Florida X-Ray Clinic Takes a Year to Tell Patients that Hackers Stole their Medical Data

The Florida-based X-ray provider Doctors Imaging Group (DIG) has confirmed a major cyberattack that exposed sensitive personal and medical data on more than 170,000 people, nearly a year after the breach occurred.

According to a disclosure posted on the company’s website, unauthorized access occurred between Nov. 5 and Nov. 11, 2024, when attackers copied data from DIG’s internal network. The breach wasn’t fully confirmed until Aug. 29, 2025 after a forensic review identified the specific files accessed and the people affected.

The company then notified U.S. regulators, including the Department of Health & Human Services.

Data exposed

In its notification to patients, DIG said it responded swiftly to the breach, initiating an investigation, assessing its network’s security, and mailing letters to affected individuals.

According to the notice (PDF), the investigation found that the stolen files included a broad range of personal, medical, and financial data. Among the compromised fields were:

·      Full names, addresses, and dates of birth

·      Medical record and patient account numbers

·      Health insurance policy information

·      Details of diagnoses, treatments, and claims

·      Financial account numbers and types

·      Social Security Numbers

DIG said it “takes the [cyberattack] and the security of information in our care very seriously,” and pledged to review and strengthen its policies and tools to reduce the risk of future incidents.

The company did not offer free credit monitoring or identity protection services to impacted individuals — a common response among organizations after breaches.

Instead, DIG advised patients to monitor financial statements, request free credit reports annually, and consider placing fraud alerts or credit freezes with the major U.S. credit bureaus.

Critics have flagged the prolonged delay in disclosure and lack of offered protections as concerning. The breach came to light nearly a year after the intrusion. DIG has yet to specify whether the incident was tied to a known ransomware group or other threat actor.

Healthcare in the crosshairs

Large-scale data breaches are common in the U.S. healthcare sector, which is often targeted due to the value of personal health and financial records. While the number of affected people is substantial, at 171,862, it is in line with many other breaches in the industry.

In 2025 alone, hundreds of medical providers have reported ransomware attacks or data breaches, affecting millions of patients. The combination of sensitive data, legacy IT systems, and critical operations continues to leave hospitals and imaging centers in the crosshairs.

The incident underscores an urgent need for continuous monitoring and rapid breach response plans — as well as mandatory identity protection measures for affected patients.

How stolen medical data is used for fraud

Medical and personal information of this kind is highly valuable on underground markets and dark web forums, often fetching higher prices than stolen credit card details.

Here are some examples of how attackers monetize and exploit such data:

Dark web resale:
Full medical profiles — sometimes called “fullz” — can sell for $60–$250 each, compared to a few dollars for a stolen credit card. These records are often bundled and sold to fraudsters seeking comprehensive identity data for multiple victims.

Medical identity theft:
Criminals can use stolen patient data to file fraudulent insurance claims, obtain expensive medical procedures or prescription drugs under the victim’s name, or submit false reimbursement requests. Victims often don’t realize they’ve been targeted until they receive unexplained bills or insurance denials.

Financial and tax fraud:
With Social Security Numbers and banking information, cybercriminals can open new lines of credit, apply for loans, or file fake tax returns to steal refunds. This type of fraud can persist for years because medical data tends to remain static — unlike passwords or credit card numbers that can easily change.

Phishing and social engineering:
The data can also be used to craft targeted phishing campaigns, where victims receive emails or calls impersonating their healthcare providers, insurers, or even government agencies. These scams often trick victims into providing further credentials or payments.

Extortion and blackmail:
In severe cases, threat actors may try to extort victims or organizations by threatening to leak sensitive health information — a growing tactic among ransomware groups targeting the healthcare sector.

Recommendations

As a general rule, never use the same login information (especially a password) for multiple accounts. If one of those services gets breached, attackers can (and likely will) use that stolen password to hack your entire digital life. Instead, use unique, hard-to-guess passwords for each of your online accounts. Consider using a password manager to make the job easier.

Anyone affected by a data breach should consider a monitoring service. Bitdefender Digital Identity Protection alerts you if your data has been compromised or leaked online, identifies the risks you face, and provides guidance on how to protect yourself.

You may also want to read:

UK Fines 23andMe $3 Million Over 2023 Mega Breach

Oxford City Council Hit by Cyberattack. Legacy Data of Election Workers Potentially Compromised

Victoria's Secret Exposed? Retailer Takes Down Website to Address ‘Security Incident’