Major Healthcare Data Breach Affects Over 107,000 Maryland Residents

A significant healthcare data breach has impacted a Maryland-based health plan, exposing the personal health information (PHI) of 107,154 individuals. This cyberattack, reported on June 30, 2025, represents one of the larger healthcare breaches of the year and highlights the ongoing cybersecurity challenges facing the healthcare industry.

What Happened

According to the breach notification filed with the Department of Health and Human Services (HHS), an unnamed health plan in Maryland experienced a hacking/IT incident that compromised their network server infrastructure. The breach was classified as a network server incident, indicating that cybercriminals gained unauthorized access to the organization's computer systems where patient data was stored.

While specific details about the attack methodology remain limited, the classification as a "hacking/IT incident" suggests this was likely a cyberattack rather than an accidental disclosure or theft of physical devices. This type of breach typically involves sophisticated threat actors who exploit vulnerabilities in healthcare IT systems to gain access to valuable patient data.

The health plan reported the incident to HHS on June 30, 2025, in compliance with the HIPAA Breach Notification Rule under 45 CFR § 164.408, which requires covered entities to report breaches affecting 500 or more individuals within 60 days of discovery.

Who Is Affected

This breach impacts 107,154 individuals who were members or beneficiaries of the affected Maryland health plan. The large number of affected individuals places this incident among the more significant healthcare breaches reported in 2025.

Patients affected by this breach may include:

• Current health plan members
• Former members whose data was retained
• Dependents covered under family plans
• Individuals who received services through the health plan's network

Breach Details

Key Facts:

• Entity Type: Health Plan
• Location: Maryland
• Individuals Affected: 107,154
• Breach Classification: Hacking/IT Incident
• Compromised System: Network Server
• Report Date: June 30, 2025
• Business Associate Involvement: None reported

The breach occurred on the health plan's network server, which typically stores vast amounts of sensitive patient information including medical records, insurance details, and personal identifiers. Network server breaches are particularly concerning because they often provide attackers with access to comprehensive databases containing years of patient information.

Notably, no business associate was involved in this incident, indicating the breach occurred within the health plan's own IT infrastructure rather than through a third-party vendor.

What This Means for Patients

For the 107,154 affected individuals, this breach potentially exposes a wide range of protected health information (PHI) as defined under HIPAA regulations (45 CFR § 160.103). While the specific types of compromised data haven't been detailed, health plan breaches typically involve:

• Personal identifiers (names, addresses, phone numbers)
• Financial information (Social Security numbers, bank account details)
• Insurance information (member ID numbers, policy details)
• Medical information (diagnoses, treatment history, prescription data)
• Demographic data (birth dates, employment information)

This combination of data makes affected individuals particularly vulnerable to:

• Identity theft
• Medical identity fraud
• Financial fraud
• Insurance fraud
• Targeted phishing attacks

How to Protect Yourself

If you believe you may be affected by this breach, take these immediate steps:

Monitor Your Accounts

• Review all medical and insurance statements for unauthorized services
• Check credit reports from all three major bureaus (Experian, Equifax, TransUnion)
• Monitor bank and credit card statements for suspicious transactions
• Watch for unexpected medical bills or insurance claims

Secure Your Identity

• Consider placing a fraud alert on your credit reports
• Freeze your credit if you suspect misuse
• Update passwords for healthcare portals and insurance accounts
• Enable two-factor authentication where available

Stay Vigilant

• Be wary of phishing emails claiming to be from healthcare providers
• Verify any suspicious communications by calling providers directly
• Report any signs of identity theft to local authorities and the FTC
• Keep detailed records of all breach-related communications

Know Your Rights

Under the HIPAA Breach Notification Rule (45 CFR § 164.404), affected individuals have the right to:

• Receive timely notification of the breach
• Understand what information was compromised
• Learn about steps being taken to address the breach
• Receive information about protective measures they can take

Prevention Lessons for Healthcare Providers

This incident underscores critical cybersecurity challenges facing healthcare organizations. According to HIPAA Security Rule requirements (45 CFR § 164.308), covered entities must implement comprehensive safeguards:

Technical Safeguards

• Access controls to limit system access to authorized users
• Audit controls to monitor and record system activity
• Integrity controls to protect PHI from unauthorized alteration
• Person or entity authentication to verify user identities
• Transmission security to protect PHI during electronic transmission

Administrative Safeguards

• Security management processes with designated security officers
• Workforce training on cybersecurity best practices
• Information access management with role-based permissions
• Security awareness programs to identify and respond to threats
• Contingency planning for security incidents

Physical Safeguards

• Facility access controls to limit physical access to systems
• Workstation use restrictions to prevent unauthorized access
• Device and media controls for hardware containing PHI

Best Practices

• Regular security risk assessments as required by 45 CFR § 164.308(a)(1)
• Network segmentation to limit breach impact
• Multi-factor authentication for all system access
• Regular software updates and patch management
• Employee cybersecurity training and awareness programs
• Incident response planning with clear procedures and responsibilities

Healthcare organizations must recognize that cybersecurity is not just an IT issue but a fundamental patient safety and regulatory compliance requirement. The HIPAA Security Rule mandates that covered entities conduct regular risk assessments and implement appropriate safeguards based on their specific environment and risks.

Moving Forward

This Maryland health plan breach serves as another reminder of the persistent cybersecurity threats facing healthcare organizations. With healthcare data breaches affecting millions of Americans annually, both providers and patients must remain vigilant.

For healthcare organizations, investing in robust cybersecurity infrastructure and comprehensive HIPAA compliance programs is essential for protecting patient data and avoiding costly breaches. For patients, staying informed about data protection practices and monitoring personal information regularly can help minimize the impact of inevitable security incidents.

As this investigation continues, affected individuals should watch for official notifications from the health plan and take proactive steps to protect their personal information. The healthcare industry must continue evolving its cybersecurity practices to stay ahead of increasingly sophisticated threat actors.

Learn how HIPAA Agent can help protect your practice.