Medstar Health 2025 Data Breach


Classification Tags

Rhysida · Ransomware · Medical · Email Address · Full Name · Medical Diagnosis · Phone Number · Physical Address · Social Security Number
Low Severity · Website / service breach

MedStar Health System Ransomware Breach (2025): 4.6 Million Patient Records Including Medical Diagnoses & SSN Exposed

Nonprofit healthcare system operating hospitals and clinics in the Mid-Atlantic.

Verified by ObscureIQ Intelligence
Breach Risk Index: 0/100
Data Value: 63
Market Recency: 40
Since Breach: 188d

Breach Intelligence Summary

Entity: Medstar Health · Actor: Rhysida · Sources: 2 references
Attack: Ransomware
Profile: Healthcare provider · Hospital and healthcare services · Integrated health system · USA
Timeline: Breach (2025-10-04) · Indexed (Oct 21, 2025) · Year (2025)
Exposure: 4.6M records · 6 fields: Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number
Status: Reported

Executive Summary

Rhysida, a ransomware group known for targeting healthcare organizations, breached MedStar Health's systems between September 12 and September 16, 2025, exfiltrating 3.7 terabytes of data. MedStar, a nonprofit health system serving patients across Maryland, Virginia, and Washington D.C., discovered the intrusion on October 4. Rhysida listed the stolen data for sale on its dark web site at 25 bitcoin and, when MedStar did not pay, published the files publicly. The breach is estimated to affect 4.6 million patients. The exposed data includes names, home addresses, phone numbers, email addresses, Social Security numbers, and medical diagnoses, along with potentially medications, test results, medical images, insurance information, and treatment records. The combination of Social Security numbers and medical diagnoses creates layered risk. Affected individuals face potential identity theft, fraudulent tax filings, medical identity fraud in which someone uses another person's insurance or benefits, and targeted scams that exploit knowledge of a person's health condition or care history. MedStar began notifying affected patients by mail on December 3, 2025, and is offering complimentary credit monitoring and identity theft protection. The organization engaged third-party cybersecurity experts and notified the FBI. A consolidated federal class-action lawsuit was filed in December 2025, alleging negligence and seeking financial damages and court-ordered security improvements. Individuals who received a breach notice should enroll in the offered monitoring services promptly and remain alert to unsolicited contact referencing their medical care, insurance, or personal finances.

ObscureIQ assessment: Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.

Breach Impact

Rhysida ransomware attackers gained unauthorized access to MedStar systems between September 12 and September 16, 2025, exfiltrating 3.7 terabytes of data claimed to include over 7 million pieces of patient information. MedStar discovered the intrusion on October 4 and began patient notifications by mail on December 3. Confirmed exposed data includes names, dates of birth, Social Security numbers, and potentially diagnoses, medications, test results, medical images, health insurance information, and treatment records. Rhysida listed the data for sale on its dark web site at 25 bitcoin, then published all files publicly when the ransom was not paid. MedStar engaged third-party cybersecurity experts, notified the FBI, and offered complimentary credit monitoring and identity theft protection. A consolidated federal class-action complaint was filed in December 2025 alleging negligence and seeking financial damages and enhanced security measures.

About Medstar Health

MedStar Health is a nonprofit health system operating 10 hospitals and more than 300 care sites across Maryland, Virginia, and Washington D.C. Its network includes MedStar Georgetown University Hospital, MedStar Washington Hospital Center, and several other major facilities across the Baltimore-Washington metropolitan corridor. MedStar is one of the largest healthcare employers in the Mid-Atlantic region.

Why They Hold Your Data

Integrated health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, clinics, and administrative operations.

Recent Developments

MedStar has been managing sequential cybersecurity incidents. A prior breach involving compromised employee email accounts led to a $1.35 million class-action settlement finalized in 2024. The 2025 Rhysida ransomware attack occurred against that backdrop. This is also not MedStar's first ransomware encounter — a March 2016 attack forced the system to shut down multiple systems for approximately a week. The pattern of repeated incidents has sustained regulatory and litigation attention on the organization's security posture.

Data Points Exposed

6 verified field types:
  • Email Address
  • Full Name (High)
  • Medical Diagnosis (Critical)
  • Phone Number
  • Physical Address (High)
  • Social Security Number (Critical)

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Identity theft and synthetic identity construction using government-issued IDs
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Medical identity fraud or insurance abuse using health data
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Medical extortion, insurance fraud & discrimination
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Full identity theft & synthetic identity fraud

Threat Actor: Rhysida

Rhysida · Ransomware

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware.

Recommended Actions

If you believe your information may be included:

  • Protect Your ID Documents: Government-ID exposure enables document fraud. Monitor for and report misuse.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report the fraud.

Frequently Asked Questions

What happened in the Medstar Health breach?

Rhysida, a ransomware group known for targeting healthcare organizations, breached MedStar Health's systems between September 12 and September 16, 2025, exfiltrating 3.7 terabytes of data. MedStar, a nonprofit health system serving patients across Maryland, Virginia, and Washington D.C., discovered…

What data was exposed?

Verified fields include Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index (DataBreach.com): record & field corroboration
  • ObscureIQ Intelligence (ObscureIQ proprietary analysis): Risk Index scoring & downstream-threat assessment
