Florida-based Doctors Imaging Group has admitted that the sensitive medical and financial data of 171,862 patients was stolen during the course of a November 2024 cyberattack.

It said in a letter sent to those affected that their admission dates, financial account numbers and type, patient account numbers, medical record numbers, health insurance details, and medical treatment and claim information was stolen by cybercriminals.

The usual personally identifiable information (PII), such as names, addresses, and dates of birth, was lifted too, as were Social Security numbers.

The provider of medical scanning services such as MRI and X-rays machines is only now getting around to telling people, as it completed its investigation into the incident on August 29, it told the Department of Health and Human Services in a recent filing.

Doctors Imaging Group did not specify the nature of the attack, although The Register couldn’t find any reports since the attack took place to suggest it was claimed by any ransomware group.

The provider insisted that it takes information security seriously, and is committed to improving in this regard.

“We take the [cyberattack] and the security of information in our care very seriously,” it said in a letter [PDF] to those affected. “We moved quickly to respond and investigate the suspicious activity, assess the security of our network, and notify potentially impacted individuals.

Senator blasts Microsoft for ‘dangerous, insecure software’ that helped pwn US hospitals

READ MORE

“We notified federal law enforcement and relevant regulatory authorities. We mailed letters to individuals where address information is available as information became available. As part of our ongoing commitment to information security, we are currently reviewing our policies and procedures, as well as assessing new cybersecurity tools, to reduce the risk of a similar incident from occurring in the future.”

The medical company advised victims to scour their financial statements for any signs of fraud or identity theft and report any suspicious activity to the relevant authorities.

In something of a rarity for US data breaches, Doctors Imaging Group did not offer victims complimentary identity theft or like services from any of the three big credit agencies.

Instead, the org advised victims to make use of the one free credit report to which US citizens are entitled per year, and to place an initial or extended fraud alert on their file at no extra cost. ®