2 Ransomware Hacks Affect 1.1 Million Patients

Two separate ransomware hacks of a Maryland medical group and a California hospital resulted in data thefts affecting more than 1.1 million patients, according to recent reports to regulators. Cybercriminals claim to have leaked 480 gigabytes of data from one of the attacks.

Frederick Health in a report filed on March 28 to the U.S. Department of Health and Human Services said 934,326 people were affected by its hacking incident early this year. The Maryland-based medical group said the breach involved a Jan. 27 ransomware incident affecting its IT systems and exfiltration of data.

See Also: Incident Ready: Strategies for Cryptography

As of Friday, no specific ransomware gang appeared to have claimed responsibility on the darkweb for the Frederick Health attack.

But the circumstances were a bit different in the hacking incident California-based Dameron Hospital reported to HHS’ Office for Civil Rights on April 2, which affected nearly 211,000 people.

Cybercriminal group RansomHouse on its darkweb site claimed responsibility for the November 2023 attack on Dameron Hospital. The gang boasted that it encrypted Dameron’s IT systems and stole 480 Gbytes of the hospital data, which was at least partially disclosed on the cybercriminals’ darkweb site.

Frederick Health Hack

Frederick Health in its breach notice said that upon discovering the Jan. 27 ransomware attack, the health group “immediately” initiated its incident response protocols, which involved taking steps to secure its systems and notifying law enforcement.

Frederick Health said its forensics investigation, with assistance from third-party experts, determined that attackers accessed and copied files from a file share server.

“The documents involved varied by individual but may have contained patient names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information and clinical information related to patients’ care, not contained in our electronic medical record,” Frederick Health said.

While the medical group was responding to the incident in early February, Frederick Health on its Facebook page posted updates that indicated that all its facilities were still open for patient care, except for one laboratory that was temporarily closed. Frederick Health’s CEO in a post on Feb. 6 reported that the entity was “making significant progress in restoring its systems and processes.”

Frederick Health did not immediately respond to Information Security Media Group’s request for additional details about the ransomware attack and breach.

Dameron Hospital Breach

Dameron Hospital in its breach notice said it discovered its security incident on Nov. 5, 2023.

“Upon learning of this issue, we contained the threat and immediately commenced a prompt and thorough investigation,” Dameron said.

“After an extensive forensic investigation and comprehensive document review, we discovered on March 21, 2025, that the files that may have been removed from the impacted systems by an unauthorized third-party actor between Nov. 4 and Nov. 5, 2023 may contain personal and/or protected health information.”

Information potentially compromised varies by individual, but may include name, dates of birth, Social Security number, driver’s license, state identification and other government identification numbers, credit and debit card information, medical information and health insurance information.

Dameron Hospital said it began notifying affected people on April 2. That’s about 15 months after the incident was discovered.

Under HIPAA, covered entities are required to report PHI breaches affecting 500 or more individuals to HHS OCR within 60 days of discovery, as well as notify individuals and the media within 60 days.

Also under HIPAA, ransomware incidents are nearly always considered reportable PHI breaches.

Dameron Hospital did not immediately respond to ISMG’s request for additional information about its ransomware incident, including an explanation of why it took so long to notify breach victims and details on RansomHouse’s claims of stealing and leaking the hospital’s data.

Incident Response Preparedness

Experts say it’s critical for healthcare organizations to have carefully planned incident response and crisis management strategies in place before a cyberattack such as ransomware or other potentially devastating event happens.

A report released on Friday by security firm Semperis, which examined cyber preparedness at 1,000 organizations in multiple sectors across the U.S., U.K., Europe and Asia-Pacific regions, found that 98% of healthcare respondents said they have comprehensive cybercrisis response plans.

But 71% of respondents said they still experienced at least one high-impact incident that stopped critical business functions in the past year. Also, 24% of healthcare respondent said they had multiple such incidents.

About 78% of healthcare sector organizations said they have integrated those cyber response plans into their enterprise crisis management plan, and only 70% said they update their playbooks and runbooks on a monthly or quarterly basis.

“Relating to crisis and incident response, there is a dangerous gap between an organization’s perceived readiness and real-world response capabilities,” said Marty Momdjian, a general manager and executive vice president at Semperis.

“There are many elements of an incident response and crisis management plan that are neglected, including cross-team gaps in communications and coordination that block an organization from responding swiftly and effectively from an attack,” he said. An overload of disparate out-of-band tools is also complicating incident response for many companies, he added.

“In moments of crisis, it’s not about rising to the occasion, but falling back on the strength of your preparation. And threat actors know when companies are at their weakest, such as holidays, weekends, corporate material events – and that’s when they strike.”