
In a recent podcast interview, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, sits down with host David Braue to discuss the news that SimonMed Imaging was targeted by the Medusa ransomware group, which claimed to have stolen 200 GB of data, according to SecurityWeek. The podcast can be listened to in its entirety below.


Welcome to the Data Security Podcast, sponsored by Cimcor. I'm your host, David Braue. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way.

You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.


David: Joining us today is Scott Schober, a cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books "Hacked Again" and "Senior Cyber." Scott, thanks for joining us today.

Scott: Yeah, wonderful to be with you again, David.

David: So, another day, another breach, really. This time, the target here is SimonMed Imaging. Now, this is a company a lot of the listeners would probably be aware of. You go to the doctor, they tell you to go get an X-ray, or an MRI, or an ultrasound, or whatever, and you're probably going to go to a SimonMed place to get that done. This is part of healthcare treatment for millions of people, and they got done, didn't they? Tell me what happened.

Scott: Yeah, I think this was a major breach in the sense that, first of all, looking at the scope and size of SimonMed Imaging, 170 facilities across 10 states, I think approximately 1.2 million patients affected, and it was basically a ransomware attack, Medusa Ransomware Group, which we hear more about lately, with a lot of these ransomware attacks that are very targeted and certain niches, in this case, certainly in this kind of healthcare sector there, and they've stolen over 200 gigabytes of sensitive data, and they said, hey, pay up, you know, a million dollar ransom is what's believed. And they're not 100% clear on it either, which I always find very strange, because we don't know, did SimonMed pay the ransom? They didn't publicly confirm it, I guess. At least from my research, I couldn't find it.

However, the ransomware group's data leak site suggests that a payment happened, or something was negotiated out because their name disappeared off the list of open issues or open cases that they're working with. So, I thought that was interesting. And the breach happened, and this was always the case, I think, when we chatted. It happened some time ago. It was back, I think, in early January, into February, a short period when the data initially was actually compromised. And then we find out about it as things unfold and investigations, so on and so forth, we learn a lot more. And they went from about 500 individuals initially, they reported were affected, but as they dug in deeper and deeper, they realized that 1.2 million patients were affected, so that grew by a very large factor, I think.

David: That is a very big difference. I find this strange that this happens so often. A company says, oh, yeah, it was only 100 people. Oh, wait, it was 12 million. Counted again.

Scott: And I think that's part of the fear about wanting to report what happened to kind of get it behind them, or get ahead of the story, so they're not looking like they're fumbling. And in the process of it, to me, in hindsight, it looks like they were fumbling.

They got out there too quick, got ahead of themselves, and said, hey, it's not that big a deal, it's only about 500 people impacted, it's not that big. And then, of course, we learn how big it really is, and then it kind of opens your eyes to, oh no, well, what actually was compromised? Well, what actually do you know, and where is that data, and how valuable is it, and why does it matter? And you start asking so many more questions when piecemeal comes out. But it does, I think, David, help us to appreciate that, or illustrates maybe to the point, how complex these evolving breaches are with investigations, and how forensics teams, as they're digging in initially, learn more and build on that, and suddenly we hear about it, and we understand the full scope, but it's down the line that we really… these things are revealed.

David: I wonder if this isn't an unintended consequence of the pressure that's been on, you know, particularly critical infrastructure companies, and I think healthcare is considered to be critical infrastructure, to report breaches very quickly. There's, you know, statutory timeframes for at least raising the alarm and letting people know that there's been a breach, and maybe that's just the fact that within, you know, what is it, 72 hours, or however many hours that they need to, depending on the, I guess, the industry.

They've only been able to determine in that time that 500 people were impacted, but, you know, give us 2 weeks, and suddenly we found all this other stuff as well. So maybe that's a consequence of that structure that's been put in place.

Scott: Yeah, I think that's a really good point to bring up, and I think also, looking at that sector of healthcare, I notice over the past few months, healthcare organizations are really a prime ransomware target, and in part because they're handling very highly sensitive data. They're operating under time constraints when people's lives are at play there, so what happens? There's more leverage. They're more likely to pay the ransom.

And cybercriminals know this, and they're using this to their advantage, and really honing into that healthcare sector, I think, and they're having a lot of success with it as well, despite what a lot of their claims are, that they would never target healthcare or hospitals or emergency wards because people are, you know, they never want to do anything that would harm individuals. They say that, but on the other side of the coin, we really see that they are targeting it.

And it's a very lucrative market, and they're making off like bandits, I think, in many of these cases, which bothers me, knowing that they're really honing in, and it's affecting people's lives. I always ask myself, well, if I knew my son or daughter was in the hospital, and now there's a ransom, the hospital's frozen in time, and now they couldn't be treated, I'd be at the front desk screaming as well as any other concerned parent. They'd be… what do you mean? Well, pay the ransom! You gotta get this X-ray to my son or my daughter, or whatever the case may be. So, it really motivates people when they're in that niche market, and really taking advantage, I think, of the… using the emotional aspect of it as well. Like, we always hear about cybercrime. If somebody is pushing you to do something, it's probably questionable, or a sense of urgency, clicking on a phishing email. Well, they're kind of taking this to the next level, affecting human emotion, and holding everybody hostage or ransom, I guess, and it's just not right.

David: It's definitely not right, but it's working well for them, by all accounts.

Scott: Yeah, exactly.

David: Another interesting aspect of this breach of SimonMed is that it's a story we've heard many times before. Apparently, the point of ingress was through a trusted vendor that had been given access to their systems. It's very hard, because something like an imaging company, the business model requires giving people access. Doctors need to be able to get in to get those results, to be able to download the images of people's X-rays, CAT scans, or whatever. So by its nature, this business is an open, as it were, business. People need to be able to get access to this data, and you can't always vet who they are and who the partners are, and I mean, it's just part of this massive network of companies. How do even well-defended organizations get breached through their partners? You would think that there were better controls on this, given that they know how this business works.

Scott: Yeah, and that's a brilliant point you make, and a lot of times, I think, looking at companies' risks, and when I've talked to different individuals and companies, a lot of times we tend to—all of us are guilty of this—we look within our own organization only. But just as important, it's those who you work with, your partners, your vendors. If they're not secure, well, that's going to be the weakest link. That's what the vulnerability is, that's where cybercriminals are going to exploit, and that's their back door, or their passage in, the conduit in to get into your network and start causing problems. And again, this niche, I find very interesting, because we always talk about data breaches, and it's what's compromised? Oh, the name, the address, the date of birth, the social security number, and in some cases, the driver's license. And again, all of those things were compromised, including usernames and passwords. But even more important, I think, are the high-value data sets—medical records and imaging data. You add those two additional data sets, and now that's prime for identity theft, insurance fraud, and targeted scams. That combination makes that data set very lucrative. These things, to me, are very well orchestrated and planned, because they're going for those gems, or those jewels, those additional layers of data set, because they could now really get a lot more return for the hack.


We'll be right back after a quick word from our sponsor.

Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's C-I-M-C-O-R dot com slash C-I-M-T-R-A-K.


And now, back to the podcast.


David: Well, there really is, particularly in a healthcare environment, there tends, as you're saying, to be that wealth of information, because they have, you know, the healthcare providers have their own identity verification requirements, they're handling your claims with insurers, they're handling interactions with doctors, so this sort of protected health information, PHI, is just flowing freely within a company like this, and anybody that can tap into that can get access to some pretty significant and sensitive stuff, no question at all about that.

Medical service providers are obligated by HIPAA. There are a lot of laws about protecting this sort of thing that they're supposed to be doing. Do we have a sense of whether SimonMed had been doing this as they were supposed to? I mean, was it a breach on their side that they had perhaps commissioned, you know, given permission to trusted partners and then not followed up to make sure they were actually doing the right thing? How do you do that?

Scott: Great points. I think all these types of breaches, I always back up and ask myself the basic questions: how could this have been prevented? And again, I don't know for certainty, they didn't really disclose to that level, but one of probably about four things or more were not done properly.

Strong audits, zero trust architecture, and limiting how much access these third parties could have to the particular data sets. We always talk about network segmentation, so if a breach happens, they don't just get in there and have access to everything, but maybe only these limited channels that they could have access to. So if it wasn't properly segmented, that could cause other problems. And then, of course, was this third party effectively using MFA, multi-factor authentication, so that all the stored data was properly encrypted, and especially that key data set that we talked about, these health records and credentials and things like that that have a lot of value, were they using that MFA? I'd be curious. And then even what I call, kind of, proactive things: regular response drills for ransomware. How are they done? Immutable data backups, are they stored offline, off-site? Those types of very basic things. Were those things all in place? Which helps to give it a preventative nature.

My guess is they were lax in some of those, probably especially multi-factor authentication. In fairness, it is hard in this case for SimonMed Imaging to validate 100% that every third party is doing each and every one of these things. It's kind of an ongoing process with education, awareness, audits, checkups, because you'll find some people just don't do it. And they say, that's not necessary. I don't need a strong password. It takes too long for this MFA, just make an exception kind of thing, at least they're justifying it in their head. And that's how hackers move in and exploit these vulnerabilities when somebody gets lax. And if you're not working at the parent company and you're a third-party vendor, that's a small mom-and-pop, you might be a little more lax, and that does happen, so those are things that we have to certainly consider.

David: Definitely a lot of potential ways this could have gone wrong. I mean, even the technical architecture we're talking about, each one of these diagnostic systems generally comes as its own sort of bespoke system, and then you're trying to connect all those, move the data between them. You know, these are things from different vendors using different protocols and data standards. It's not like it's an easily managed data infrastructure, so there's always going to be a lot of… a lot of leaks in the dam, so to speak.

But apparently, these… the hackers were in the network for about 2 weeks. Like, how could they not only get in, get the data, but just kind of hang around a bit? It's like they just decided to take a vacation inside the network of SimonMed and see what they could find. How could they not be detected all this time?

Scott: That's a concern right there. They should be immediately alerted, because there are active systems that are constantly monitoring, looking for anomalies and things that aren't normal within the network. And oftentimes, I hear that cybercriminals are getting really good at this. They get in, and they sit quietly, and they observe. And what that is, is sometimes they're seeing how things are orchestrated within the network, how data is moving from area to area, from this segment of a network to another, who approves things, who oversees things. They can then cover their tracks better.

And they could mimic things, and they could exploit more things. Suddenly, if it looks like a doctor signed off on a bunch of procedures and billing information, so on and so forth, they could use that to their advantage, and suddenly, millions of dollars could be used and come over to their side.

It's to the point where it's so scary, especially in the healthcare sector, David, that now, at least within the United States, the healthcare sector represents more than 40% of all the publicly reported data breaches. That is a tremendous shift from where it was a couple of years ago to where it is now. It's creeping up toward almost half of it. And I think the average cost I was reading about after researching this article for a healthcare data breach is over $10 million right now in the U.S. That's according to the 2025 report by IBM that they put out there. And it's really the highest in any industry, so these ransomware attacks targeting the healthcare sector, extremely effective. In other words, they're just gonna keep getting worse until more is done up front. Some of the things that we talk about, the basic, what we call cyber hygiene and third-party risk management. They're going after that sensitive patient data, and they will continue to do it until more is done.

David: Most definitely, and it's interesting you talk about the cost of these breaches. I mean, certainly there's an immediate cost in the recovery and the reputational impact, managing the interactions with the people that are affected, but there are, of course, consequences to this sort of thing as well. I noted that in Oklahoma, just a couple of weeks ago, a law firm called Fetterman & Sherwood is now investigating the data breach, and there are a couple others that have announced that they're looking into this as well. You know, the lawyers are sitting in. We can only imagine what extra costs come here. I mean, this is… It's a reminder that this isn't just, you know, data getting out there and people being upset about it. I mean, there are legal consequences for the company. There are, you know, potential regulatory issues. You know, HIPAA violations are not a good thing for a major service provider. It really, you know, starts off with just a few people breaking in and taking the data, but it really starts to snowball very quickly, doesn't it? Particularly when medical information is involved.

Scott: Yeah, it's a brilliant point, and I think the healthcare industry as a whole, healthcare providers, they have to treat cybersecurity as a matter of patient safety, not looking at it, perhaps, from a standpoint of IT management, or same old thing, and it needs to be looked at differently, because again, lives are at stake, and hospitals are, unfortunately, well known for running old legacy systems, and they're relying upon lots of third-party vendors and trying to save a buck because of the high costs of healthcare, and again, those weak links will constantly be exploited, and I think they have to just focus in on shoring up things and do a much, much better job than they are doing, because now it's going to start affecting their bottom line. And that's usually when people and organizations, unfortunately, react. When it starts affecting their bottom line.

They're gonna say, wait a minute, we're gonna go out of business here. They're not thinking about patient safety, obviously. They're thinking about numbers, but now it's gonna catch up and really bite them, I think. So, it's time for a wake-up call, especially throughout the healthcare sector in the U.S.

David: Interesting times, as always. Scott, thanks so much for your time today.

Scott: Yeah, thanks again for having me on, Dave, appreciate it.

David: Always a pleasure. I'm David Braue, and joining me today was Scott Schober, Cyber Expert, CEO of Berkeley Varitronics Systems, and author of the popular books "Hacked Again" and "Senior Cyber."


The Data Security Podcast is sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.

To hear our other podcasts and to watch our videos, visit us at cybercrimemagazine.com.


Post by Lauren Yacono
November 4, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time