
In mid-October 2025, radiology provider SimonMed Imaging revealed that its systems were breached in a cyberattack that impacted approximately 1.27 million individuals. According to TechTarget, the attack was claimed by the Medusa ransomware group, an extortion-oriented threat actor linked to more than 300 attacks against infrastructure, education and healthcare organizations.
Data Breach Overview
On January 21, 2025, SimonMed found suspicious activity tied to a vendor’s security incident. The unauthorized access period was between January 21 and February 5, 2025.
According to TechTarget, SimonMed said it “immediately began resetting passwords, implementing endpoint detection and response monitoring, removing third-party vendor direct access to systems, improving multifactor authentication and notifying law enforcement.”
The vendor notification triggered the chain of discovery, illustrating how third-party risk continues to be a major vector. Medusa claimed responsibility and is known to have been flagged in a joint alert by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi‑State Information Sharing and Analysis Center (MS-ISAC) in March 2025.
Why the Data Breach Matters
For a provider operating across 11 states and 170 medical centers, as SimonMed does, the scale of exposure touches not just PHI (protected health information) but also operational trust.
The incident underscores how healthcare organizations remain prime targets for ransomware and large-scale data theft. From a downtime and continuity standpoint, when access to data and systems is disrupted or at risk of being disrupted, patient care and regulatory compliance are on the line.
3 Key Takeaways
- Third-party/vendor risk is front and center
SimonMed’s exposure stemmed from a vendor incident. Organizations must maintain strong oversight of vendor access, privileges, and monitoring.
- Rapid detection & response matter
SimonMed triggered password resets, implemented endpoint detection and response monitoring, and removed vendor access once the incident was identified. But the unauthorized window ran for nearly two weeks. That’s a long window in today’s threat environment.
- Downtime isn’t optional
Even if data isn’t irrevocably lost, access to systems may be prevented, encrypted or held hostage. If your systems stop functioning or you shut them down defensively, you still need to keep patient care, clinical workflows and administrative operations running.
How dbtech’s Downtime Workstations Help
When a data breach hits, especially one involving ransomware or unauthorized system access, many organizations forget one crucial angle: what happens if your primary systems go offline?
At dbtech, we offer downtime workstations for $299 that can be rapidly deployed in the event your main systems are unavailable. These workstations are pre-configured, secure, and ready to handle essential clinical or administrative tasks like chart access, patient check-in/checkout, basic imaging viewing and more.
While your main systems are being restored, forensics completed, or ransomware negotiated, these workstations keep the lights on. They enhance your resilience and minimize service disruption. By incorporating downtime readiness into your incident response plan, you’re not just reacting to a breach, you’re operationalizing continuity.
Prepare for Downtime with dbtech
The SimonMed breach is a stark reminder that healthcare organizations continue to be high-value targets, and that vendor/access vectors are a persistent weak spot. But beyond the “how” and “why” of the breach, the operational impact, particularly in terms of downtime, business interruption and patient-care continuity, deserves equal attention.
By integrating solutions like dbtech’s downtime workstations into your incident-response and business-continuity planning, you can ensure that when the worst happens, you’re not scrambling for the basics. At just $299, it’s a relatively modest investment that can pay dividends when systems are under siege.
If you’d like to learn more about how dbtech’s downtime workstation model works, or how to integrate it into your cyber-resilience strategy, talk to our team today.