Notice of Data Incident

What Happened?
On January 27, 2025, SimonMed Imaging was alerted by one of our vendors that they were experiencing a security incident.  After receiving this information, SimonMed Imaging (“SimonMed” or “we”) promptly began a review of our own systems and on the following day, January 28, 2025, discovered suspicious activity on our network (the “Incident”).  Upon discovering we were the victim of a criminal attack, we immediately began an investigation and took steps to contain the situation, including resetting passwords, enhancing multifactor authentication, implementing endpoint detection and response monitoring, removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools, limiting only whitelisted traffic into and from our network, notifying law enforcement, and engaging data security and privacy professionals to assist. 

Through our investigation, we determined that there was unauthorized access to our systems between January 21, 2025 and February 5, 2025. During this period, the investigation determined that data pertaining to individuals was affected (‘Information’). There is currently no evidence that any Information has been misused for identity theft or fraud in connection with the Incident.

What Information Was Involved?  
Based on the current findings of the Investigation, the following types of Information may have been impacted: name, address, birth date, date of service, provider name, medical record number, patient number, medical condition, diagnosis and/or treatment information, medical Information, medical imaging, medications, health insurance Information, driver’s license numbers, government-issued ID, social security number and/or tax ID, financial account number, authentication credentials, or biometric identifiers. 

Note that this describes general categories of Information identified as present within the affected systems during the Incident and includes categories that are not relevant to each individual whose Information may have been present.

What We Are Doing. 
Upon becoming aware of the Incident, we immediately implemented measures to further improve the security of our systems and practices, including implementing endpoint detection and response monitoring, removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools, and limiting only whitelisted traffic into and from our network. After determining unauthorized activity occurred on our systems, we immediately began analyzing the information involved to confirm the identities of potentially affected individuals and notify them. We worked closely with data security and privacy professionals to aid in our response and reported this Incident to relevant government agencies.

What Can Impacted Individuals Do?  
The investigation is ongoing and the full list of individuals who were affected is not yet known.  However, out of an abundance of caution, we encourage individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors.  Under U.S. law, individuals are entitled to one (1) free credit report annually from each of the three (3) major credit reporting bureaus.  Additional information and resources are outlined below. 

We take this Incident and the security of information in our care seriously.  If you have additional questions, you may contact 855-720-2147 Monday through Friday from 9:00 am to 9:00pm Eastern Time.

Steps You Can Take to Protect Your Personal Information 

To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. 

Alternatively, affected individuals can contact the three (3) major credit reporting bureaus directly at the addresses below: 

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111  

Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742  

TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213 

Free Credit Report.  It is recommended that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity.  You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three nationwide credit reporting agencies.    

To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.   

You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.   

Fraud Alert.  You may place a fraud alert in your file by calling one of the three nationwide credit reporting agencies above.  A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts.  For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.   

Security Freeze.  You may obtain a security freeze on your credit report, free of charge, to protect your privacy and ensure that credit is not granted in your name without your knowledge.  You may also submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft.  You have a right to place a security freeze on your credit report, free of charge, or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.    

The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.  The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place.    

To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above.  The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.  The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement.  It is essential that each copy be legible, and display your name, current mailing address, and the date of issue.    

Federal Trade Commission and State Attorneys General Offices.  If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state.  You may also contact these agencies for information on how to prevent or avoid identity theft.  Contact information for the Consumer Response Center of the Federal Trade Commission is 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/ or 1-877-IDTHEFT (438-4338).   

Protecting Medical Information. If you are concerned about protecting your medical information, the following practices can provide additional safeguards to protect against medical identity theft.

· Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.

· Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.

· Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.