Active breach tracker Frederick, Maryland Disclosed March 28, 2025

Frederick Health Data Breach 2025: 934,326 Patients Exposed in January Ransomware Attack at Maryland Community Hospital. What To Do

Frederick Health, a community hospital and health system in Frederick, Maryland, was hit by a January 27, 2025 ransomware attack that forced systems offline, triggered ambulance diversion, and exfiltrated a file-share server containing names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, health insurance details, and clinical information for 934,326 individuals. At least five class-action suits were filed by March.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 25, 2025

Unauthorized actor first accessed Frederick Health's network (per forensic investigation)

Jan 27, 2025

Ransomware detonated; systems taken offline; hospital placed on red/yellow alert and diverted ambulances; Frederick Health issued public statement

Mar 4, 2025

First class-action complaint filed in the U.S. District Court for the District of Maryland on behalf of patients Ernest Farkas and Joseph Kingsman

Mar 28, 2025

HHS OCR breach report filed and substitute notice issued; individual notification letters mailed

Mar 28, 2025

Additional class-action complaints filed (Shoemaker, Chaillet, Kibler, McCreary) bringing the total to at least five

Mar 28, 2025

Disclosed publicly

Apr 25, 2025

Fitch Ratings removes Frederick Health from Ratings Watch Negative; IDR and revenue bonds affirmed at 'BBB' as operational recovery progresses

Apr 10, 2026

Fitch re-affirms 'BBB' Stable Outlook; notes increased cybersecurity investment post-incident; flags pending litigation as ongoing rating pressure factor

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical record number Clinical information related to patient care

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Thomas Pacheco (counsel for Shoemaker, Chaillet, and Kibler) Daniel Tomascik (counsel for McCreary) Shamis & Gentile P.A. (investigating) Sauder Schelkopf LLC (investigating) Federman & Sherwood (investigating) Console & Associates P.C. (investigated)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Frederick Health is a community-owned hospital and integrated health system serving Frederick County, Maryland, with roughly 4,000 employees across the flagship Frederick Health Hospital and more than 25 outpatient, urgent-care, primary-care, and specialty locations. On the morning of January 27, 2025, the system identified an active ransomware event and took its IT environment offline. Forensic investigation later established that an unauthorized actor first accessed the network on January 25, 2025 and copied files from a file-share server before the ransomware was triggered.

On March 28, 2025, Frederick Health filed its breach report with the HHS Office for Civil Rights, issued a substitute notice, and began mailing individual notification letters. The final tally on the OCR portal is 934,326 individuals, making this one of the largest healthcare breaches reported in the first half of 2025. Frederick Health has stated the electronic medical record system itself was not accessed; the stolen files lived on a separate file-share server.

Frederick Health engaged Fortified Health Security as its incident-response partner. In a case study published with Frederick Health’s permission on January 28, 2026, Fortified Health Security’s Director of Threat Defense Services, Jake Bice, described the attack timeline and recovery: the forensic and legal review process that required two months from detection to notification was noted as faster than the industry norm for ransomware events of this complexity.

Timeline

  • January 25, 2025 — Initial unauthorized network access, per the forensic timeline reported in Frederick Health’s substitute notice.
  • January 27, 2025 — Ransomware activates. Frederick Health takes systems offline, posts a public statement, and notifies law enforcement. Frederick Health Hospital goes on red alert (no adult critical-care beds available) and yellow alert (emergency department requesting no new urgent patients); ambulances are diverted to neighboring emergency departments.
  • Late January–early February 2025 — One lab facility temporarily closes; remaining facilities stay open using downtime procedures. The CEO reports “significant progress” in restoring systems by February 6.
  • March 4, 2025 — First class-action complaint filed in the U.S. District Court for the District of Maryland on behalf of patients Ernest Farkas and Joseph Kingsman.
  • March 28, 2025 — OCR breach filing logged; substitute notice published; individual letters mailed.
  • March 28, 2025 (and following days) — Additional class-action complaints filed by Maryland residents James Shoemaker, Jaquelyn Chaillet, Wesley Kibler, and Jennifer McCreary, bringing the public count to at least five suits.

What was exposed

Per Frederick Health’s substitute notice, the data elements that were copied from the file-share server (varying by individual) include:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Medical record number
  • Health insurance information
  • Clinical information related to patient care

The combination of SSN, driver’s license number, and medical-insurance details is the high-risk identity-theft set: enough to support synthetic identity fraud, medical identity theft, and tax-refund fraud.

Operational impact

This was an unusually disruptive incident for a community hospital. According to local reporting in the Frederick News-Post and confirmed by industry trade press:

  • Ambulances diverted to nearby emergency departments because Frederick Health Hospital’s ED was not accepting new patients needing urgent care.
  • Red alert in effect: no adult critical-care beds available.
  • Yellow alert in effect for the emergency department.
  • “Mini disaster” designation invoked, the same posture used for events like gas leaks, fires, or power outages.
  • Frederick County was notified of interference with the hospital’s communications systems.
  • All outpatient facilities remained open but provided care using backup and downtime procedures, with delays to certain services.
  • At least one lab facility was temporarily closed during the early recovery window.
  • Systems were unavailable for approximately three weeks before restoration was completed, per Fitch Ratings’ contemporaneous credit analysis.

The patient-safety dimension distinguishes this breach from a pure data-theft event. The diversion period creates downstream civil-liability exposure tied to delayed care, not just consumer-data harm.

What Frederick Health is offering

Frederick Health has stated that it has offered complimentary credit monitoring and identity-theft protection to notified individuals, and that it has implemented additional cybersecurity safeguards. The specific monitoring vendor, term length, and enrollment deadline are not visible in publicly summarized reporting — read your specific notification letter for the activation code and enrollment window, or call the dedicated response line listed in the letter.

Financial and credit-rating impact

The ransomware attack triggered an immediate credit-rating action. On February 19, 2025, Fitch Ratings downgraded Frederick Health’s Issuer Default Rating and revenue bonds to ‘BBB’ and placed the ratings on Negative Watch, directly citing the attack and the three-week system outage. Fitch noted that downtime procedures slow patient throughput and that the full financial and reputational cost of the event could not be measured at that stage.

On April 25, 2025, Fitch removed the Negative Watch designation and affirmed the ‘BBB’ rating, reflecting progress in operational recovery. Fitch re-affirmed the same rating with a Stable Outlook on April 10, 2026, noting that cybersecurity investments had increased following the incident. However, Fitch explicitly flagged pending litigation from the class-action suits as a factor that could pressure the rating if it materially affects financial metrics.

As of the April 2026 review, Frederick Health reported unrestricted cash and investments of $221 million (approximately 74% of adjusted debt) and 143 days cash on hand — adequate for the ‘BBB’ level but with limited headroom.

Class-action and regulatory posture

At least five class-action complaints have been filed in the U.S. District Court for the District of Maryland. Named plaintiffs include Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary. Attorneys publicly tied to those filings include Thomas Pacheco (for Shoemaker, Chaillet, and Kibler) and Daniel Tomascik (for McCreary). Shamis & Gentile P.A., Sauder Schelkopf LLC, and Federman & Sherwood have all opened public investigations. Console & Associates P.C. also investigated. The ClassAction.org intake investigation has since been marked closed.

The complaints assert negligence for failing to implement reasonable and appropriate cybersecurity measures, breach of fiduciary duty, breach of implied contract, and similar state-law claims. Several also challenge the adequacy and timing of Frederick Health’s breach notice.

Frederick Health filed breach notifications with at least 14 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and others. A filing was also submitted to the U.S. Securities and Exchange Commission.

The HHS OCR investigation remains open. No ransomware operator has claimed the attack on a public leak site, and no stolen Frederick Health data has surfaced on dark-web forums. This pattern suggests either that a ransom was paid privately or that the actor chose not to list the victim publicly. Frederick Health has not confirmed payment.

What to do

  1. Read your specific notification letter carefully to confirm which data elements applied to you and whether your SSN and driver’s license number were in scope.
  2. Enroll in the offered credit monitoring using the activation code in your letter, before the deadline.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account fraud.
  4. File IRS Form 14039 (Identity Theft Affidavit) if your SSN was exposed, to block fraudulent tax-refund filings in your name.
  5. Replace your driver’s license through the Maryland MVA if your license number was in scope. The MVA can issue a new number on request when you cite the breach.
  6. Watch your Explanation of Benefits statements from your health insurer for any care you did not receive — medical identity theft typically surfaces this way.
  7. Stop the ongoing flow of your records. HealthConsent files HIPAA restriction requests so the medical-insurance, prescription, and clinical data exposed in this breach is not continuously re-shared with downstream payers, PBMs, and data brokers.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.