Active breach tracker MD Disclosed May 15, 2025

Anne Arundel County Department of Health Data Breach 2025: Ransomware Exposed Patient Names, Addresses, and Diagnoses · MD · Filed With HHS OCR

Anne Arundel County (Maryland) confirmed a January-February 2025 ransomware intrusion that copied files from the County's network, including patient records held by the Department of Health. The County filed an initial HIPAA report with HHS OCR on May 15, 2025 using a placeholder count of 500 individuals; the final figure remains pending file review. Exposed elements include full name, address, and medical diagnosis or condition.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 28, 2025

Unauthorized access to Anne Arundel County network begins (per County forensic review)

Feb 22, 2025

County identifies suspicious activity on its computer network; containment and law-enforcement engagement begin

Mar 6, 2025

County Executive launches public cyber-incident webpage and posts first update

Mar 14, 2025

County Executive Steuart Pittman issues second public update on the ongoing cyber incident

May 15, 2025

Initial HIPAA breach notification filed with HHS Office for Civil Rights using placeholder count of 500 individuals; public Notice of Data Privacy Event published

Oct 23, 2025

County refreshes cyber-incident page; final affected count still pending file review

Data exposed

02

Health records

Don't expire and can't be reissued

Medical diagnosis or condition

03

Contact & insurance

Phishing + targeted scams

Full name Address
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Anne Arundel County, Maryland confirmed that an external threat actor accessed a limited subset of the County’s network between January 28 and February 22, 2025, exfiltrating files that included protected health information held by the Anne Arundel County Department of Health. The County identified suspicious activity on February 22, 2025, engaged outside cybersecurity specialists and law enforcement, and continued normal operations on backup systems within days. On May 15, 2025, the County issued a public Notice of Data Privacy Event and filed an initial HIPAA breach report with the HHS Office for Civil Rights using a placeholder count of 500 individuals, with the final figure to be updated once the file review concludes. Information potentially involved varies by individual but may include full name, address, and medical diagnosis or condition. The County has stated that no financial information appears to have been affected.

Timeline

  • January 28, 2025 — Unauthorized access to the Anne Arundel County network begins, per the County’s forensic review.
  • February 22, 2025 — The County identifies suspicious activity on certain systems and triggers containment. Outside cybersecurity firms and law enforcement are engaged the same day.
  • March 6, 2025 — County Executive Steuart Pittman launches a public cyber-incident webpage and posts the first update describing service impacts.
  • March 14, 2025 — Second County Executive update; most services reported back online using existing IT systems plus manual processes.
  • May 15, 2025 — The County publishes its Notice of Data Privacy Event and files an initial HIPAA breach report with the HHS Office for Civil Rights at the placeholder 500-individual level. Notification mailings to identified individuals are stated to follow once the file review is complete.
  • October 23, 2025 — The County refreshes its cyber-incident page; the final affected-individual count remains undisclosed pending completion of file review.

What was exposed

Per the County’s own Notice of Data Privacy Event and corroborating reporting in HIPAA Journal, CBS Baltimore, and The Baltimore Banner, the data elements potentially involved vary by individual and could include:

  • Full name
  • Address
  • Medical diagnosis or condition

The County states there is no indication that financial information was affected. No Social Security numbers, driver’s license numbers, or insurance ID numbers are listed in the public notice for Department of Health patients. The scope of the County’s broader cyber incident extends beyond the Department of Health, but the Department of Health files are the population for which protected health information is confirmed to have been involved.

The threat actor has not been publicly identified, and the County has not indicated whether a ransom demand was made or paid. No leak-site posting of County data has been independently reported in the sources reviewed.

What the entity is offering

The May 15, 2025 notice does not include an offer of complimentary credit monitoring or identity-theft protection services. Instead, the County directs affected individuals to monitor account statements, credit reports, and Explanations of Benefits and provides general guidance on placing fraud alerts and security freezes with the three nationwide consumer reporting agencies. A dedicated phone line (877-274-8983) and the cyber-incident webpage are listed as the primary points of contact.

The County has said it will mail individual notification letters to identified affected persons through the address it has on file once the file review is complete.

Class-action and regulatory posture

Federal: the HHS OCR portal entry remains open, with the 500-individual figure flagged as a placeholder pending the final review. No civil money penalty or corrective-action plan has been announced.

Class action: as of this writing, no consolidated complaint has been publicly docketed in Maryland federal or state court against Anne Arundel County or its Department of Health for this incident. Srourian Law Firm has publicly announced an investigation and solicitation of potential class members. Sovereign-immunity defenses available to a Maryland county under the Local Government Tort Claims Act are likely to complicate any private class action; that is one reason private litigation against county governments often resolves more slowly than against private healthcare providers.

What to do if you may be affected

  • Watch for a notification letter from Anne Arundel County Department of Health. The County will mail letters to identified individuals once its file review concludes. The letter will list the specific data elements involved for your record.
  • Freeze your credit with Equifax, Experian, and TransUnion. Because the County is not offering complimentary credit monitoring, a self-initiated security freeze is the highest-leverage protective step. It is free and reversible at each bureau.
  • Watch for medical identity theft. Because diagnosis information was potentially involved, review every Explanation of Benefits from your health plan. Request a copy of your claims history from your insurer if you see services you do not recognize.
  • Be alert to targeted phishing. A combination of name, address, and a known medical condition can support highly convincing impersonation of the Department of Health, your provider, or your insurer. Verify any unsolicited outreach through a number you look up independently rather than one provided in an email or call.
  • Call the County helpline at 877-274-8983 or visit the County’s cyber-incident page if you have questions about whether your records may have been involved.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.