Columbia Medical Practice Data Breach 2025 (Qilin Ransomware): 94,131 Affected in Howard County, MD. What To Do.
Columbia Medical Practice, a multi-specialty physician group in Columbia, Maryland, disclosed a November 2025 Qilin ransomware attack that exposed names, Social Security numbers, and protected health information. The breach was filed with HHS OCR on December 5, 2025 for 94,131 affected individuals. Here is what was exposed, what the practice is offering, and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 5, 2025
Unknown cyber actor accesses network; ransomware deployed; files exfiltrated
Nov 5, 2025
Suspicious activity detected; network access discovered the same day
Nov 24, 2025
Qilin ransomware group claims responsibility on dark-web leak site
Dec 5, 2025
Filed with HHS Office for Civil Rights (94,131 affected; Hacking/IT Incident, Network Server)
Jan 22, 2026
Plaintiff firm Strauss Borrelli PLLC announces investigation
Mar 31, 2026
Forensic data review of affected files completed
Apr 24, 2026
Individual notification letters mailed; AG filings submitted to Maine and 12+ other state attorneys general
Apr 28, 2026
Federman & Sherwood announces investigation
Nov 5, 2025
Unknown cyber actor accesses network; ransomware deployed; files exfiltrated
Nov 5, 2025
Suspicious activity detected; network access discovered the same day
Nov 24, 2025
Qilin ransomware group claims responsibility on dark-web leak site
Dec 5, 2025
Filed with HHS Office for Civil Rights (94,131 affected; Hacking/IT Incident, Network Server)
Jan 22, 2026
Plaintiff firm Strauss Borrelli PLLC announces investigation
Mar 31, 2026
Forensic data review of affected files completed
Apr 24, 2026
Individual notification letters mailed; AG filings submitted to Maine and 12+ other state attorneys general
Apr 28, 2026
Federman & Sherwood announces investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Columbia Medical Practice is a multi-specialty physician group in Columbia, Maryland (Howard County), founded in 2004, providing adult medicine, pediatrics, rheumatology, and dietitian services from a single campus. The practice operates under a Patient-Centered Medical Home (PCMH) model and serves patients from newborns through mature adults. On November 5, 2025, an unknown threat actor accessed a portion of the practice’s network, deployed ransomware to encrypt files, and exfiltrated patient data before encryption ran. The practice filed with the HHS Office for Civil Rights on December 5, 2025, reporting 94,131 affected individuals in a Hacking/IT Incident at a Network Server. The Qilin ransomware-as-a-service group claimed responsibility on its dark-web leak site on November 24, 2025.
The HIPAA Journal reported the incident, noting that the electronic medical record system itself was not accessed; exposure was limited to files on the affected network segment. BlackFog’s January 2026 ransomware state report listed the attack as one of 27 healthcare incidents that month, during which Qilin led all claimed groups with eight incidents.
Timeline
- November 5, 2025. An unauthorized actor accesses a portion of Columbia Medical Practice’s network, installs ransomware to encrypt files, and copies certain files off the network. The same day, the practice detects the activity and begins incident response. The electronic medical record system itself was not accessed; exposure was limited to files on the affected portion of the network.
- November 24, 2025. The Qilin ransomware-as-a-service group claims responsibility on its dark-web leak site, posting Columbia Medical Practice as a victim.
- December 5, 2025. Columbia Medical Practice files with HHS OCR: 94,131 affected, Hacking/IT Incident, Network Server.
- January 22, 2026. Plaintiff firm Strauss Borrelli PLLC publicly announces an investigation into potential class claims.
- On or about March 31, 2026. The forensic review of affected files concludes, identifying which individuals and data elements were involved.
- April 24, 2026. Individual notification letters are mailed; notices are simultaneously filed with attorneys general in Maine (six Maine residents affected) and a broad set of additional states whose residents received letters, including Massachusetts, California, New Hampshire, Vermont, Texas, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, and Washington (per multi-state AG tracker data).
- April 28, 2026. Federman & Sherwood announces its own class-action investigation.
What was exposed
The compromised files contain a broad mix of identity, financial, and clinical data. Per the practice’s notice and follow-on regulatory filings, exposed elements include:
- Full name, address, phone number, date of birth
- Social Security number
- Driver’s license number, passport number, other government identifiers
- Financial account information (account numbers, without security codes)
- Health insurance subscriber and identification number
- Patient account number
- Location of health services and dates of service
- Treatment or condition information, diagnosis, and diagnosis code
- Prescription information
Not every affected individual had every element exposed. The notification letter sent to each person lists the specific data elements involved for that person.
What the entity is offering
- Twelve months of complimentary credit monitoring and identity restoration services through TransUnion for affected individuals.
- A dedicated toll-free response line: 1-833-974-3375, Monday through Friday, 8 a.m. to 8 p.m. Eastern.
- Guidance on placing fraud alerts and credit freezes, included with the notification letter.
Class-action posture
At least four plaintiff firms have publicly announced investigations and are soliciting affected individuals:
- Strauss Borrelli PLLC (announced January 22, 2026)
- Federman & Sherwood (announced April 28, 2026)
- Shamis & Gentile P.A. (investigating)
- Dapeer Law P.A. (investigating)
No consolidated class complaint has been confirmed in federal court (D. Md.) as of this writing. Public filings, if and when docketed, will be added here.
What to do
- Place free credit freezes at Equifax, Experian, and TransUnion. With SSN, driver’s license, and passport numbers exposed together, freezing is the highest-leverage step.
- Enroll in the TransUnion monitoring offered in your notification letter. It is free and the enrollment code is in the letter.
- File IRS Form 14039 (Identity Theft Affidavit) to obtain an IP PIN and block fraudulent tax filings using your SSN.
- Replace exposed driver’s license or passport numbers through the Maryland MVA and the U.S. Department of State if the letter confirms either was involved.
- Watch for highly targeted phishing. Diagnosis and prescription data lets scammers craft uniquely convincing outreach. Be wary of unsolicited calls or emails that reference your specific conditions or medications.
- Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests so the diagnosis and prescription data exposed in this breach is not continuously re-shared by downstream entities.
Sources
- HHS Office for Civil Rights Breach Portal. Federal regulatory record (filed December 5, 2025; 94,131 affected; Hacking/IT Incident; Network Server).
- Columbia Medical Practice (cmpractice.com). Entity website hosting the notice of cybersecurity event and toll-free response line.
- Strauss Borrelli PLLC investigation page.
- Federman & Sherwood investigation page.
- teiss news coverage.
- HookPhish: Qilin victim profile for Columbia Medical Practice.
- HIPAA Journal: Columbia Medical Practice and Jupiter Medical Center Announce Data Breaches.
- BlackFog: The State of Ransomware January 2026. Monthly report confirming Qilin attribution.
- DeXpose: Qilin Targets Columbia Medical Practice in Ransomware Attack. Threat-intel analysis of Qilin leak-site posting.
- Dapeer Law P.A.: Columbia Medical Practice Data Breach Lawsuit Investigation.
- ClaimDepot: Columbia Medical Practice multi-state AG filing tracker.
- Maine Attorney General Data Breach Notices.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Columbia Medical Practice Notice of Cybersecurity Event
- Strauss Borrelli PLLC: Columbia Medical Practice Data Breach Investigation
- Federman & Sherwood: Columbia Medical Practice Data Breach Investigation
- teiss: Columbia Medical Practice Confirms November Ransomware Attack
- HookPhish: Ransomware Group Qilin Hits Columbia Medical Practice
- HIPAA Journal: Columbia Medical Practice and Jupiter Medical Center Announce Data Breaches
- BlackFog: The State of Ransomware January 2026 (includes Columbia Medical Practice)
- DeXpose: Qilin Targets Columbia Medical Practice in Ransomware Attack
- Dapeer Law P.A.: Columbia Medical Practice Data Breach Lawsuit Investigation
- ClaimDepot: Columbia Medical Practice Data Breach (multi-state AG filing tracker)
- Maine Attorney General Data Breach Notices
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.