Two Ransomware Attacks Impact 1.1 Million Patients

Cyber Attacks Target Maryland Medical Group and California Hospital, Resulting in Massive Data Theft

Data Theft Affecting Patients
Frederick Health is alerting 934,326 patients about a ransomware incident from January that compromised their data. (Image: Frederick Health)

Recent reports indicate that two separate ransomware attacks have hit a Maryland medical group and a California hospital, leading to data breaches that impact over 1.1 million patients. The cybercriminals involved have claimed responsibility for leaking up to 480 gigabytes of sensitive data in one of the reported incidents.

Frederick Health, based in Maryland, reported an incident to the U.S. Department of Health and Human Services on March 28, stating that a ransomware attack on January 27 affected 934,326 individuals. The attack involved unauthorized access to their IT systems and resulted in significant data exfiltration.

While no ransomware group has claimed responsibility for the Frederick Health attack on dark web forums, the situation is markedly different in the case of Dameron Hospital in California. This facility alerted the HHS’s Office for Civil Rights about its own hacking incident on April 2, which has affected approximately 211,000 individuals. The cybercriminal group RansomHouse has publicly acknowledged responsibility for the November 2023 attack, boasting of encrypting the hospital’s systems and stealing substantial data that has been partially disclosed online.

Details on the Frederick Health Incident

In its breach notification, Frederick Health disclosed that upon discovery of the ransomware attack, it swiftly implemented its incident response protocols, securing its systems and informing law enforcement. A forensic investigation, assisted by external experts, revealed that attackers accessed and copied files from a share server, compromising a variety of sensitive information, including patient names, Social Security numbers, and clinical details.

The medical group has kept its operations largely intact during the recovery phase, with updates indicating that all but one laboratory remained operational. The organization reported progress in restoring affected systems but did not provide Information Security Media Group with further details about the attack.

Dameron Hospital’s Dilemma

Dameron Hospital’s breach notice reveals that the security incident was detected on November 5, 2023. Following its discovery, the hospital quickly contained the threat and launched an extensive investigation. By March 21, 2025, it had determined that unauthorized actors had likely accessed personal and protected health information of its patients during the attack.

The compromised information varies by individual and includes names, Social Security numbers, and financial information. This delay in notification, approximately 15 months post-discovery, raises concerns over compliance with HIPAA regulations, which stipulate that breaches involving more than 500 individuals must be reported within 60 days.

Assessment of Incident Response Strategies

Experts emphasize the necessity for healthcare organizations to develop and rehearse robust incident response strategies prior to facing a severe cyber incident. A recent report indicated that while 98% of healthcare organizations claim to have comprehensive cyber crisis plans, 71% have encountered significant incidents disrupting essential functions, suggesting a gap between perceived and actual preparedness. This disconnect poses a significant risk, particularly as threat actors often exploit organizational weaknesses during off-peak times such as holidays or weekends.

Marty Momdjian from Semperis highlighted the critical need for cohesive communication across teams during crises, as this coordination is often compromised in real-world attack scenarios. The evolving threat landscape requires organizations to remain vigilant and proactive in enhancing their cybersecurity frameworks.
