
Major Radiology Hacks — Why Healthcare Data Governance Needs Rebooting

April 18, 2026 Cyber Trends


A pair of radiology practices have disclosed significant hacking incidents with profound implications:

SimonMed Imaging (Arizona) reported a breach affecting approximately 1.28 million patients. The alleged perpetrator is the cyber-crime group Medusa, which allegedly exfiltrated roughly 212 GB of data, including mammogram records and personally identifiable information (PII). (HealthcareInfoSecurity)

Doctors Imaging Group (Florida) disclosed that a network server was accessed in November 2024, compromising nearly 172,000 individuals. The exposed information included names, addresses, dates of birth, medical record numbers, health insurance details, Social Security numbers, and other sensitive health and financial data. 


Key Insights for the Healthcare & Risk-Managed Organization

Third-party systems are high-impact attack vectors
These radiology practices serve as downstream providers in broader healthcare delivery chains (hospitals, insurers, diagnostic centres). Their compromise illustrates that vendor and specialty-provider systems often lack the same governance rigour as core hospital IT. From a risk-management standpoint, every supplier, lab or imaging centre must be treated as a material part of your attack surface.

Data breadth and depth amplify liability
The types of data exposed go beyond basic contact information. They include medical histories, images (e.g., mammograms), insurance claims, and finance/accounting details. This breadth means exposure leads not only to privacy harm but also to potential identity theft, insurance fraud, credential misuse, and regulatory non-compliance. Governance frameworks must categorise data by sensitivity and apply controls accordingly.

Persistence and visibility matter
In the SimonMed case, the initial report to authorities estimated only 500 affected individuals, but further investigation revealed a much larger scope (~1.3 million). That indicates weaknesses in detection, incident management and forensic readiness. Better visibility, logging, evidence retention and escalation protocols are required.

Extortion & leak-threat models continue to dominate
The Medusa group is noted for “triple-extortion” tactics (data theft + leak threat + service disruption). (HealthcareInfoSecurity)
Organizations must assume that once data is exfiltrated, public exposure and downstream misuse are likely. Cyber-insurance, breach readiness and communication plans must reflect that scenario.

Regulatory & reputational risks are multiplying
Healthcare breaches trigger HIPAA/HITECH investigations, state-law notifications, class-action litigation, and patient trust erosion. The large scale of these incidents increases the likelihood of regulatory scrutiny and elevates financial and reputational exposure. Organisations must integrate cyber incident risk into enterprise risks and board-level reporting.

InfoSight’s Role & Recommendations

Conduct supplier-ecosystem cyber-risk assessments: map all providers (imaging, labs, claims processors) and apply standardised risk rating, contract mandates and audit oversight.

Prioritise data sensitivity classification: for PII + health data + financial records, apply segregation, stronger encryption, multifactor access and continuous monitoring.

Enhance incident-readiness and forensic capability: develop playbooks for detection, scoping, classification of careless vs malicious activity, and third-party forensic vendor engagement.

Align cyber governance with business-risk and board agendas: translate technical incidents into patient harm, litigation costs, regulatory fines, brand damage and continuity risk.

Embed threat-landscape intelligence: stay updated on adversary tactics (e.g., Medusa) and adjust controls/response accordingly.

These breaches reaffirm that healthcare systems — especially speciality providers and service vendors — remain critical risk nodes. Cyber-security strategy must expand beyond perimeter defence into vendor governance, data-centric controls and operational resilience.
