Baltimore Medical System, the largest Federally Qualified Health Center in Maryland, suffered a ransomware attack between July 2 and July 20, 2025. The Brain Cipher ransomware group claimed responsibility on September 16, 2025 by listing BMS on its dark-web leak site and posting data samples reportedly exceeding 800 GB, including what appeared to be database and file-system backups from BMS servers. BMS publicly disclosed the incident on September 26, 2025 and began notifying affected individuals.

The breach affected approximately 638,000 records across the BMS network. Compromised fields include names, contact details, dates of birth, Social Security numbers, medical record and patient identification numbers, medical and treatment information, lab results, Medicare and Medicaid identifiers, health insurance and claims details, and financial account information. The high record count reflects the scope of stored data on affected systems, which includes current and former patients, family contacts, and historical records, beyond the approximately 90,000 patients BMS actively serves at any given time.

For affected individuals, the practical risk is unusually severe because of the combination of identity, financial, medical, and federal-program identifiers. The pairing of name, address, date of birth, and Social Security number is a strong base for synthetic identity fraud and fraudulent credit applications. Medicare and Medicaid identifiers create additional risk of healthcare-program fraud, including fraudulent claims billed under affected patients' identities. Affected individuals should freeze credit at all three U.S. bureaus, monitor health-insurance and Medicare summary notices closely for unfamiliar charges, and treat unsolicited contact referencing BMS, healthcare benefits, or insurance verification with caution. Patients in vulnerable populations who use FQHCs are particular targets for healthcare-fraud and emotional-manipulation scams, and should rely on calls back to verified BMS phone numbers rather than responding to inbound contact.

Community clinic networks collect patient identity, contact, insurance, billing, and treatment records across primary and specialty care services.

Baltimore Medical System discovered suspicious network activity in late summer 2025 and engaged third-party cybersecurity specialists to investigate. The forensic review concluded that an unauthorized actor accessed and copied files between July 2 and July 20, 2025. BMS issued an initial public notice on September 26, 2025 and began an extended file-review process to identify affected individuals. Notification letters were mailed in two waves, with the second beginning on or around April 2, 2026. The Brain Cipher ransomware group publicly claimed responsibility on September 16, 2025 by listing BMS on its dark-web leak site and posting samples reportedly exceeding 800 GB. Class-action investigations by U.S. plaintiff law firms began following the September disclosure.