Active breach tracker Columbia, Maryland Disclosed December 5, 2025

Columbia Medical Practice Data Breach 2025 (Qilin Ransomware): 94,131 Affected in Howard County, MD. What To Do.

Columbia Medical Practice, a multi-specialty physician group in Columbia, Maryland, disclosed a November 2025 Qilin ransomware attack that exposed names, Social Security numbers, and protected health information. The breach was filed with HHS OCR on December 5, 2025 for 94,131 affected individuals. Here is what was exposed, what the practice is offering, and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 5, 2025

Unknown cyber actor accesses network; ransomware deployed; files exfiltrated

Nov 5, 2025

Suspicious activity detected; network access discovered the same day

Nov 24, 2025

Qilin ransomware group claims responsibility on dark-web leak site

Dec 5, 2025

Filed with HHS Office for Civil Rights (94,131 affected; Hacking/IT Incident, Network Server)

Jan 22, 2026

Plaintiff firm Strauss Borrelli PLLC announces investigation

Mar 31, 2026

Forensic data review of affected files completed

Apr 24, 2026

Individual notification letters mailed; AG filings submitted to Maine and 12+ other state attorneys general

Apr 28, 2026

Federman & Sherwood announces investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Passport number Other government identifiers

02

Health records

Don't expire and can't be reissued

Treatment or condition information Diagnosis and diagnosis code Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Address Phone number Financial account information Health insurance subscriber / identification number Patient account number Location of health services Dates of service

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (publicly investigating) Federman & Sherwood (publicly investigating) Shamis & Gentile P.A. (publicly investigating) Dapeer Law P.A. (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Columbia Medical Practice is a multi-specialty physician group in Columbia, Maryland (Howard County), founded in 2004, providing adult medicine, pediatrics, rheumatology, and dietitian services from a single campus. The practice operates under a Patient-Centered Medical Home (PCMH) model and serves patients from newborns through mature adults. On November 5, 2025, an unknown threat actor accessed a portion of the practice’s network, deployed ransomware to encrypt files, and exfiltrated patient data before encryption ran. The practice filed with the HHS Office for Civil Rights on December 5, 2025, reporting 94,131 affected individuals in a Hacking/IT Incident at a Network Server. The Qilin ransomware-as-a-service group claimed responsibility on its dark-web leak site on November 24, 2025.

The HIPAA Journal reported the incident, noting that the electronic medical record system itself was not accessed; exposure was limited to files on the affected network segment. BlackFog’s January 2026 ransomware state report listed the attack as one of 27 healthcare incidents that month, during which Qilin led all claimed groups with eight incidents.

Timeline

  • November 5, 2025. An unauthorized actor accesses a portion of Columbia Medical Practice’s network, installs ransomware to encrypt files, and copies certain files off the network. The same day, the practice detects the activity and begins incident response. The electronic medical record system itself was not accessed; exposure was limited to files on the affected portion of the network.
  • November 24, 2025. The Qilin ransomware-as-a-service group claims responsibility on its dark-web leak site, posting Columbia Medical Practice as a victim.
  • December 5, 2025. Columbia Medical Practice files with HHS OCR: 94,131 affected, Hacking/IT Incident, Network Server.
  • January 22, 2026. Plaintiff firm Strauss Borrelli PLLC publicly announces an investigation into potential class claims.
  • On or about March 31, 2026. The forensic review of affected files concludes, identifying which individuals and data elements were involved.
  • April 24, 2026. Individual notification letters are mailed; notices are simultaneously filed with attorneys general in Maine (six Maine residents affected) and a broad set of additional states whose residents received letters, including Massachusetts, California, New Hampshire, Vermont, Texas, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, and Washington (per multi-state AG tracker data).
  • April 28, 2026. Federman & Sherwood announces its own class-action investigation.

What was exposed

The compromised files contain a broad mix of identity, financial, and clinical data. Per the practice’s notice and follow-on regulatory filings, exposed elements include:

  • Full name, address, phone number, date of birth
  • Social Security number
  • Driver’s license number, passport number, other government identifiers
  • Financial account information (account numbers, without security codes)
  • Health insurance subscriber and identification number
  • Patient account number
  • Location of health services and dates of service
  • Treatment or condition information, diagnosis, and diagnosis code
  • Prescription information

Not every affected individual had every element exposed. The notification letter sent to each person lists the specific data elements involved for that person.

What the entity is offering

  • Twelve months of complimentary credit monitoring and identity restoration services through TransUnion for affected individuals.
  • A dedicated toll-free response line: 1-833-974-3375, Monday through Friday, 8 a.m. to 8 p.m. Eastern.
  • Guidance on placing fraud alerts and credit freezes, included with the notification letter.

Class-action posture

At least four plaintiff firms have publicly announced investigations and are soliciting affected individuals:

  • Strauss Borrelli PLLC (announced January 22, 2026)
  • Federman & Sherwood (announced April 28, 2026)
  • Shamis & Gentile P.A. (investigating)
  • Dapeer Law P.A. (investigating)

No consolidated class complaint has been confirmed in federal court (D. Md.) as of this writing. Public filings, if and when docketed, will be added here.

What to do

  1. Place free credit freezes at Equifax, Experian, and TransUnion. With SSN, driver’s license, and passport numbers exposed together, freezing is the highest-leverage step.
  2. Enroll in the TransUnion monitoring offered in your notification letter. It is free and the enrollment code is in the letter.
  3. File IRS Form 14039 (Identity Theft Affidavit) to obtain an IP PIN and block fraudulent tax filings using your SSN.
  4. Replace exposed driver’s license or passport numbers through the Maryland MVA and the U.S. Department of State if the letter confirms either was involved.
  5. Watch for highly targeted phishing. Diagnosis and prescription data lets scammers craft uniquely convincing outreach. Be wary of unsolicited calls or emails that reference your specific conditions or medications.
  6. Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests so the diagnosis and prescription data exposed in this breach is not continuously re-shared by downstream entities.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.