MedStar Health faces federal class action after ransomware data breach
Kirsten Peremore
December 19, 2025
Following a 2025 ransomware attack on MedStar Health, a consolidated federal class action lawsuit was filed on December 15, 2025, alleging negligence in protecting patient data.
What happened
The lawsuit claims that the Rhysida group accessed and exfiltrated over 7 million pieces of patient information, including names, dates of birth, Social Security numbers, diagnoses, medications, test results, medical images, and insurance information.
According to the complaint, Rhysida publicly posted the data on its dark web leak site, setting a seven-day countdown timer and offering the stolen data for 25 bitcoins, exposing plaintiffs and class members to ongoing threats of identity theft, fraud, and misuse of their private information. The lawsuit seeks financial damages for the harm caused and injunctive relief to ensure MedStar implements proper security measures to protect remaining patient data.
The background
In September 2025, MedStar Health, which operates 10 hospitals and 300 care sites across Maryland, Virginia, and Washington, D.C., experienced a ransomware attack by the Rhysida group. The attackers gained unauthorized access to MedStar’s systems from September 12 to September 16, exfiltrating 3.7 terabytes of data.
The stolen files contained names, dates of birth, Social Security numbers, diagnoses, medications, test results, medical images, health insurance details, and other treatment information. MedStar first publicly acknowledged the incident on October 4, 2025, and began notifying affected patients by mail starting December 3, 2025.
What was said
According to the court documents, “Defendant’s wrongful actions and inaction directly and proximately caused the theft and dissemination into the public domain of Plaintiffs’ and Class Members’ Private Information, causing them to suffer, and continue to suffer, economic damages and other actual harm for which they are entitled to compensation.”
The bigger picture
Organizations like Solara have faced breaches affecting tens of thousands of patient records, but MedStar’s breach dwarfs them, with over 7 million pieces of patient information stolen. MedStar runs 10 hospitals and 300 care sites across Maryland, Virginia, and Washington, D.C., so the fallout is massive, affecting patients, operations, and trust in the system.
When you compare this to the 2019 phishing attack that exposed 114,000 patient records and led to a $9.76 million class action settlement plus a separate $3 million OCR settlement, it’s clear just how dangerous it has become for healthcare providers.
FAQs
Why are email systems a common target for cyberattacks?
Email systems sit at the front door of an organization.
Why does exploiting trusted security tools make attacks more dangerous?
Security tools are designed to be trusted by users and systems. When attackers abuse that trust, malicious activity blends in with normal operations.
Who is responsible for keeping patient information private?
Healthcare providers, hospitals, insurers, and their business associates.
