A ransomware attack in January at Frederick Health Medical Group, a major healthcare provider in Maryland, has led to a data breach affecting nearly one million patients.
With almost 4,000 employees and over 25 locations, Frederick Health is one of Frederick County’s largest employers.
As the health system revealed in a late March notification to patients, the ransomware attack was detected on January 27, which prompted Frederick Health to notify law enforcement and hire a third-party forensic firm to investigate the incident’s impact.
“On January 27, 2025, we experienced a ransomware event affecting our IT systems,” the health system said. “The investigation determined that an unauthorized person gained access to our network and, on January 27, 2025, copied certain files from a file share server.”
“We are mailing letters to individuals whose information may have been involved and for whom we have sufficient contact information,” it added.
Depending on the affected individuals, the attackers stole a combination of sensitive personal information, including patient names, addresses, dates of birth, Social Security numbers, and driver’s license numbers. They also exfiltrated personal health information, such as medical record numbers, health insurance information, and/or clinical information related to patients’ care.
While Frederick Health didn’t share the number of individuals affected by this data breach, the healthcare provider reported the incident to the U.S. Department of Health and Human Services on March 28. HHS has now updated its list of reported breaches, confirming that the Frederick Health data breach impacted 934,326 patients.
While the healthcare provider tagged the incident as a ransomware attack, no ransomware operation has claimed the breach, which suggests that Frederick Health has paid the ransom demand the attackers asked for.
A Frederick Health spokesperson was not immediately available when BleepingComputer reached out for more details.
Earlier this week, Blue Shield of California disclosed a data breach after exposing protected health information of 4.7 million members to Google’s analytics and advertisement platforms.
Yale New Haven Health (YNHHS) has also warned that attackers stole the personal data of 5.5 million patients in a cyberattack earlier this month.
