A Behind-The-Scenes Look At A Ransomware Attack: How Preparation Changes Outcomes

By Jake Bice, Director, Threat Defense Services, Fortified Health Security
LinkedIn: Jacob Bice
LinkedIn: Fortified Health Security

Frederick Health Medical Group is one of the largest providers in Frederick County, Maryland, employing more than 4,000 staff members across 25 locations.

In early 2025, Frederick Health experienced a ransomware attack that affected more than 900,000 patient records and slowed operations for weeks. Frederick Health has permitted us to share this account of what actually occurred during the attack so that other healthcare organizations can learn valuable lessons.

As you’ll see in this breach recap, preparation doesn’t eliminate incidents, but it dramatically changes outcomes. Asset visibility, rehearsed response plans, clear authority and trusted partners all determine whether a breach becomes a prolonged crisis or a controlled disruption.

Breach Timeline

  • January 27, 2025 – Frederick’s IT team detected unusual network activity, prompting an immediate emergency shutdown of critical systems to contain the threat.
  • January 28 – Frederick activated downtime procedures, including paper-based record-keeping for patient care.
  • February 6 – Cybersecurity experts confirmed that ransomware was the cause of the disruption. Law enforcement agencies, including the FBI, were notified to assist with the investigation.
  • March 28 – Patients were notified of the breach and the incident was reported to HHS.

What follows is a stage-by-stage analysis of what unfolded during the attack from the perspective of our Red Team and Blue Team. The Red Team is the offensive group of “ethical hackers” who simulate real-world attacks and exploit vulnerabilities in an organization’s defenses. The Blue Team is the defensive squad that protects systems by detecting and preventing these attacks in real time.

Stage 1: Preparation

Before this attack occurred, what defenses or drills could have made the biggest difference?

Red Team – Many healthcare organizations still view preparation as a compliance checkbox instead of a readiness discipline. Penetration testing and tabletop exercises are the difference between guessing and knowing.

Blue Team – Readiness hinges on visibility. Preparation isn’t just about tools. It’s about understanding where you’re weak and closing the loop between security, IT and operations before an alert ever fires.

What Could Have Helped? – Continuous vulnerability testing, network segmentation, and rehearsed communication between clinical and IT staff could have slowed lateral movement and clarified decision-making in the first hours of the attack.

Stage 2: Detection & Containment

What would you look for to confirm “unusual activity”?

Red Team – Tuned logging and alerting need to be in place well before an event. If your firewall keeps getting password-sprayed, that’s your warning shot. Move fast before the breach, not after.

Blue Team – Endpoints are where ransomware lives. If you’re still relying on antivirus instead of behavioral EDR, you’re already behind. Modern EDR gives you real-time telemetry, identity monitoring, and the ability to hunt across every device before encryption spreads.

You can’t stop the bleeding if you don’t know what organs you’re protecting. Asset inventories and segmentation plans determine whether you can act decisively or simply react.

What Could Have Helped? – Comprehensive asset mapping and layered detection tools can isolate infected systems quickly without halting patient-critical applications.
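The “warning shot” the Red Team describes only helps if someone is watching for it. As an added example (written for this recap, not code from the article, from Frederick Health or from Fortified Health Security), the script below turns that idea into detection logic over firewall/VPN authentication logs: a password spray looks like one source failing against many different accounts with only a few attempts each, so the rule keys on distinct usernames per source inside a time window rather than on attempts per user. It goes one step beyond the text by escalating the alert when the same source later logs in successfully, which is the moment a spray has become an account compromise. The log line format, the field names, the thresholds and every sample line are constructed assumptions, not any vendor’s format or data from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the constructed syslog-style line format used below (an assumed
# format, not any real firewall's). Trailing fields such as reason= are optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ auth: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_line(line):
    """Parse one auth event; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"].lower(),
        "src": m["src"],
    }


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Flag each source that fails against >= min_users distinct accounts inside `window`.

    A spray differs from brute force: few attempts per account, many accounts per
    source, so the signal is distinct usernames per source, not attempts per user.
    A later SUCCESS from the same source is escalated as a suspected compromise.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAILED"]
        best = None  # densest window of distinct usernames seen for this source
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > len(best["users"])):
                best = {"users": users, "first": fails[start]["ts"], "last": fails[end]["ts"]}
        if best is None:
            continue
        # any successful login from this source after the spray began is the
        # highest-priority finding: the attacker may now hold valid credentials
        compromised = sorted({
            e["user"] for e in evs
            if e["result"] == "SUCCESS" and e["ts"] >= best["first"]
        })
        alerts.append({
            "src": src,
            "distinct_users": len(best["users"]),
            "window_start": best["first"].isoformat(),
            "window_end": best["last"].isoformat(),
            "suspected_compromised": compromised,
            "severity": "critical" if compromised else "high",
        })
    return alerts


# Constructed sample log (not from the incident): one spraying source that later
# succeeds, one user who mistyped a password twice, and one routine login.
SAMPLE_LOG = """\
2025-01-20T02:14:01Z vpn-fw auth: FAILED user=jsmith src=203.0.113.7 reason=bad_password
2025-01-20T02:15:22Z vpn-fw auth: FAILED user=mjones src=203.0.113.7 reason=bad_password
2025-01-20T02:16:40Z vpn-fw auth: FAILED user=akhan src=203.0.113.7 reason=bad_password
2025-01-20T02:18:05Z vpn-fw auth: FAILED user=rlee src=203.0.113.7 reason=bad_password
2025-01-20T02:19:31Z vpn-fw auth: FAILED user=tnguyen src=203.0.113.7 reason=bad_password
2025-01-20T02:21:09Z vpn-fw auth: FAILED user=dgarcia src=203.0.113.7 reason=bad_password
2025-01-20T02:40:12Z vpn-fw auth: SUCCESS user=rlee src=203.0.113.7
2025-01-20T08:02:10Z vpn-fw auth: FAILED user=jsmith src=198.51.100.4 reason=bad_password
2025-01-20T08:02:25Z vpn-fw auth: FAILED user=jsmith src=198.51.100.4 reason=bad_password
2025-01-20T08:02:48Z vpn-fw auth: SUCCESS user=jsmith src=198.51.100.4
2025-01-20T08:15:00Z vpn-fw auth: SUCCESS user=mjones src=192.0.2.10
"""


def run_sample():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_password_spray(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Against the sample, only 203.0.113.7 is flagged: six distinct accounts in about seven minutes, then a success for one of them, so the alert is marked critical and names that account. The user who mistyped a password twice never trips the rule because the count is of distinct accounts, not attempts. In practice the window and `min_users` are tuned per environment and the rule runs in the SIEM against live firewall and identity-provider logs; the point of the Red Team’s remark is that this alert should exist, and be routed to someone, long before the first encryption event.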

Stage 3: Eradication & Recovery

Once ransomware is confirmed, what’s Step One?

Red Team – The first step is assessing impact: which departments are down, where backups live, and who has authority to make the next call. Establish your command center, activate your incident response playbook, and get your partners on the phone. Every hour matters, but panic doesn’t help.

Blue Team – The most common recovery mistake is acting too fast: shutting everything down, re-imaging without preserving evidence, or trusting a backup that’s already infected. Recovery needs to be methodical, even under pressure.

What Could Have Helped? – A current, tested incident response plan stored in a mobile-accessible platform would have accelerated decision-making, preserved forensic evidence, and coordinated external responders more efficiently.

Stage 4: Notification & Lessons Learned

Why might patient notification take two months?

Red Team – The process involves legal and forensic steps most outsiders never see. Healthcare organizations can’t notify until they know which records were exposed. That means e-discovery, deduplication, and validation of every name and every file. In Frederick’s case, the two-month period from detection to notification was much shorter than what’s common in most ransomware events.

Blue Team – Healthcare organizations only get one chance to tell the community the truth. How and when you communicate that defines your recovery just as much as how fast your systems come back online.

What Could Have Helped? – Pre-approved notification templates and legal coordination workflows enable leaders to focus on patients, not paperwork.

The Frederick Health breach reinforces a hard truth: ransomware isn’t a technology problem alone; it’s also a readiness problem that demands collaboration across every layer of a healthcare organization, not just IT.

In our recent survey, more than one-third of healthcare organizations say that they’ve changed or enhanced their cybersecurity approach after learning from another organization’s breach. Peer experiences like the Frederick Health attack are no longer cautionary tales – they are readiness accelerators.