Columbia Medical Practice Data Breach Exposes Social Security Numbers and Medical Records

Healthcare data breach illustration
Breach Discovery: 5th November 2025Breach Notification: 24th April 2026

What Happened in the Columbia Medical Practice Data Breach?

Columbia Medical Practice recently confirmed a serious data breach affecting patients whose information was stored on its computer network. According to the practice’s official notice, a cybercriminal accessed a portion of its systems and installed ransomware, locking files across affected devices. The Columbia Medical Practice data breach has since been linked to a known ransomware group operating on the dark web.

The unauthorized access occurred on or about Nov. 5, 2025. Investigators later identified the attacker as the Qilin ransomware group. Before the practice could recover its systems, the attackers copied files from the network. As a result, the incident involved both encryption of data and theft of sensitive records, which is a more severe combination than a simple ransomware lockout.

The breach became publicly evident when Qilin claimed responsibility and posted about the incident on the dark web on Nov. 24, 2025. This claim confirmed that stolen files were in the attacker’s possession. Following discovery, Columbia Medical Practice launched a forensic investigation to determine exactly which files and individuals were affected.

Because forensic reviews of stolen healthcare data can be complex, the practice has continued examining the compromised files. This process helps identify precisely whose personal and medical information was included in the stolen data. The practice reported the breach to federal regulators and, later, to state attorneys general as part of its legal obligations.

Who was affected?

The Columbia Medical Practice data breach affects patients whose personal and medical information was stored within the practice’s network. Since the organization is a medical provider, those impacted are primarily patients who received care or services through the practice.

The exact number of affected individuals has not been publicly disclosed. However, the breach was significant enough to require notification to the U.S. Department of Health and Human Services, as well as the attorneys general of Maine and Massachusetts. This suggests the impact reaches beyond a single state and may involve patients across multiple regions.

Because medical practices often serve patients of all ages, it’s possible that minors’ information was included among the exposed records. In addition, because health insurance and treatment details were involved, both current and former patients could be affected. Anyone who received care from Columbia Medical Practice should consider themselves potentially impacted until they receive official confirmation.

What Information Was Potentially Exposed?

The data compromised in this breach is extensive and touches nearly every category of sensitive personal information. Both identity-related details and health-related records were taken during the attack, which increases the risk to affected individuals.

  • Names, addresses and phone numbers
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Passport numbers and other government identifiers
  • Location of health services received
  • Dates of service
  • Treatment or condition information
  • Diagnosis and diagnosis codes
  • Prescription details
  • Medical history
  • Assigned physician information
  • Health insurance subscriber or identification numbers
  • Patient account numbers
  • Financial account numbers (without security codes, access codes or passwords)

Given the presence of Social Security numbers, driver’s license numbers and passport numbers, affected individuals face a heightened risk of identity theft. Criminals can use this combination of identifiers to open new credit accounts, file fraudulent tax returns or apply for loans in someone else’s name. Because this data rarely changes, the risk can persist for years after the breach.

In addition, the exposure of protected health information creates the possibility of medical identity theft. For example, stolen health insurance identification numbers could allow someone to receive medical treatment under a victim’s identity. This type of fraud can be especially damaging because it may lead to incorrect information appearing in a person’s medical records.

What is the company doing?

In response to the breach, Columbia Medical Practice has been reviewing the compromised files to determine exactly which individuals were affected. This review process is a necessary step before the practice can send direct, individualized notifications to patients.

The practice has also published a detailed notice of the cybersecurity event on its website. This notice outlines steps individuals can take to protect their personal information, including guidance on monitoring credit reports and placing fraud alerts or security freezes. Furthermore, Columbia Medical Practice has established a toll-free assistance line, staffed Monday through Friday from 8 a.m. to 8 p.m. Eastern time, so affected individuals can ask questions and receive support.

Once the internal review concludes, the practice has committed to mailing direct notification letters to those confirmed as impacted. In the meantime, affected individuals can rely on the published notice and helpline for guidance on protecting themselves.

What Should Affected Individuals Do?

Monitor Your Credit Reports Closely

Anyone potentially affected by the Columbia Medical Practice data breach should begin monitoring their credit reports right away. Because Social Security numbers and driver’s license numbers were exposed, criminals could attempt to open new accounts using stolen identities.

You can request free credit reports from each of the three major credit bureaus. Reviewing these reports regularly helps you spot unfamiliar accounts or inquiries quickly. If you notice anything suspicious, report it to the credit bureau immediately and consider disputing any fraudulent entries.

Consider a Fraud Alert or Credit Freeze

Because this breach involved Social Security numbers and financial account information, placing a fraud alert or credit freeze is a strong protective step. A fraud alert requires creditors to verify your identity before opening new accounts in your name. A credit freeze goes further by restricting access to your credit file entirely.

To set up either protection, contact one of the three major credit bureaus directly. That bureau is required to notify the other two. This step is especially important given the sensitive combination of identifiers exposed, including driver’s license and passport numbers.

Watch for Medical Identity Theft

Since protected health information was compromised, affected individuals should also watch for signs of medical identity theft. This can include unfamiliar charges on health insurance statements or unexpected bills for services you never received.

If you notice anything unusual, contact your health insurance provider right away to report the issue. You should also request a copy of your medical records periodically to check for inaccuracies. Catching medical identity theft early can prevent long-term complications with your health records and insurance coverage.

Stay Alert for Phishing Attempts

Following any data breach, scammers often use stolen information to craft convincing phishing emails, texts or phone calls. Because this breach included detailed personal and health information, phishing attempts could appear especially legitimate.

As a result, you should avoid clicking links or providing personal details in response to unsolicited messages. Instead, verify the sender by contacting the organization directly through official channels. Remaining cautious with unexpected communications can help you avoid falling victim to follow-up scams tied to this breach.

Consult a Data Breach Attorney

Given the scope and sensitivity of the information exposed, affected individuals may want to consult a data breach attorney. An attorney can help you understand whether you qualify for compensation related to this incident.

Many law firms offer free case evaluations for individuals impacted by healthcare data breaches like this one. Because deadlines for legal claims can vary, speaking with an attorney sooner rather than later is generally advisable. This step can help ensure you understand your rights and any options available to you.



More Information

Official data breach notification from Washington State Attorney General

Official data breach notification from Iowa Attorney General

Official Notice from Cmpractice

Official Notice from Cmpractice

HHS Office for Civil Rights Breach Notification Portal

Official Notice from Maine

Official Notice from Mass

Related Data Breaches