Medical Data Breach: Florida Firm Discloses Patient Info Stolen in Nov 2024 Attack — Nearly a Year Later
Nearly a year after the incident, a Florida-based medical company has disclosed the full scale of a major data breach that occurred in November 2024. The organization, specializing in diagnostic imaging, confirmed the exposure of confidential information belonging to more than 170,000 patients. The compromised data included not only personal identifiers but also financial and medical records.
In letters sent to affected individuals, Doctors Imaging Group revealed that the attackers gained access to medical charts, insurance policies, diagnostic information, procedure codes, and reimbursement claims. The breach also exposed financial account numbers, dates of medical visits, and patient identification numbers. Alongside these, names, addresses, birth dates, and Social Security numbers were compromised — leaving attackers with both sensitive medical data and critical personal identifiers.
Although the breach took place late last year, the organization only notified the U.S. Department of Health and Human Services of its internal investigation findings on August 29, 2025. The reasons behind such a significant delay remain undisclosed. Company representatives have refrained from revealing the nature of the attack or confirming whether ransomware was involved. Likewise, no evidence has surfaced on specialized leak forums linking the incident to any known threat group.
The company maintains that it takes data protection seriously and is now reviewing its existing security practices. It stated that law enforcement and regulatory bodies were notified immediately after detecting suspicious activity, and a thorough assessment of the network’s vulnerabilities was initiated. As part of its remediation efforts, Doctors Imaging Group announced plans to deploy new security tools and revise its internal information security policies.
The nearly year-long delay in notifying victims has drawn particularly harsh criticism, as it left ample time for cybercriminals to exploit the stolen data for fraud or identity theft. Such sluggish disclosure effectively deprived victims of the chance to freeze accounts, change passwords, or alert insurance providers in a timely manner.
During this period, the stolen data may have circulated on the dark web, been sold in identity marketplaces, or used to open credit lines, file medical claims, or conduct other fraudulent activities in victims’ names. This delayed response not only undermines trust in healthcare institutions but also amplifies the long-term consequences of the breach, transforming a single incident into a persistent threat for thousands of patients.
Moreover, the company did not offer the affected individuals the standard post-breach assistance — such as credit monitoring or identity theft protection services — commonly provided in such cases across the United States. Instead, it merely reminded victims of their right to one free annual credit report and advised them to monitor their financial activity independently.
This decision stands as a rare exception for a breach of this magnitude in the U.S., where victims are typically granted extended protection and support through third-party agencies.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
