HomeNewsBreachesAbout
Account

Search the Leak

Email
Phone Number

What happened in the Medstar Health Breach?

DataBreach.com Team · October 20th 2025, 8:00 pm EDT

On or about October 4, 2025, the ransomware group Rhysida added MedStar Health to its leak/auction site, signaling an extortion event. Third-party monitors recorded the listing the same day. At the time of writing, MedStar has not published a matching substitute notice specifically about this Rhysida claim, and technical details (encryption vs. exfiltration) have not been confirmed publicly.

This Rhysida claim is distinct from the March 2025 vendor incident involving Oracle Health (Cerner), where Oracle notified MedStar St. Mary’s that an unauthorized party accessed data on Oracle-controlled migration systems after Jan. 22, 2025-a separate fact pattern, timeline, and environment.

U.S. advisories describe Rhysida as a double-extortion actor that has repeatedly targeted healthcare since 2023. Treat early leak-site posts as criminal claims until a covered entity or regulator confirms scope.


What You Can Do After the MedStar/Rhysida Claim

If you received a breach notice referencing Rhysida-or have reason to believe your information is involved-attorneys want to hear from you. You may be able to pursue compensation for:

  • Time and out-of-pocket costs spent responding to the incident
  • Financial losses tied to misuse of your data
  • Loss of privacy and the increased risk of identity theft
  • Court-ordered security improvements and monitoring for impacted individuals

Impacted Data (What We Know vs. Don’t)

Known: A Rhysida listing naming MedStar Health appeared Oct. 4, 2025, captured by independent trackers and threat-intel blogs. MedStar has not yet posted a Rhysida-specific notice, so patient counts and data elements are not confirmed.

Unknown (pending provider disclosure): Whether the actors stole data, encrypted systems, or both; which facilities are implicated; and the precise categories of personal/medical data involved.

Note: MedStar’s March 2025 Oracle-Health vendor notice is separate and describes potential access to patient information held on Oracle’s systems-not MedStar’s own-after January 22, 2025. That earlier notice should not be treated as confirmation of the Rhysida claim. ([MedStar Health][2])


Practical Steps Right Now

  • Be skeptical of emails or texts about “MedStar account issues”-phishing often follows leak-site posts.
  • Consider a credit freeze and enable fraud alerts with the bureaus.
  • If you previously enrolled in monitoring from any earlier MedStar-related notice, use it while we await clarity.
  • Watch for a new HIPAA substitute notice from MedStar or filings on state AG portals; those will define scope and eligibility.

Get in Touch

If you received a notice regarding the MedStar/Rhysida incident, complete the form on this page to connect with us. An attorney or legal representative may reach out to explain the investigation and ask a few questions. There is no cost to get in touch, and you’re under no obligation to proceed.

For media inquiries, contact us at contact@databreach.com