting in the compromise of sensitive data belonging to over 1.2 million patients. The breach was attributed to the Medusa ransomware group, which exfiltrated 212 GB of data. SimonMed responded by engaging in containment, enhancing security controls, and offering identity theft protection to affected individuals, suggesting a likely ransom negotiation occurred.
## Incident Details
- Discovery Date: January 27, 2025 (Alert received from a vendor)
- Incident Date: January 21, 2025 – February 5, 2025 (period of unauthorized access)
- Affected Organization: SimonMed Imaging
- Sector: Healthcare (Medical Imaging and Radiology)
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: On or around January 21, 2025
- Vector: Not explicitly stated, but likely related to the initial vendor alert received on Jan 27th.
- Details: Unknown initial compromise point, leading to three weeks of unauthorized access.
### Lateral Movement
- Details: Attackers maintained access between January 21 and February 5, 2025, collecting and staging 212 GB of data.
### Data Exfiltration/Impact
- Date/Time: Claimed by Medusa on February 7, 2025.
- Details: Exfiltration of 212 GB of patient data, including full names, ID scans, spreadsheets with patient details, payment details, account balances, medical reports, and raw medical scans (MRI/CT, etc.).
### Detection & Response
- Date/Time: January 27, 2025 (Detection)
- Details: SimonMed learned of the incident from a vendor. An investigation confirmed suspicious activity the following day (Jan 28). Response included immediate containment steps and security enhancements.
## Attack Methodology
- Initial Access: Undisclosed.
- Persistence: Involved maintaining unauthorized access for approximately three weeks (Jan 21 – Feb 5).
- Privilege Escalation: Not detailed, but access to sensitive data suggests elevated privileges were obtained.
- Defense Evasion: Not detailed by SimonMed, but successful data exfiltration indicates successful evasion for a period.
- Credential Access: Likely, given the breadth of data accessed, including payment details.
- Discovery: Attackers likely performed internal reconnaissance to locate and collect 212 GB of sensitive data.
- Lateral Movement: Implied by the access to multiple data repositories containing patient information.
- Collection: Gathering PII, financial data, medical reports, and raw scans.
- Exfiltration: Transfer of 212 GB of data, demonstrated by the Medusa leak site posting.
- Impact: Confidential medical and personal data belonging to 1.2 million patients was stolen and held for a $1 million ransom.
## Impact Assessment
- Financial: Ransom demand was $1 million (plus $10,000 extension fee). Outcome cost unknown, but services were offered to victims.
- Data Breach: Records of 1.2 million individuals impacted. Highly sensitive data including PII, financial information, medical reports, and raw diagnostic scans were stolen.
- Operational: No explicit mention of operational shutdown, but the investigation and security remediation likely caused internal disruption.
- Reputational: Public notification was required due to the scale of the breach involving highly sensitive medical data.
## Indicators of Compromise
- Network indicators: None provided in defanged format (specific communication infrastructure used by Medusa).
- File indicators: Data leaked included ID scans, spreadsheets, medical reports, and raw scans.
- Behavioral indicators: Unauthorized long-term network access (3 weeks); data staging and exfiltration exceeding 200 GB.
## Response Actions
- Containment: Immediately began investigation upon vendor alert; took steps to contain the situation.
- Eradication: Resetting passwords; adding Endpoint Detection and Response (EDR) monitoring.
- Recovery: Removing third-party vendors' direct access to systems; restricting inbound/outbound traffic to trusted connections only. Notified law enforcement and hired data security professionals. Victims offered Experian identity theft services.
## Lessons Learned
- Third-party vendor risk is significant, as the incident was initially flagged by a vendor.
- Insufficient or poorly monitored network access controls allowed unauthorized access for over three weeks.
- Immediate layering of security controls (EDR, MFA enforcement, access restriction) was necessary post-discovery.
## Recommendations
- Conduct a comprehensive review of all third-party vendor access privileges, implementing the principle of least privilege and continuously monitoring vendor activity.
- Enhance network traffic monitoring (inbound/outbound) to detect large-scale data staging or exfiltration patterns immediately.
- Ensure multi-factor authentication (MFA) enforcement across all critical systems and administrative accounts proactively.
- Review existing EDR/security tooling to ensure comprehensive coverage across the environment to prevent extensive dwell times.