Healthcare Ransomware Attacks Expose Patient Data at Major Providers
Richmond Behavioral Health Authority (RBHA) and MedStar Health, two major healthcare providers in the Mid-Atlantic region, have disclosed significant ransomware incidents resulting in the exposure of sensitive patient data. RBHA reported that hackers gained unauthorized access to its systems on September 29, 2025, deploying ransomware that encrypted files containing personal and protected health information for up to 113,232 individuals. Although RBHA stated there was no definitive evidence of patient data being accessed, the organization is notifying all potentially affected individuals and has implemented enhanced security measures, including third-party monitoring and stronger data policies.
MedStar Health, which operates hospitals and care sites across Maryland, Virginia, and Washington D.C., confirmed a separate ransomware attack attributed to the Rhysida group, which claims to have exfiltrated 3.7 terabytes of data, including over 7 million pieces of patient information. The breach, occurring between September 12 and 16, 2025, involved the compromise of names, dates of birth, Social Security numbers, and detailed patient care information. MedStar has begun notifying affected patients and is offering complimentary identity monitoring services to those whose most sensitive data was exposed. Both incidents highlight the ongoing threat of ransomware to healthcare organizations and the significant risks to patient privacy and data security.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
MedStar Health notifies patients and responds to breach
MedStar Health began notifying affected patients of the breach, secured its systems, engaged third-party investigators, notified law enforcement, and offered identity monitoring. The incident also prompted proposed federal class action litigation alleging negligence.
RBHA discloses breach and begins notifications
RBHA publicly disclosed the breach, said up to 113,232 individuals may be affected, and began notifying impacted people out of caution. The authority also said it engaged third-party cybersecurity experts and implemented additional security measures while the investigation continues.
Qilin claims RBHA attack and publishes stolen data
Qilin claimed responsibility for the RBHA incident, saying it exfiltrated 192 GB of data and published the files on its dark web leak site. The exposed material reportedly included sensitive patient information.
Rhysida offers MedStar Health data for sale
After the MedStar intrusion, the Rhysida ransomware group claimed responsibility and posted the stolen MedStar data for sale on its leak site. The group later made the data publicly accessible, escalating the impact of the breach.
RBHA discovers unauthorized access to its systems
Richmond Behavioral Health Authority said it discovered unauthorized access to its systems on September 30, 2025. The incident ultimately led to a breach disclosure affecting up to 113,232 individuals.
MedStar Health data theft occurs over four days
MedStar Health said unauthorized access and data theft took place between September 12 and 16, 2025, exposing sensitive patient and medical information. Rhysida later claimed it stole 3.7 TB of data, including more than 7 million pieces of patient information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
Mar 21, 2026
Multiple Healthcare Data Breaches Impacting U.S. Medical Providers
Several U.S. healthcare organizations have disclosed significant data breaches involving unauthorized access to patient and employee information. MedStar Health reported that an unauthorized third party accessed internal systems containing sensitive patient data, including names, dates of birth, Social Security numbers, and medical information. The Rhysida threat group claimed responsibility for this attack, alleging the exfiltration and leak of over 7 million pieces of patient data. Brevard Skin and Cancer Center also confirmed a cyberattack in which the Pear threat group claimed to have stolen 1.8 terabytes of data, affecting both patient and employee records with information such as Social Security numbers, health conditions, and billing details. Both organizations have offered complimentary credit monitoring and identity theft protection to affected individuals and are reviewing their cybersecurity measures. Henry Ford Health in Michigan disclosed an insider data breach affecting nearly 2,000 patients, resulting in the termination of the responsible employee and notification to those impacted. While details on the specific data accessed were not provided, credit monitoring services have been offered. These incidents highlight the ongoing risks faced by healthcare providers from both external threat actors and insider threats, emphasizing the need for robust security policies and continuous evaluation of protective measures to safeguard sensitive health information.
Mar 21, 2026
Recent Data Breaches at U.S. Healthcare Providers
Multiple U.S. healthcare organizations have recently disclosed data breaches resulting from unauthorized access to sensitive patient information. Expert MRI, a radiology provider in California, reported that an attacker accessed its network between June and August 2025, exfiltrating data such as names, addresses, dates of birth, diagnoses, and, for some, Social Security numbers. The PEAR threat group claimed responsibility and briefly listed stolen data on its leak site, suggesting a ransom may have been paid. Revere Health in Utah experienced a breach of a third-party payment platform, potentially exposing patient names, dates of birth, addresses, medical record numbers, and partial Social Security numbers, though no evidence of misuse was found. Health Management Systems of America in Michigan disclosed a breach after an employee fell victim to a spear phishing attack, resulting in the unauthorized download of emails containing patient data. These incidents highlight the ongoing risks faced by healthcare organizations from both targeted ransomware groups and opportunistic phishing attacks. In response, affected providers have reported the breaches to regulators, enhanced their cybersecurity measures, and offered credit monitoring to impacted individuals. The number of affected patients varies by incident, with Revere Health reporting up to 10,800 impacted and Expert MRI yet to disclose a total. The breaches underscore the importance of robust security practices and employee awareness training to mitigate the risk of data compromise in the healthcare sector.
Mar 21, 2026