Anne Arundel County Department of Health Data Breach 2025: Ransomware Exposed Patient Names, Addresses, and Diagnoses · MD · Filed With HHS OCR
Anne Arundel County (Maryland) confirmed a January-February 2025 ransomware intrusion that copied files from the County's network, including patient records held by the Department of Health. The County filed an initial HIPAA report with HHS OCR on May 15, 2025 using a placeholder count of 500 individuals; the final figure remains pending file review. Exposed elements include full name, address, and medical diagnosis or condition.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 28, 2025
Unauthorized access to Anne Arundel County network begins (per County forensic review)
Feb 22, 2025
County identifies suspicious activity on its computer network; containment and law-enforcement engagement begin
Mar 6, 2025
County Executive launches public cyber-incident webpage and posts first update
Mar 14, 2025
County Executive Steuart Pittman issues second public update on the ongoing cyber incident
May 15, 2025
Initial HIPAA breach notification filed with HHS Office for Civil Rights using placeholder count of 500 individuals; public Notice of Data Privacy Event published
Oct 23, 2025
County refreshes cyber-incident page; final affected count still pending file review
Jan 28, 2025
Unauthorized access to Anne Arundel County network begins (per County forensic review)
Feb 22, 2025
County identifies suspicious activity on its computer network; containment and law-enforcement engagement begin
Mar 6, 2025
County Executive launches public cyber-incident webpage and posts first update
Mar 14, 2025
County Executive Steuart Pittman issues second public update on the ongoing cyber incident
May 15, 2025
Initial HIPAA breach notification filed with HHS Office for Civil Rights using placeholder count of 500 individuals; public Notice of Data Privacy Event published
Oct 23, 2025
County refreshes cyber-incident page; final affected count still pending file review
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Anne Arundel County, Maryland confirmed that an external threat actor accessed a limited subset of the County’s network between January 28 and February 22, 2025, exfiltrating files that included protected health information held by the Anne Arundel County Department of Health. The County identified suspicious activity on February 22, 2025, engaged outside cybersecurity specialists and law enforcement, and continued normal operations on backup systems within days. On May 15, 2025, the County issued a public Notice of Data Privacy Event and filed an initial HIPAA breach report with the HHS Office for Civil Rights using a placeholder count of 500 individuals, with the final figure to be updated once the file review concludes. Information potentially involved varies by individual but may include full name, address, and medical diagnosis or condition. The County has stated that no financial information appears to have been affected.
Timeline
- January 28, 2025 — Unauthorized access to the Anne Arundel County network begins, per the County’s forensic review.
- February 22, 2025 — The County identifies suspicious activity on certain systems and triggers containment. Outside cybersecurity firms and law enforcement are engaged the same day.
- March 6, 2025 — County Executive Steuart Pittman launches a public cyber-incident webpage and posts the first update describing service impacts.
- March 14, 2025 — Second County Executive update; most services reported back online using existing IT systems plus manual processes.
- May 15, 2025 — The County publishes its Notice of Data Privacy Event and files an initial HIPAA breach report with the HHS Office for Civil Rights at the placeholder 500-individual level. Notification mailings to identified individuals are stated to follow once the file review is complete.
- October 23, 2025 — The County refreshes its cyber-incident page; the final affected-individual count remains undisclosed pending completion of file review.
What was exposed
Per the County’s own Notice of Data Privacy Event and corroborating reporting in HIPAA Journal, CBS Baltimore, and The Baltimore Banner, the data elements potentially involved vary by individual and could include:
- Full name
- Address
- Medical diagnosis or condition
The County states there is no indication that financial information was affected. No Social Security numbers, driver’s license numbers, or insurance ID numbers are listed in the public notice for Department of Health patients. The scope of the County’s broader cyber incident extends beyond the Department of Health, but the Department of Health files are the population for which protected health information is confirmed to have been involved.
The threat actor has not been publicly identified, and the County has not indicated whether a ransom demand was made or paid. No leak-site posting of County data has been independently reported in the sources reviewed.
What the entity is offering
The May 15, 2025 notice does not include an offer of complimentary credit monitoring or identity-theft protection services. Instead, the County directs affected individuals to monitor account statements, credit reports, and Explanations of Benefits and provides general guidance on placing fraud alerts and security freezes with the three nationwide consumer reporting agencies. A dedicated phone line (877-274-8983) and the cyber-incident webpage are listed as the primary points of contact.
The County has said it will mail individual notification letters to identified affected persons through the address it has on file once the file review is complete.
Class-action and regulatory posture
Federal: the HHS OCR portal entry remains open, with the 500-individual figure flagged as a placeholder pending the final review. No civil money penalty or corrective-action plan has been announced.
Class action: as of this writing, no consolidated complaint has been publicly docketed in Maryland federal or state court against Anne Arundel County or its Department of Health for this incident. Srourian Law Firm has publicly announced an investigation and solicitation of potential class members. Sovereign-immunity defenses available to a Maryland county under the Local Government Tort Claims Act are likely to complicate any private class action; that is one reason private litigation against county governments often resolves more slowly than against private healthcare providers.
What to do if you may be affected
- Watch for a notification letter from Anne Arundel County Department of Health. The County will mail letters to identified individuals once its file review concludes. The letter will list the specific data elements involved for your record.
- Freeze your credit with Equifax, Experian, and TransUnion. Because the County is not offering complimentary credit monitoring, a self-initiated security freeze is the highest-leverage protective step. It is free and reversible at each bureau.
- Watch for medical identity theft. Because diagnosis information was potentially involved, review every Explanation of Benefits from your health plan. Request a copy of your claims history from your insurer if you see services you do not recognize.
- Be alert to targeted phishing. A combination of name, address, and a known medical condition can support highly convincing impersonation of the Department of Health, your provider, or your insurer. Verify any unsolicited outreach through a number you look up independently rather than one provided in an email or call.
- Call the County helpline at 877-274-8983 or visit the County’s cyber-incident page if you have questions about whether your records may have been involved.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the May 15, 2025 filing (placeholder 500-individual count).
- Anne Arundel County — Notice of Data Privacy Event — the County’s primary substitute notice (intrusion window, data elements, contact line).
- Anne Arundel County — Cyber Incident page — running list of County Executive updates from March 2025 through October 2025.
- HIPAA Journal — Anne Arundel County Department of Health Confirms February Ransomware Attack — independent trade-press confirmation of ransomware classification and the placeholder-500 OCR filing.
- CBS Baltimore — Health data potentially compromised after ransomware attack in Anne Arundel County — local broadcast confirmation of dates, services impact, and that the County had not confirmed an individual count.
- Annapolis Patch — Cyber Attack Breaches Patient Records In Anne Arundel County — local press coverage of the Department of Health breach disclosure.
- The Baltimore Banner — Anne Arundel ransomware attack compromised confidential health data, county says — regional press confirmation of intrusion window and exposed data categories.
- Srourian Law Firm — Data Breach at Anne Arundel County Department of Health — plaintiff-side investigation page; no complaint filed as of this writing.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Anne Arundel County — Notice of Data Privacy Event (May 15, 2025)
- Anne Arundel County — Cyber Incident landing page
- HIPAA Journal — Anne Arundel County Department of Health Confirms February Ransomware Attack
- CBS Baltimore — Health data potentially compromised after ransomware attack in Anne Arundel County
- Annapolis Patch — Cyber Attack Breaches Patient Records In Anne Arundel County
- The Baltimore Banner — Anne Arundel ransomware attack compromised confidential health data, county says
- Srourian Law Firm — Data Breach at Anne Arundel County Department of Health (class-action investigation)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.