MedStar Health Data Breach 2025 (Rhysida Ransomware): 64,332 DC/Baltimore Patients Exposed. Data Published on Dark Web. What To Do
MedStar Health reported a September 2025 Rhysida ransomware attack to HHS OCR on December 3, 2025, affecting 64,332 patients. Rhysida published 3.7 TB of stolen data after MedStar did not pay. A federal class action is active. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 12, 2025
Unauthorized third party gains access to MedStar internal systems containing patient data
Sep 16, 2025
Window of unauthorized access ends; Rhysida exfiltrates approximately 3.7 TB of files
Oct 4, 2025
MedStar Health discovers the intrusion after Rhysida posts the stolen data on its dark-web leak site with a 7-day countdown and a 25-bitcoin ransom demand; MedStar engages forensic experts and notifies the FBI
Oct 4, 2025
Rhysida lists MedStar data for sale on dark-web auction site; third-party monitors capture the posting the same day
Nov 12, 2025
Forensic review confirms compromised files contained patient PHI including SSNs and clinical detail
Dec 3, 2025
MedStar Health, Inc. files HIPAA breach notification with HHS OCR (64,332 individuals, Hacking/IT Incident, Network Server) and begins mailing individual notification letters; Rhysida publishes the stolen files after MedStar does not pay the ransom
Dec 15, 2025
Consolidated federal class action filed in the U.S. District Court for the District of Maryland (case no. 1:25-cv-03325-BAH) alleging negligent failure to safeguard patient data
Sep 12, 2025
Unauthorized third party gains access to MedStar internal systems containing patient data
Sep 16, 2025
Window of unauthorized access ends; Rhysida exfiltrates approximately 3.7 TB of files
Oct 4, 2025
MedStar Health discovers the intrusion after Rhysida posts the stolen data on its dark-web leak site with a 7-day countdown and a 25-bitcoin ransom demand; MedStar engages forensic experts and notifies the FBI
Oct 4, 2025
Rhysida lists MedStar data for sale on dark-web auction site; third-party monitors capture the posting the same day
Nov 12, 2025
Forensic review confirms compromised files contained patient PHI including SSNs and clinical detail
Dec 3, 2025
MedStar Health, Inc. files HIPAA breach notification with HHS OCR (64,332 individuals, Hacking/IT Incident, Network Server) and begins mailing individual notification letters; Rhysida publishes the stolen files after MedStar does not pay the ransom
Dec 15, 2025
Consolidated federal class action filed in the U.S. District Court for the District of Maryland (case no. 1:25-cv-03325-BAH) alleging negligent failure to safeguard patient data
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
MedStar Health, Inc. is the largest nonprofit health system serving the Washington, D.C. and Baltimore region. It operates 10 hospitals and more than 300 ambulatory care and urgent care sites across Maryland, Virginia, and the District of Columbia, serving millions of patients across the two-metro area.
Between September 12 and September 16, 2025, the ransomware group Rhysida gained unauthorized access to MedStar’s internal network servers and exfiltrated approximately 3.7 terabytes of patient data, which Rhysida described as containing over 7 million pieces of patient information. MedStar discovered the intrusion on October 4, 2025 after Rhysida posted the stolen files on its dark-web leak site using MedStar’s own logo, set a seven-day countdown timer, and demanded 25 bitcoin as ransom. The FBI was notified, and MedStar engaged third-party forensic experts immediately.
MedStar did not pay the ransom. Rhysida published the stolen files publicly. By November 12, 2025, forensic review confirmed that the accessed files contained patient PHI, including names, dates of birth, and Social Security numbers, along with clinical detail. MedStar filed the breach with HHS OCR on December 3, 2025, reporting 64,332 individuals affected as the corporate-entity count. The HHS OCR figure represents a subset of those notified; Rhysida’s own leak-site posting and subsequent third-party analysis suggest the underlying exfiltration is larger. MedStar began mailing individual notification letters on December 3, 2025, the 60th day after discovery and the final day permitted under HIPAA’s 60-day notification clock.
This is the third distinct cyber event in MedStar’s recent history and should not be confused with either (a) the March 2016 ransomware attack, which forced a system-wide paper-records shutdown but resulted in no disclosed PHI exfiltration, or (b) the 2023 email-account compromise affecting approximately 184,000 individuals that was resolved through the Riddick v. MedStar Health, Inc. class action settlement (case no. 1:24-cv-01335-BAH) for $1.35 million. A separate March 2025 Oracle Health (Cerner) vendor incident affecting MedStar St. Mary’s patients is also a distinct event. This page covers only the September 2025 Rhysida ransomware filing.
MedStar filed breach notices with the attorneys general of at least 14 states: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and Maryland. The breach was also reported to the U.S. Securities and Exchange Commission.
What was stolen
Per MedStar’s public notice text, quoted in the class action complaint (case 1:25-cv-03325-BAH), the confirmed and “potentially” exposed categories are:
Confirmed by MedStar’s own notice:
- Names and dates of birth
- Social Security numbers
- Driver’s license numbers (for a subset of affected patients)
Potentially included, per MedStar’s notice:
- Diagnoses, medications, and test results
- Medical images
- Health insurance and treatment information
Independent trackers and the class action complaint additionally reference home addresses, phone numbers, and email addresses as part of the exfiltrated dataset, consistent with what a registration-level patient record at a major health system would contain. MedStar’s notice uses “potentially” for the clinical categories; individual notification letters identify the specific elements exposed for each recipient. Read your letter for the elements that apply to your record.
Not every data element applies to every notified person.
What MedStar is offering
MedStar is offering 12 months of complimentary identity monitoring to patients whose Social Security numbers or driver’s license numbers may have been involved. Enrollment instructions and an activation code are included in individual notification letters. The identity-monitoring provider is not named in MedStar’s public-facing notice at the time of this writing.
A dedicated toll-free call center is available Monday through Friday, 9 a.m. to 9 p.m. Eastern, at 855-403-1763.
Class actions
A consolidated federal class action was filed on December 15, 2025 in the U.S. District Court for the District of Maryland, case number 1:25-cv-03325-BAH, before Judge Benson Everett Legg. The complaint alleges negligence, violation of the Maryland Personal Information Protection Act, and violation of the Maryland Consumer Protection Act. Named plaintiffs include individuals who received breach notification letters and experienced documented downstream harm: at least one plaintiff’s Social Security number appeared on Rhysida’s dark-web posting, and another plaintiff had an unauthorized credit account opened in her name with $300 in fraudulent charges following the breach.
The complaint references Rhysida’s use of MedStar’s own logo in its dark-web listing, the 7-day countdown clock, the 25-bitcoin ransom demand, and the subsequent publication of the data after MedStar declined to pay. Relief sought includes compensatory damages, injunctive relief requiring MedStar to strengthen its security controls, and attorney fees.
This action is separate from the Riddick v. MedStar Health, Inc. litigation (case no. 1:24-cv-01335-BAH) that settled the 2023 email-compromise breach for $1.35 million. That matter is closed for class-member purposes; the settlement administrator at medstarsettlement.com handles remaining claims.
What to do
-
Enroll in the offered identity monitoring. The letter includes an activation code for 12 months of complimentary identity monitoring. Enroll before the deadline stated in your letter, even if your clinical detail was not among the confirmed categories. SSNs from this breach are confirmed on Rhysida’s dark-web posting.
-
Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion each accept freeze requests at no cost. A freeze blocks new-account fraud even when someone holds your SSN and date of birth. With SSNs confirmed as part of this breach, a freeze is the highest-leverage protective step you can take.
-
File IRS Form 14039 (Identity Theft Affidavit). Because Social Security numbers are confirmed as exposed, file Form 14039 with the IRS to flag your account for fraudulent return activity before next tax season. The IRS also issues an Identity Protection PIN after you file the form.
-
Watch for medical identity theft. Review every explanation-of-benefits statement from your insurer and every Medicare Summary Notice for care you did not receive. Medical identity thieves use stolen health insurance information to bill for procedures; the financial consequences can affect your benefits ceiling and your credit file.
-
Treat unexpected contacts referencing your MedStar care with skepticism. With name, date of birth, diagnosis detail, and home address potentially in circulation, threat actors can craft convincing phishing and extortion lures. MedStar will not ask for your Social Security number or payment by phone. Do not click links in unsolicited emails referencing this breach.
-
Preserve your notification letter and envelope. Plaintiff counsel in the District of Maryland action (case 1:25-cv-03325-BAH) will request them when you sign up for potential class participation.
-
Call MedStar’s incident line at 855-403-1763 if you have not received a letter but believe you may be affected, or if you have questions about the specific data elements involved in your record.
-
Stop the ongoing flow of your healthcare data. HealthConsent files HIPAA restriction requests so the clinical data — diagnoses, medications, test results, and medical images — exposed in this breach is not continuously re-shared with insurers, data brokers, and downstream health information networks across the D.C. and Baltimore metro area.
Continue reading
- Your HIPAA rights — how to restrict how your health information is shared going forward
- All tracked breaches — browse every HHS OCR filing we cover
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- MedStar Health — Official Data Incident Notice
- HIPAA Journal — Notifications Issued About MedStar Health Data Breach
- BankInfoSecurity — MedStar Health Notifying Patients of Data Theft Breach
- Paubox — MedStar Health Faces Federal Class Action After Ransomware Data Breach
- Maryland Attorney General — Security Breach Notices
- BreachSpot — MedStar Health Informs Patients of Data Breach Incident
- Amended Consolidated Class Action Complaint — MedStar Health 2025 Data Security Litigation (1:25-cv-03325-BAH)
- ClaimDepot — MedStar Health Data Breach Exposes Sensitive PII and PHI (multi-state AG filing tracker)
- ObscureIQ — MedStar Health System Ransomware Breach 2025
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.