MedStar suffers data breach, 183K patients exposed


The American healthcare service MedStar has suffered a breach, with attackers gaining access to the personal information of 183,000 patients.

MedStar, a major US healthcare provider, had its systems penetrated, and threat actors accessed personal patient data alongside health insurance information. Notification letters were mailed to relevant patients on May 3rd, 2023.

The information that may have been involved includes some or all of the following:

  • Names
  • Mailing addresses
  • Dates of birth
  • Dates of service
  • Providers' names
  • Health insurance information

Individual healthcare data can be sold for hundreds of dollars on dark web forums. Malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

MedStar discovered that an unauthorized party had “accessed emails and files associated with three MedStar employee email accounts.”

The unauthorized access supposedly occurred intermittently between January and October of 2023.

The company ran an investigation, which finished in March 2024, and found that some personal patient information was “included in the emails and files that were accessed.”

However, MedStar states they have “no reason to believe that patient information was actually acquired or viewed.” The company also acknowledges that they “cannot rule out such access.”

MedStar apologizes for any concern or inconvenience this may have caused and urges its patients to “review statements they received related to their healthcare.”

“We take this matter very seriously,” the healthcare provider said.

MedStar supposedly employs “appropriate physical, technical, and administrative controls to ensure the safety and confidentiality of patients’ information.” The company has implemented further safeguarding practices and security measures to “prevent something like this from happening again.”

MedStar offers healthcare services in the US, specifically in Maryland, Virginia, and Washington, DC, via its 10 hospitals and 300 other care locations.

The healthcare service employs almost 4,000 physicians and has a net operating revenue of $7.7 billion.