Nearly 184,000 MedStar Health patients’ personal data possibly breached

A major Washington, D.C.-area health network says the personal information of about 184,000 people was likely hacked when an outsider accessed emails and files belonging to three employees.

MedStar Health reported that it alerted 183,709 patients that their data was exposed. The company also filed a notice with the Department of Health and Human Services.

The unauthorized access to the employee email accounts and files “occurred intermittently” between January and October of last year, MedStar Health said. It did not explain the exact nature of the email access. 

The company said it undertook a forensic analysis of the incident in early March and confirmed patient information appeared in the breached files and emails. Officials said that while there is “no reason to believe that patient information was actually acquired or viewed, we cannot rule out such access.”

It said the emails and files included patients’ names, mailing address, dates of birth, dates of service, provider names and health insurance information. 

MedStar Health did not respond to a request for comment. Its facilities include Georgetown University Hospital, Washington Hospital Center and several hospitals in the Baltimore area.

The company encouraged patients whose information was compromised to carefully review statements and contact them if anything odd related to their healthcare services or charges appears. It also said it has put new safeguards in place to prevent future incidents.

The hack is just one in a string of recent healthcare breaches or ransomware incidents and comes as the industry is reeling from the February ransomware attack on Change Healthcare, which compromised the personal information of a “substantial proportion of people in America,” according to the company.

In February, a Chicago children’s hospital was the victim of a ransomware attack in which stolen data was put up for sale on the dark web for $3.4 million. The hack at Lurie Children’s Hospital led staff to rely on manual processes because its whole computer network had to be taken offline.

A Michigan provider, Cherry Health, revealed last month that a late 2023 ransomware attack compromised the personal information of almost 185,000 people.

In late March, Harvard Pilgrim Health Care said that more people than it had originally believed were impacted by a ransomware attack last year, revealing that 2.86 million individuals were affected, 12 percent more than it had first stated.