MedStar Health Stored Your Most Intimate Medical Data Unencrypted. Then Criminals Stole It.
MedStar Health generated $6.3 billion in annual revenue ($6.3 billion is roughly what the entire federal government spends vaccinating Americans for a year) while storing the unencrypted, unredacted private health records of 183,079 patients on email servers that an outside hacker accessed and raided for nine consecutive months without detection.
Nine Months. Three Email Accounts. 183,000 Victims. Zero Encryption.
MedStar Health operates more than ten hospitals and over 300 care locations across Maryland, Virginia, and Washington, D.C., employing more than 32,000 people. Patients trusted the organization with their most sensitive health information as a condition of receiving medical care. They had no meaningful choice in the matter.
According to the class action complaint filed May 7, 2024, an outside party gained unauthorized access to the email accounts of three MedStar employees between January 25, 2023 and October 18, 2023. The company’s own forensic analysis, completed March 6, 2024, confirmed that patient information was included in the accessed files. MedStar did not announce the breach publicly until May 3, 2024, over a year after the intrusion began.
The data exposed included patient names, mailing addresses, dates of birth, dates of service, provider names, and health insurance information. None of it was encrypted. None of it had been deleted when no longer needed. The complaint states plainly that MedStar “failed to even encrypt or redact this highly sensitive information.”
[Chart: Breach Timeline: When It Happened vs. When You Were Told]
What They Stole From You Cannot Be Replaced
Your Medical History Is Not a Password You Can Reset
When a retailer gets hacked and your credit card number is stolen, you call the bank, cancel the card, and get a new one. The problem ends. What MedStar allegedly lost is fundamentally different. Your name, your date of birth, your health insurance numbers, your provider names, your dates of service: these are facts about your life that cannot be cancelled, changed, or reissued. Victims of this breach carry the target on their backs for the rest of their lives.
The complaint describes a chilling consequence of stolen health insurance data: a thief can use your insurance information to see a doctor, obtain prescription drugs, file fraudulent insurance claims, or receive other medical care in your name. When that happens, the thief’s medical records contaminate yours. The wrong blood type, the wrong medications, the wrong diagnoses can appear in a file that future doctors rely on to treat you. The lawsuit frames this plainly: “your treatment, insurance and payment records, and credit report may be affected.” This is a patient safety issue disguised as a data security case.
The Anxiety Is Real and It Is Justified
Lead plaintiff Gwendolyn Riddick, a Washington, D.C. resident, describes her post-breach reality in the complaint with stark plainness. She has spent and continues to spend “a considerable amount of time” monitoring accounts and credit scores. She has suffered “emotional distress.” The time spent doing this is time taken directly away from her work and her life. She lives with “anxiety and increased concerns for the loss of her privacy.” The lawsuit describes this not as an inconvenience but as a genuine and ongoing injury.
This is the hidden cost that never appears on a corporate balance sheet: the $200-per-year ($200 is a week of groceries for a family of four) credit monitoring service that breach victims now need to purchase, the hours spent calling credit bureaus and placing fraud alerts, the years spent checking health insurance statements for fraudulent charges, and the mental load of knowing that somewhere out there, someone has your most private information and may be selling it or using it right now. For 183,079 people, this became their reality because a billion-dollar healthcare organization did not encrypt its email files.
The Dark Web Does Not Forget
The complaint lays out the mechanics of how stolen health data gets weaponized, and the picture is methodical and patient. Cybercriminals do not always rush to use stolen data. The U.S. Government Accountability Office found that stolen data can be held for a year or more before criminals deploy it for identity theft, and that “once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” The complaint notes that “the fraudulent activity resulting from the Data Breach may not come to light for years.” MedStar’s 183,079 patients may not know they are victims of identity theft until they apply for a mortgage, a job, or health insurance and find a trail of fraud already waiting for them.
The mechanism behind this prolonged threat is the “Fullz” package, a complete dossier assembled by criminals who cross-reference stolen data with unregulated data available elsewhere online. A Fullz package, containing a victim’s name, address, date of birth, insurance details, and other identifiers, commands up to $100 or more per record on the dark web. Even if a victim’s credit card number was not in the breach, criminals can still build out a complete identity profile using what MedStar left exposed. The longer this data circulates underground, the more complete these profiles become, and the more damage they can do.
A Company That Profits from Your Trust, Then Sells That Trust Short
The complaint describes the relationship between a patient and a healthcare provider as one built on an implicit promise: you give us your most private information because you have to, and we will protect it as if it were our own. MedStar collected this information as a mandatory condition of providing care. Patients could not opt out. They could not negotiate. They could not choose a different level of data protection. They trusted the system, and the system allegedly failed them in the most basic way possible by not even encrypting the files sitting in employee email inboxes.
Straight From the Filing: The Quotes That Should Haunt MedStar’s Board
“Defendant failed to adequately protect Plaintiff’s and Class Members’ Private Information and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted Private Information was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect its patients’ sensitive data.” (Class Action Complaint, Paragraph 6)
“Defendant disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to implement and maintain adequate and reasonable measures to ensure that the Private Information of Plaintiff and Class Members was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required, and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.” (Class Action Complaint, Paragraph 8)
“Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ Private Information. Instead of providing a reasonable level of security that would have prevented the Data Breach, Defendant instead calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.” (Class Action Complaint, Paragraph 181)
“While we have no reason to believe that your information was actually acquired or viewed, we cannot rule out such access.” (MedStar Health’s own Notice of Data Incident, quoted in Complaint Paragraph 27)
“[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.” (U.S. Government Accountability Office Report, cited in Complaint Paragraph 51)
What Your Data Is Worth to Criminals: Dark Web Price Points
[Chart: Stolen Data Dark Web Pricing vs. What MedStar Stored Unencrypted]
This Breach Did Not Happen in a Vacuum
Public Health: When Your Medical File Becomes a Weapon
The complaint identifies a public health dimension to this breach that goes far beyond financial fraud. When a criminal uses stolen health insurance information to receive medical care, the records generated under your name and insurance number can merge with your actual medical history. Incorrect medications, undisclosed allergies, false diagnoses, and erroneous treatment histories can contaminate a medical file permanently. Future healthcare providers making emergency or routine decisions may rely on corrupted data without knowing it.
The complaint cites the specific risk directly: “A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.” For elderly patients, patients managing chronic conditions, or anyone requiring ongoing medical care, an adulterated medical file is a genuine physical danger. MedStar serves the Baltimore-Washington metropolitan area, one of the most densely populated healthcare corridors in the country.
Prescription drug fraud through stolen health insurance credentials is a particularly serious risk. A thief who obtains prescription drugs using a victim’s insurance information can cause that victim’s insurance records to show prescriptions for medications the victim never took. If a pharmacist or doctor later checks for dangerous drug interactions, that false history could interfere with safe prescribing decisions. The 183,079 affected patients now live with this risk indefinitely.
Economic Inequality: The People Who Pay the Price Are Never the Ones Who Chose the Risk
MedStar operates as a not-for-profit, but the lawsuit makes clear it generated $6.3 billion in annual revenue ($6.3 billion, for context, could cover five years of credit monitoring services for every single one of the 183,079 breach victims with billions left over). The lawsuit alleges the company deliberately chose cheaper, inadequate security measures to increase its profit margins. The people bearing the consequences of that choice are the patients, many of whom had no alternative but to use MedStar facilities in their communities.
The lawsuit estimates the cost of credit and identity theft monitoring at approximately $200 per year ($200 per year is what a working family might spend on school supplies) per victim for a minimum of five years. That is a total out-of-pocket burden of at least $1,000 per person ($1,000 is what many Americans spend on an entire month of rent), for a problem they did not create. Multiplied across 183,079 class members, that is approximately $183 million ($183 million could fully fund healthcare services for tens of thousands of uninsured Americans for a year) in forced personal expenditures that flow directly from MedStar’s alleged failure to encrypt a file.
The people most vulnerable in this breach are also the least equipped to fight back. Patients who relied on MedStar hospitals in lower-income communities throughout the Baltimore-Washington corridor may lack the resources to pay for monitoring services, navigate credit disputes, or take extended time off work to manage the fallout. The complaint acknowledges the time cost explicitly: victims spend hours contacting credit bureaus, reviewing insurance statements, changing passwords, and checking financial accounts. For hourly workers, that time has a direct economic value they cannot recover.
[Chart: Estimated Cumulative Victim Financial Burden: Credit Monitoring Over 5 Years]