MedStar Health, a non-profit health system, manages 10 hospitals around the Baltimore-Washington metro region. On October 4, 2025, it discovered a cyberattack and data breach. The forensic investigation revealed that, from September 12, 2025 to September 16, 2025, an unauthorized third party had access to part of its internal systems that stored patient information.
MedStar Health reviewed the compromised files and confirmed on November 12, 2025, that the files included patient information, such as names, birth dates, Social Security numbers, and possibly diagnoses, prescription drugs, lab data, images, medical insurance, and treatment details. According to MedStar Health, it had implemented physical, administrative, and technical safeguards to secure patient data before the attack. In this security incident, however, it failed to identify and prevent the attack. MedStar Health explained that it continually assesses its cybersecurity procedures and will continue to do so.
On December 3, 2025, MedStar Health began mailing notification letters to the affected persons in compliance with the HIPAA Breach Notification Rule. As a preventative measure against identity theft and fraud, the health system offered the affected individuals free credit monitoring and identity theft protection services. The affected people are encouraged to make use of those services and to monitor their explanation of benefits statements and accounts carefully.
The notification letters did not mention that the Rhysida threat group claimed to be behind the attack. Rhysida is known for selling stolen data when the victim does not pay the ransom. Any information not sold is then posted on its dark web data leak site. Rhysida states it stole 3.7 TB of data that includes over 1.8 million files and around 7 million pieces of patient information. It claims that the data has been posted on its dark web data leak site.
