Rheumatology Associates of Baltimore Data Breach Impacts 28,968 Patients
Rheumatology Associates of Baltimore (RAB), a healthcare provider that has served the Maryland community for many years, recently disclosed a significant data breach affecting 28,968 individuals. The incident, reported to the Department of Health and Human Services on April 21, 2025, involved unauthorized access to sensitive patient information through a third-party vendor compromise.
What Happened
On April 11, 2025, Rheumatology Associates of Baltimore was notified by its third-party software vendor, Endue Software (Endue), that Endue had experienced a cybersecurity incident. The breach was classified as a hacking/IT incident that occurred on Endue's network server, which contained sensitive patient data from RAB.
The incident is part of a growing trend in healthcare cybersecurity: medical practices are compromised not directly but through their technology vendors and business associates. This type of supply chain attack has become increasingly common as cybercriminals target the interconnected ecosystem of healthcare technology providers, where a single vendor compromise can expose the data of many practices at once.
Rheumatology Associates of Baltimore took immediate action upon learning of the incident, working with Endue Software to understand the scope and impact of the breach. The practice reported the incident to the HHS Office for Civil Rights within the required timeframe, with the breach appearing on the HHS Wall of Shame on April 21, 2025.
Who Is Affected
The data breach impacted 28,968 individuals, including current and former patients of Rheumatology Associates of Baltimore. Given the practice's focus on rheumatology care, the affected individuals likely include patients seeking treatment for conditions such as:
- Rheumatoid arthritis
- Osteoarthritis
- Lupus
- Fibromyalgia
- Gout
- Other autoimmune and musculoskeletal disorders
Because RAB has served its community for many years, the breach is particularly concerning for its patient base, many of whom have ongoing treatment relationships with the practice and extensive medical histories stored in the practice's systems.
Breach Details
The breach occurred through Endue Software, a third-party vendor that provides software services to Rheumatology Associates of Baltimore. The incident was classified as a hacking/IT incident affecting the vendor's network server where RAB's patient data was stored or processed.
Key details about the breach include:
- Date of Discovery: April 11, 2025
- Date Reported to HHS: April 21, 2025
- Affected Individuals: 28,968
- Breach Location: Network server at vendor Endue Software
- Breach Type: Hacking/IT incident
- Data at Risk: Sensitive personal identifiable information and protected health information
The incident highlights the critical importance of vendor management and business associate agreements in healthcare data security. Under HIPAA regulations, covered entities like Rheumatology Associates of Baltimore remain responsible for protecting patient data even when it's processed by third-party vendors.
What This Means for Patients
For the 28,968 individuals affected by this breach, the exposure of sensitive personal identifiable information and protected health information creates several potential risks:
Identity Theft Risk: With personal information compromised, patients may face increased risk of identity theft, fraudulent account creation, and financial fraud.
Medical Identity Theft: Healthcare information can be used to obtain medical services fraudulently, potentially affecting patients' medical records and insurance coverage.
Privacy Concerns: The unauthorized access to medical information represents a significant privacy violation, particularly concerning for patients with sensitive health conditions.
Ongoing Monitoring Needs: Patients will need to remain vigilant about monitoring their accounts, credit reports, and explanation of benefits statements for signs of misuse.
The breach is particularly alarming given Rheumatology Associates of Baltimore's long-standing commitment to patient care and the trust patients have placed in the practice over many years of community service.
How to Protect Yourself
If you are a patient of Rheumatology Associates of Baltimore or believe you may be affected by this breach, consider taking these protective steps:
Monitor Your Accounts: Regularly review bank statements, credit card statements, and explanation of benefits from your insurance company for any unusual activity.
Check Your Credit Reports: Obtain free credit reports from all three major credit bureaus and review them for unauthorized accounts or inquiries.
Consider Credit Monitoring: Enroll in credit monitoring services that can alert you to new accounts or changes in your credit profile.
Watch for Phishing Attempts: Be cautious of emails, calls, or texts that request personal information, especially those claiming to be related to the breach.
Review Medical Records: Check your medical records and insurance statements for any services you didn't receive, which could indicate medical identity theft.
Stay Informed: Watch for official communications from Rheumatology Associates of Baltimore about the breach and any additional protective measures they may offer.
Prevention Lessons for Healthcare Providers
This incident offers several important lessons for healthcare providers about managing cybersecurity risks:
Vendor Risk Management: Healthcare providers must thoroughly vet their technology vendors and maintain strong oversight of how patient data is handled by business associates.
Business Associate Agreements: Ensure comprehensive business associate agreements are in place that clearly define security requirements and incident response procedures.
Regular Security Assessments: Conduct regular security assessments of both internal systems and vendor environments that handle patient data.
Incident Response Planning: Maintain robust incident response plans that include procedures for vendor-related breaches and clear communication protocols.
Staff Training: Provide ongoing cybersecurity training to help staff identify and respond to potential threats.
Network Monitoring: Implement comprehensive network monitoring to detect unauthorized access attempts and unusual data activity.
The healthcare industry continues to face evolving cybersecurity threats, making proactive security measures essential for protecting patient information and maintaining HIPAA compliance.