Frederick Health Data Breach 2025: 934,326 Patients Exposed in January Ransomware Attack at Maryland Community Hospital. What To Do
Frederick Health, a community hospital and health system in Frederick, Maryland, was hit by a January 27, 2025 ransomware attack that forced systems offline, triggered ambulance diversion, and exfiltrated a file-share server containing names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, health insurance details, and clinical information for 934,326 individuals. At least five class-action suits were filed by March.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 25, 2025
Unauthorized actor first accessed Frederick Health's network (per forensic investigation)
Jan 27, 2025
Ransomware detonated; systems taken offline; hospital placed on red/yellow alert and diverted ambulances; Frederick Health issued public statement
Mar 4, 2025
First class-action complaint filed in the U.S. District Court for the District of Maryland on behalf of patients Ernest Farkas and Joseph Kingsman
Mar 28, 2025
HHS OCR breach report filed and substitute notice issued; individual notification letters mailed
Mar 28, 2025
Additional class-action complaints filed (Shoemaker, Chaillet, Kibler, McCreary) bringing the total to at least five
Mar 28, 2025
Disclosed publicly
Apr 25, 2025
Fitch Ratings removes Frederick Health from Ratings Watch Negative; IDR and revenue bonds affirmed at 'BBB' as operational recovery progresses
Apr 10, 2026
Fitch re-affirms 'BBB' Stable Outlook; notes increased cybersecurity investment post-incident; flags pending litigation as ongoing rating pressure factor
Jan 25, 2025
Unauthorized actor first accessed Frederick Health's network (per forensic investigation)
Jan 27, 2025
Ransomware detonated; systems taken offline; hospital placed on red/yellow alert and diverted ambulances; Frederick Health issued public statement
Mar 4, 2025
First class-action complaint filed in the U.S. District Court for the District of Maryland on behalf of patients Ernest Farkas and Joseph Kingsman
Mar 28, 2025
HHS OCR breach report filed and substitute notice issued; individual notification letters mailed
Mar 28, 2025
Additional class-action complaints filed (Shoemaker, Chaillet, Kibler, McCreary) bringing the total to at least five
Mar 28, 2025
Disclosed publicly
Apr 25, 2025
Fitch Ratings removes Frederick Health from Ratings Watch Negative; IDR and revenue bonds affirmed at 'BBB' as operational recovery progresses
Apr 10, 2026
Fitch re-affirms 'BBB' Stable Outlook; notes increased cybersecurity investment post-incident; flags pending litigation as ongoing rating pressure factor
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Frederick Health is a community-owned hospital and integrated health system serving Frederick County, Maryland, with roughly 4,000 employees across the flagship Frederick Health Hospital and more than 25 outpatient, urgent-care, primary-care, and specialty locations. On the morning of January 27, 2025, the system identified an active ransomware event and took its IT environment offline. Forensic investigation later established that an unauthorized actor first accessed the network on January 25, 2025 and copied files from a file-share server before the ransomware was triggered.
On March 28, 2025, Frederick Health filed its breach report with the HHS Office for Civil Rights, issued a substitute notice, and began mailing individual notification letters. The final tally on the OCR portal is 934,326 individuals, making this one of the largest healthcare breaches reported in the first half of 2025. Frederick Health has stated the electronic medical record system itself was not accessed; the stolen files lived on a separate file-share server.
Frederick Health engaged Fortified Health Security as its incident-response partner. In a case study published with Frederick Health’s permission on January 28, 2026, Fortified Health Security’s Director of Threat Defense Services, Jake Bice, described the attack timeline and recovery: the forensic and legal review process that required two months from detection to notification was noted as faster than the industry norm for ransomware events of this complexity.
Timeline
- January 25, 2025 — Initial unauthorized network access, per the forensic timeline reported in Frederick Health’s substitute notice.
- January 27, 2025 — Ransomware activates. Frederick Health takes systems offline, posts a public statement, and notifies law enforcement. Frederick Health Hospital goes on red alert (no adult critical-care beds available) and yellow alert (emergency department requesting no new urgent patients); ambulances are diverted to neighboring emergency departments.
- Late January–early February 2025 — One lab facility temporarily closes; remaining facilities stay open using downtime procedures. The CEO reports “significant progress” in restoring systems by February 6.
- March 4, 2025 — First class-action complaint filed in the U.S. District Court for the District of Maryland on behalf of patients Ernest Farkas and Joseph Kingsman.
- March 28, 2025 — OCR breach filing logged; substitute notice published; individual letters mailed.
- March 28, 2025 (and following days) — Additional class-action complaints filed by Maryland residents James Shoemaker, Jaquelyn Chaillet, Wesley Kibler, and Jennifer McCreary, bringing the public count to at least five suits.
What was exposed
Per Frederick Health’s substitute notice, the data elements that were copied from the file-share server (varying by individual) include:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license number
- Medical record number
- Health insurance information
- Clinical information related to patient care
The combination of SSN, driver’s license number, and medical-insurance details is the high-risk identity-theft set: enough to support synthetic identity fraud, medical identity theft, and tax-refund fraud.
Operational impact
This was an unusually disruptive incident for a community hospital. According to local reporting in the Frederick News-Post and confirmed by industry trade press:
- Ambulances diverted to nearby emergency departments because Frederick Health Hospital’s ED was not accepting new patients needing urgent care.
- Red alert in effect: no adult critical-care beds available.
- Yellow alert in effect for the emergency department.
- “Mini disaster” designation invoked, the same posture used for events like gas leaks, fires, or power outages.
- Frederick County was notified of interference with the hospital’s communications systems.
- All outpatient facilities remained open but provided care using backup and downtime procedures, with delays to certain services.
- At least one lab facility was temporarily closed during the early recovery window.
- Systems were unavailable for approximately three weeks before restoration was completed, per Fitch Ratings’ contemporaneous credit analysis.
The patient-safety dimension distinguishes this breach from a pure data-theft event. The diversion period creates downstream civil-liability exposure tied to delayed care, not just consumer-data harm.
What Frederick Health is offering
Frederick Health has stated that it has offered complimentary credit monitoring and identity-theft protection to notified individuals, and that it has implemented additional cybersecurity safeguards. The specific monitoring vendor, term length, and enrollment deadline are not visible in publicly summarized reporting — read your specific notification letter for the activation code and enrollment window, or call the dedicated response line listed in the letter.
Financial and credit-rating impact
The ransomware attack triggered an immediate credit-rating action. On February 19, 2025, Fitch Ratings downgraded Frederick Health’s Issuer Default Rating and revenue bonds to ‘BBB’ and placed the ratings on Negative Watch, directly citing the attack and the three-week system outage. Fitch noted that downtime procedures slow patient throughput and that the full financial and reputational cost of the event could not be measured at that stage.
On April 25, 2025, Fitch removed the Negative Watch designation and affirmed the ‘BBB’ rating, reflecting progress in operational recovery. Fitch re-affirmed the same rating with a Stable Outlook on April 10, 2026, noting that cybersecurity investments had increased following the incident. However, Fitch explicitly flagged pending litigation from the class-action suits as a factor that could pressure the rating if it materially affects financial metrics.
As of the April 2026 review, Frederick Health reported unrestricted cash and investments of $221 million (approximately 74% of adjusted debt) and 143 days cash on hand — adequate for the ‘BBB’ level but with limited headroom.
Class-action and regulatory posture
At least five class-action complaints have been filed in the U.S. District Court for the District of Maryland. Named plaintiffs include Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary. Attorneys publicly tied to those filings include Thomas Pacheco (for Shoemaker, Chaillet, and Kibler) and Daniel Tomascik (for McCreary). Shamis & Gentile P.A., Sauder Schelkopf LLC, and Federman & Sherwood have all opened public investigations. Console & Associates P.C. also investigated. The ClassAction.org intake investigation has since been marked closed.
The complaints assert negligence for failing to implement reasonable and appropriate cybersecurity measures, breach of fiduciary duty, breach of implied contract, and similar state-law claims. Several also challenge the adequacy and timing of Frederick Health’s breach notice.
Frederick Health filed breach notifications with at least 14 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and others. A filing was also submitted to the U.S. Securities and Exchange Commission.
The HHS OCR investigation remains open. No ransomware operator has claimed the attack on a public leak site, and no stolen Frederick Health data has surfaced on dark-web forums. This pattern suggests either that a ransom was paid privately or that the actor chose not to list the victim publicly. Frederick Health has not confirmed payment.
What to do
- Read your specific notification letter carefully to confirm which data elements applied to you and whether your SSN and driver’s license number were in scope.
- Enroll in the offered credit monitoring using the activation code in your letter, before the deadline.
- Place free credit freezes at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account fraud.
- File IRS Form 14039 (Identity Theft Affidavit) if your SSN was exposed, to block fraudulent tax-refund filings in your name.
- Replace your driver’s license through the Maryland MVA if your license number was in scope. The MVA can issue a new number on request when you cite the breach.
- Watch your Explanation of Benefits statements from your health insurer for any care you did not receive — medical identity theft typically surfaces this way.
- Stop the ongoing flow of your records. HealthConsent files HIPAA restriction requests so the medical-insurance, prescription, and clinical data exposed in this breach is not continuously re-shared with downstream payers, PBMs, and data brokers.
Sources
- HIPAA Journal: Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients — substitute-notice details, data elements, lawsuit count, named plaintiffs.
- HIPAA Journal: Frederick Health Recovering from Ransomware Attack — initial reporting, operational status as of February 6.
- BleepingComputer: Frederick Health data breach impacts nearly 1 million patients — file-share server exfiltration confirmation, no-leak-site context.
- Frederick News-Post: Frederick Health takes systems offline due to ransomware attack — local reporting on red/yellow alert, ambulance diversion, county notification.
- Becker’s Hospital Review: Maryland hospital faces 4 lawsuits over ransomware breach — legal-track coverage.
- Sauder Schelkopf: Frederick Health Data Breach Class Action Investigation — plaintiff-firm intake page.
- Frederick Health Official Statement (Facebook, January 27, 2025) — entity’s first-party statement.
- Fitch Ratings: Downgrades Frederick Health to ‘BBB’; Ratings on Negative Watch (February 19, 2025) — credit-rating action; three-week outage confirmed; financial-impact assessment.
- Fitch Ratings: Removes Frederick Health from Negative Watch; IDR Affirmed at ‘BBB’ (April 25, 2025) — rating restored to stable; operational recovery confirmed.
- Fitch Ratings: Affirms Frederick Health at ‘BBB’; Outlook Stable (April 10, 2026) — long-term financial profile; litigation flagged as pressure factor; cybersecurity investment confirmed.
- Health IT Answers / Fortified Health Security: Behind-the-Scenes Look at the Frederick Health Ransomware Attack (January 28, 2026) — Frederick Health-authorized case study naming Fortified Health Security as incident-response partner; recovery-stage breakdown.
- Paubox: Frederick Health ransomware attack affects nearly 1 million (May 6, 2025) — independent trade-press confirmation; no dark-web surfacing of data.
- HHS Office for Civil Rights Breach Portal — federal regulatory record.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients
- HIPAA Journal: Frederick Health Recovering from Ransomware Attack (initial reporting)
- BleepingComputer: Frederick Health data breach impacts nearly 1 million patients
- Frederick News-Post: Frederick Health takes systems offline due to ransomware attack
- Becker's Hospital Review: Maryland hospital faces 4 lawsuits over ransomware breach
- Sauder Schelkopf: Frederick Health Data Breach Class Action Investigation
- Frederick Health Official Statement (Facebook, January 27, 2025)
- Fitch Ratings: Downgrades Frederick Health, MD IDR and Revenue Bonds to 'BBB'; Ratings on Negative Watch (February 19, 2025)
- Fitch Ratings: Removes Frederick Health, MD from Negative Watch; IDR and Revenue Bonds Affirmed at 'BBB' (April 25, 2025)
- Fitch Ratings: Affirms Frederick Health, MD at 'BBB'; Outlook Stable (April 10, 2026)
- Health IT Answers / Fortified Health Security: Behind-the-Scenes Look at the Frederick Health Ransomware Attack (January 28, 2026)
- Paubox: Frederick Health ransomware attack affects nearly 1 million (May 6, 2025)
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.