MDLand International Corporation Data Breach 2025: 22,586 Affected · Ransomware on EHR/RCM Vendor · NY Business Associate. What To Do.
MDLand International Corporation, a New York City health information technology company that operates the iClinic EHR/RCM platform, filed a HIPAA breach notification with HHS OCR on August 04, 2025, reporting 22,586 affected individuals after a ransomware attack on its network server detected May 02, 2025. The HHS OCR portal classifies the event as a Hacking/IT Incident; HIPAA Journal and NetSec.news independently confirm the matter as a ransomware attack on the EHR vendor, with one month of patient records lost beyond recovery. Federman & Sherwood has publicly opened a class-action investigation.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 1, 2025
Ransomware attack against MDLand's network server (per HIPAA Journal and NetSec.news reporting)
May 2, 2025
MDLand detects systems are inaccessible; network isolated and third-party forensics engaged
Aug 4, 2025
Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 22,586 affected, business associate present)
Aug 18, 2025
Federman & Sherwood publicly opens class-action investigation
May 1, 2025
Ransomware attack against MDLand's network server (per HIPAA Journal and NetSec.news reporting)
May 2, 2025
MDLand detects systems are inaccessible; network isolated and third-party forensics engaged
Aug 4, 2025
Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 22,586 affected, business associate present)
Aug 18, 2025
Federman & Sherwood publicly opens class-action investigation
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
MDLand International Corporation, a New York City health information technology company that develops the iClinic EHR and revenue-cycle-management platform for medical practices, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on August 04, 2025, reporting 22,586 affected individuals. The federal regulatory record classifies the event as a Hacking/IT Incident at Network Server involving a business associate. Independent reporting by HIPAA Journal and NetSec.news characterizes the matter as a ransomware attack on the EHR vendor, detected on May 02, 2025 when certain MDLand systems became inaccessible.
Because MDLand sits underneath the medical practices that use iClinic, patients who learn of this breach will almost always receive notification from their doctor’s office or clinic rather than from MDLand directly. That practice is the covered entity for HIPAA notification purposes; MDLand is the business associate whose compromise triggered the chain of notifications.
Timeline
- May 01, 2025 — Ransomware deployment. HIPAA Journal and NetSec.news report the attack date as May 01, 2025. The attacker encrypted files on MDLand’s network server.
- May 02, 2025 — Detection. MDLand detected the intrusion within 24 hours when systems became inaccessible, isolated its network, and engaged third-party cybersecurity specialists for forensic investigation.
- August 04, 2025 — HHS OCR filing. MDLand reports the incident to the federal regulator. The portal entry records 22,586 affected, “Hacking/IT Incident,” location of breached PHI “Network Server,” covered entity type Business Associate.
- August 18, 2025 — Class-action investigation opens. Federman & Sherwood publicly opens an investigation into legal claims on behalf of affected individuals.
The roughly three-month gap between detection in early May and the OCR filing on August 04, 2025 falls within the HIPAA Breach Notification Rule’s 60-day-from-discovery window when measured from MDLand’s determination of breach scope rather than the initial detection date. MDLand has stated that no unauthorized access to client networks or systems was identified and no evidence was found that the data in the impacted database was viewed or exfiltrated by the attacker.
What was exposed
Per MDLand’s notification and independent reporting, the affected database contained the following data elements for the 22,586 individuals:
- Patient names
- Dates of birth
- Gender
- Marital status
- Home addresses
- Phone numbers
- Prescription information
Not involved in the impacted database, per MDLand’s statements to HIPAA Journal and NetSec.news: financial account information, Social Security numbers, and health benefits information.
Separately, MDLand has acknowledged that records input into patient charts during the period April 01, 2025 through May 01, 2025 were lost beyond recovery. Lost records include treatment plan information and providers’ notes captured during that one-month window. Affected practices and patients may notice gaps in chart history for that period. The lost data is a recovery failure, not an unauthorized-disclosure event in the strict HIPAA sense, but it is part of the same incident and part of what the individual notification letter describes.
Who notifies you (and why it is your doctor, not MDLand)
MDLand is a business associate to the medical practices that license iClinic. Under HIPAA, the practice (the covered entity) typically issues the patient-facing notification letter, sometimes co-signed with the business associate. If you receive a letter from a primary-care physician, internal medicine office, or specialist that says something like “our electronic health record vendor experienced a cybersecurity incident,” and the letter references MDLand or iClinic, this is the incident it refers to.
Treat the individual notification letter as authoritative for your record. It will list the specific data elements involved for you, the offering of complimentary credit monitoring, the enrollment portal, and the enrollment deadline.
Class-action posture
The matter is in the early plaintiff-firm investigation stage. Federman & Sherwood publicly opened a class-action investigation on August 18, 2025. Console & Associates, P.C. has also publicly examined the matter. As of the last update to this page, no consolidated class-action complaint has been publicly identified through the sources reviewed here. The matter remains OCR-open for federal regulatory purposes.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. The MDLand database did not include Social Security numbers or financial account data, which lowers the immediate identity-theft risk, but a credit freeze remains the single highest-leverage protective step and is free.
- Enroll in the complimentary credit monitoring MDLand has offered (12 months of credit monitoring and identity-theft protection). Enrollment details will be in your individual notification letter.
- Watch for medical identity theft and prescription fraud. Because prescription information was in the impacted database, review pharmacy records and explanation-of-benefits statements for medications you did not receive.
- Ask your doctor’s office about chart gaps for April 2025. If you had a visit, lab result, or prescription change between April 01 and May 01, 2025, ask the practice to confirm those notes are still in your chart or to re-document if necessary.
- Preserve your notification letter. If a class action is filed and certified, the letter is evidence of class membership.
- Bookmark this page. We update it as the individual notification letter, state-AG filings, established trade-press coverage, or court filings become public.
Sources
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach (22,586 affected, Hacking/IT Incident, Network Server, Business Associate, filed August 04, 2025).
- HIPAA Journal — Patient Data Lost in Ransomware Attack on EHR Vendor — confirms ransomware classification, May 02, 2025 detection date, 22,586 affected count, data-element inventory, and lost-records window of April 01 to May 01, 2025.
- NetSec.News — MDLand International Ransomware Attack Affects Patient EHR — independently corroborates the ransomware characterization, detection-within-24-hours timeline, data elements involved, and the 12-month credit-monitoring offering.
- Federman & Sherwood — MDLand International Corporation Data Breach Investigation — plaintiff-firm investigation page; describes the matter as a hacking/IT incident affecting MDLand’s network server at a healthcare business associate.
- MDLand International Corporation — Company Website (iClinic EHR) — entity’s public-facing description of its iClinic EHR/RCM platform for medical practices.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Patient Data Lost in Ransomware Attack on EHR Vendor
- NetSec.News — MDLand International Ransomware Attack Affects Patient EHR
- Federman & Sherwood — MDLand International Corporation Data Breach Investigation
- MDLand International Corporation — Company Website (iClinic EHR)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.