CRITICAL SEVERITY | Medical

Medstar Health Data Breach

MedStar Health System Ransomware Breach (2025): 4.6 Million Patient Records Including Medical Diagnoses & SSN Exposed

Nonprofit healthcare system operating hospitals and clinics in the Mid-Atlantic.

Verified by ObscureIQ Intelligence

10.0 Severity
4.6M Records
6 Fields
2025 Year

ObscureIQ Breach Intelligence Scores
0.0 Breach Risk Index
63 Data Value
40 Market Recency
188 days Since Breach

Risk Interpretation

Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.

🎯 Impact & Downstream Threats

Rhysida ransomware attackers gained unauthorized access to MedStar systems between September 12 and September 16, 2025, exfiltrating 3.7 terabytes of data claimed to include over 7 million pieces of patient information. MedStar discovered the intrusion on October 4 and began patient notifications by mail on December 3. Confirmed exposed data includes names, dates of birth, Social Security numbers, and potentially diagnoses, medications, test results, medical images, health insurance information,

Primary downstream threats:
  • Identity theft and synthetic identity construction using government-issued IDs
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Medical identity fraud or insurance abuse using health data

🔓 Threat Vectors

Phishing, credential stuffing & account takeover
Name-based social engineering
Medical extortion, insurance fraud & discrimination
SIM swapping, vishing & SMS phishing
Physical stalking, mail fraud & identity verification
Home targeting, stalking & physical threat
Full identity theft & synthetic identity fraud

📋 Breach Intelligence

Entity: Medstar Health (MedStar Health)
Organization: Nonprofit Healthcare System • USA
Breach Date: 2025-10-04
DBC Added: 2025-10-21
Added Date: 2025-10-21
Records: ~4.6M (4,638,207 records)
Attack Vector: Ransomware
Threat Actor: Rhysida
Data Subjects: Patient
Breach Pathway: Direct
Source: DataBreach.com / ObscureIQ
Sensitivity: Restricted
Breach ID: 873.0
Status: Confirmed

📝 Executive Summary

Rhysida, a ransomware group known for targeting healthcare organizations, breached MedStar Health's systems between September 12 and September 16, 2025, exfiltrating 3.7 terabytes of data. MedStar, a nonprofit health system serving patients across Maryland, Virginia, and Washington D.C., discovered the intrusion on October 4. Rhysida listed the stolen data for sale on its dark web site at 25 bitcoin and, when MedStar did not pay, published the files publicly. The breach is estimated to affect 4.6 million patients. The exposed data includes names, home addresses, phone numbers, email addresses, Social Security numbers, and medical diagnoses, along with potentially medications, test results, medical images, insurance information, and treatment records. The combination of Social Security numbers and medical diagnoses creates layered risk. Affected individuals face potential identity theft, fraudulent tax filings, medical identity fraud in which someone uses another person's insurance or benefits, and targeted scams that exploit knowledge of a person's health condition or care history. MedStar began notifying affected patients by mail on December 3, 2025, and is offering complimentary credit monitoring and identity theft protection. The organization engaged third-party cybersecurity experts and notified the FBI. A consolidated federal class-action lawsuit was filed in December 2025, alleging negligence and seeking financial damages and court-ordered security improvements. Individuals who received a breach notice should enroll in the offered monitoring services promptly and remain alert to unsolicited contact referencing their medical care, insurance, or personal finances.

🏢 About Medstar Health

MedStar Health is a nonprofit health system operating 10 hospitals and more than 300 care sites across Maryland, Virginia, and Washington D.C. Its network includes MedStar Georgetown University Hospital, MedStar Washington Hospital Center, and several other major facilities across the Baltimore-Washington metropolitan corridor. MedStar is one of the largest healthcare employers in the Mid-Atlantic region.

Healthcare provider | Hospital and healthcare services | Integrated health system | USA
Nonprofit Healthcare System | USA | medstarhealth.org

🗂 Why They Hold Your Data

Integrated health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, clinics, and administrative operations.

📰 Recent Developments

MedStar has been managing sequential cybersecurity incidents. A prior breach involving compromised employee email accounts led to a $1.35 million class-action settlement finalized in 2024. The 2025 Rhysida ransomware attack occurred against that backdrop. This is also not MedStar's first ransomware encounter — a March 2016 attack forced the system to shut down multiple systems for approximately a week. The pattern of repeated incidents has sustained regulatory and litigation attention on the organization's security posture.

🔍 Data Points Exposed

6 verified field types:
Social Security Number
Email
Phone Number
Name
Home Address
Medical Diagnosis

Exposure Categories

Credentials: SSN
Location: PHYS ADDR
Medical: DIAGNOSIS

Canonical Fields

email_address, full_name, medical_diagnosis, phone_number, physical_address:home, ssn

🌐 Dark Web Verification

Confirmed
  • Dataset containing ~4.6M records identified in breach intelligence sources
  • Data indexed and searchable across breach notification platforms
  • Source: medstar-health-2025

🛡 Recommended Actions

⚠️ Do not assume this is low sensitivity.

1. Freeze Your Credit
Place a credit freeze with Equifax, Experian, and TransUnion.
2. Expect Targeted Phishing
Watch for emails referencing this breach. Verify through official channels.
3. Enable MFA Everywhere
Enable multi-factor authentication on all accounts.
4. Monitor Accounts
Watch for unauthorized activity on financial and personal accounts.
5. Check Your Exposure
ObscureIQ clients: this breach is indexed in your profile.

ObscureIQ Advisory

We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.

Classification Tags

Ransomware | Medical | Email | Phone | Address

Powered by the ObscureIQ Breach Intelligence Database

© 2026 ObscureIQ · All Rights Reserved · Data Licensing
