MedStar Regional Health, one of the largest healthcare networks in the mid-Atlantic region, has disclosed a data breach affecting approximately 2.3 million patient records. The breach was discovered on April 8 after security analysts detected unusual data exfiltration patterns from the organization's electronic health record system.
Compromised data includes patient names, dates of birth, Social Security numbers, medical record numbers, and in some cases treatment histories and insurance information. MedStar says the attack exploited a previously unknown vulnerability in a third-party file transfer application used to share data between facilities.
The organization has engaged CrowdStrike to lead the incident response investigation and is offering affected patients two years of complimentary credit monitoring and identity theft protection. This marks the second major healthcare breach in 2026 involving third-party software vulnerabilities, underscoring the sector's ongoing supply chain security challenges.
