Adventist HealthCare Data Breach: 1,300 Patients Affected in Maryland

Adventist HealthCare, a prominent healthcare provider in Maryland, has reported a significant data breach affecting approximately 1,300 individuals. The incident, reported to the Department of Health and Human Services on November 13, 2025, involved the loss of paper records and films, highlighting ongoing vulnerabilities in traditional healthcare data storage methods.

What Happened

According to the breach notification filed with the U.S. Department of Health and Human Services (HHS), Adventist HealthCare experienced a data loss incident involving physical documents and medical films. The breach was classified as a "loss" rather than unauthorized access or theft, though specific details about how the materials were lost have not been disclosed.

The incident involved a business associate, indicating that a third-party vendor or contractor was connected to the breach. Under HIPAA regulations, healthcare providers remain liable for breaches involving their business associates, as outlined in the HIPAA Omnibus Rule.

Law firm Cole & Van Note has announced they are investigating the incident, suggesting potential legal action may follow. This investigation indicates the breach may have more serious implications than initially apparent.

Who Is Affected

The breach impacted approximately 1,300 patients who received care from Adventist HealthCare. While the exact types of protected health information (PHI) compromised have not been detailed in available reports, typical paper records and medical films may contain:

• Patient names and contact information
• Medical record numbers
• Treatment histories and diagnoses
• Imaging results and radiology reports
• Insurance information
• Social Security numbers
• Other demographic data

Patients who have received services from Adventist HealthCare should monitor their accounts and be alert for any suspicious activity.

Breach Details

Key Facts:

• Entity: Adventist HealthCare
• Location: Maryland
• Individuals Affected: 1,300
• Breach Type: Loss of physical materials
• Materials Involved: Paper records and films
• Business Associate: Yes, third-party involvement confirmed
• Date Reported to HHS: November 13, 2025
• Legal Investigation: Cole & Van Note law firm investigating

The involvement of a business associate is particularly significant under HIPAA regulations. The HIPAA Omnibus Rule requires covered entities to have comprehensive business associate agreements (BAAs) in place and to ensure their partners maintain appropriate safeguards for PHI.

What This Means for Patients

This breach represents a violation of HIPAA's Security Rule, which requires covered entities to implement administrative, physical, and technical safeguards to protect PHI. The loss of physical records suggests potential failures in:

• Physical safeguards for protecting paper records
• Administrative safeguards for tracking and managing PHI
• Business associate oversight requirements

Patients affected by this breach face several risks:

1. Identity theft if personal identifiers were compromised
2. Medical identity theft using stolen health information
3. Insurance fraud using compromised insurance details
4. Privacy violations from unauthorized disclosure of medical information

While no additional details about the specific circumstances have been provided, the fact that a law firm is investigating suggests the breach may involve negligence or inadequate security measures.

How to Protect Yourself

If you are an Adventist HealthCare patient, take these immediate steps:

Monitor Your Accounts:

• Check credit reports from all three major bureaus
• Review bank and credit card statements regularly
• Monitor explanation of benefits (EOB) statements from insurers
• Watch for unexpected medical bills or insurance claims

Secure Your Information:

• Place fraud alerts on your credit reports
• Consider freezing your credit if you're not actively applying for new accounts
• Contact your insurance provider to report the breach
• Keep detailed records of all breach-related communications

Stay Informed:

• Watch for official notifications from Adventist HealthCare
• Monitor news about the investigation's findings
• Be alert for phishing attempts using the breach as a pretext

Report Suspicious Activity:

• Contact your financial institutions immediately if you notice unauthorized transactions
• Report identity theft to the FTC at IdentityTheft.gov
• File complaints with state and federal regulators if needed

Prevention Lessons for Healthcare Providers

This incident offers important lessons for healthcare organizations:

Physical Security Measures:

• Implement secure storage for all paper records and films
• Use locked filing cabinets and restricted access areas
• Maintain chain of custody documentation for physical PHI
• Conduct regular audits of physical security measures

Business Associate Management:

• Execute comprehensive business associate agreements (BAAs)
• Conduct due diligence before engaging third-party vendors
• Implement ongoing monitoring of business associate security practices
• Require breach notification procedures in all BAAs

HIPAA Compliance:

• Develop comprehensive risk assessments under the HIPAA Security Rule
• Implement appropriate administrative safeguards
• Train staff on proper PHI handling procedures
• Maintain incident response plans for various breach scenarios

Documentation and Tracking:

• Maintain detailed logs of PHI access and movement
• Implement check-out/check-in procedures for physical records
• Use barcode or RFID tracking for sensitive materials
• Conduct regular inventories of physical PHI

The HIPAA Security Rule at 45 CFR § 164.308 requires covered entities to conduct regular risk assessments and implement security measures commensurate with identified risks. This breach highlights the continued importance of physical security in an increasingly digital healthcare environment.

Healthcare organizations must remember that HIPAA compliance is not optional—it's a legal requirement that protects patients and helps maintain trust in the healthcare system. The potential legal action being investigated by Cole & Van Note serves as a reminder that breaches can result in significant financial and reputational consequences.

Learn how HIPAA Agent can help protect your practice.