Maryland Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in Maryland, from federal contractor breaches to ransomware attacks on healthcare systems and local governments, and what businesses can learn from them.
Maryland occupies a unique position in the American cybersecurity landscape. The state is home to the National Security Agency at Fort Meade, the U.S. Cyber Command, and an extraordinarily dense corridor of defense and intelligence contractors stretching from Columbia to Annapolis Junction. This concentration of classified networks, cleared personnel, and sensitive government data makes Maryland one of the highest-value targets for nation-state actors and sophisticated cybercriminal groups in the entire country.
Beyond the defense sector, Maryland's economy includes major healthcare institutions like Johns Hopkins Health System, a thriving biotech cluster, and state and local government agencies that manage sensitive citizen data. The incidents documented below reveal a pattern that should concern every Maryland organization: attackers are not just targeting the obvious federal facilities — they are going after the contractors, suppliers, hospitals, and municipalities that form the broader ecosystem. For a wider view of the risks, see our analysis of Maryland's cyber threat landscape.
Major Cyber Incidents in Maryland: A Timeline
2014 — Community Health Systems Breach (Maryland Facilities)
Community Health Systems, which operated hospitals across multiple states including Maryland, disclosed a breach affecting 4.5 million patient records. The attack was attributed to APT18, a Chinese state-sponsored group, which exploited vulnerabilities in Juniper VPN devices. Several Maryland facilities were among those affected, with stolen data including names, Social Security numbers, and dates of birth. The breach underscored the vulnerability of healthcare organizations to nation-state attackers targeting medical data.
2018 — Under Armour / MyFitnessPal Data Breach
Under Armour, headquartered in Baltimore, disclosed in March 2018 that its MyFitnessPal application had been breached, compromising approximately 150 million user accounts. Stolen data included usernames, email addresses, and hashed passwords. While the breach affected a consumer application rather than Under Armour's core business systems, it represented one of the largest data breaches tied to a Maryland-headquartered company and highlighted the risks of storing massive volumes of user credentials in a single database.
2019 — Baltimore City Ransomware Attack (RobbinHood)
In May 2019, the City of Baltimore was struck by the RobbinHood ransomware, which encrypted city servers and disrupted services for weeks. The attack shut down email for city employees, disabled online bill payment systems for water bills and property taxes, and halted real estate transactions across the city. Attackers demanded 13 Bitcoin (approximately $76,000 at the time), which the city refused to pay. The total cost of recovery and remediation exceeded $18 million. Investigators found that the city had failed to patch known vulnerabilities and lacked adequate backup systems, turning what could have been a manageable incident into a prolonged crisis.
2020 — Maryland Department of Health COVID Data System Breach
During the COVID-19 pandemic, the Maryland Department of Health experienced a cybersecurity incident that compromised systems used to track vaccination data and pandemic response metrics. The breach forced the department to take systems offline, temporarily disrupting the state's ability to report COVID-19 statistics and manage vaccination scheduling. The incident highlighted the risks of rapidly deployed public health IT systems that prioritized speed over security.
2023 — Johns Hopkins University and Health System MOVEit Breach
In May 2023, the Cl0p ransomware gang exploited a zero-day vulnerability in the MOVEit file transfer software to breach Johns Hopkins University and Johns Hopkins Health System. The attack compromised personal and financial information of employees, students, and patients, including names, Social Security numbers, dates of birth, and health insurance information. Johns Hopkins confirmed that approximately 310,000 individuals were affected. The institution offered credit monitoring services and implemented additional security controls around file transfer systems. The incident was part of a broader MOVEit campaign that affected hundreds of organizations worldwide.
2023 — Maryland Department of Health Ransomware Disruption
In late 2023, the Maryland Department of Health faced another significant cybersecurity disruption that affected its network infrastructure and public-facing services. The incident forced the department to activate its continuity of operations plan and work with state cybersecurity officials and federal partners to investigate and remediate the breach. The repeated targeting of Maryland's health department illustrated the persistent threat facing state agencies that manage sensitive public health data.
2024 — Defense Contractor Phishing Campaign (Columbia Corridor)
In early 2024, multiple defense contractors along the Columbia, Maryland corridor reported a coordinated spear-phishing campaign targeting employees with security clearances. The campaign used highly convincing emails impersonating the Defense Counterintelligence and Security Agency (DCSA) and directed recipients to credential-harvesting sites. While specific company names were not publicly disclosed due to national security concerns, the campaign affected firms working on classified programs and prompted alerts from both the FBI Baltimore Field Office and CISA.
Maryland's Data Breach Notification Law
Maryland's data breach notification requirements are codified in the Maryland Personal Information Protection Act (PIPA), found in Maryland Commercial Law Section 14-3501 through 14-3508. The law requires businesses that own or license personal information of Maryland residents to conduct a reasonable investigation following a breach and to notify affected individuals. Under amendments that took effect in October 2024 (SB 169), the notification window was tightened to 45 days from discovery of the breach.
Personal information under PIPA includes names combined with Social Security numbers, driver's license numbers, financial account numbers, health information, and biometric data. If a breach affects more than 1,000 Maryland residents, businesses must also notify the Attorney General's office. The Attorney General has enforcement authority and can impose penalties for noncompliance. For a comprehensive guide to Maryland's regulatory framework, see our Maryland cybersecurity compliance guide.
Which Maryland Industries Are Most Targeted?
Defense and Intelligence Contractors
Maryland is home to the largest concentration of defense and intelligence contractors in the United States, largely due to the proximity of Fort Meade, the NSA, and U.S. Cyber Command. Companies along the Columbia corridor and in the Annapolis Junction area handle classified information and develop sensitive technologies. Nation-state actors from China, Russia, Iran, and North Korea continuously target these firms through spear-phishing, supply chain compromise, and insider recruitment. Organizations in this sector should evaluate whether managed IT security services can strengthen their defensive posture beyond minimum CMMC requirements.
Healthcare
Johns Hopkins Health System, MedStar Health, and the University of Maryland Medical System collectively serve millions of patients and employ tens of thousands of workers across the state. Healthcare data is among the most valuable on dark web markets, and Maryland's healthcare institutions have been repeatedly targeted. Implementing robust security programs is critical for any healthcare IT environment in the state.
Government and Education
State agencies, county governments, and public universities manage vast amounts of citizen data and often operate with constrained IT budgets. The Baltimore City ransomware attack and the Maryland Department of Health incidents demonstrate that government entities face the same sophisticated threats as private sector organizations but may lack the resources to defend against them effectively.
What Maryland Businesses Must Do After a Breach
When a Maryland business discovers a data breach, it must take several immediate steps to comply with state law and minimize damage. First, conduct a thorough investigation to determine the scope of the compromise, including which systems were affected and what data was exposed. Second, notify affected Maryland residents within 45 days of discovering the breach. Third, if the breach affects more than 1,000 residents, file a notice with the Maryland Attorney General. Fourth, offer appropriate remediation such as credit monitoring when Social Security numbers or financial data were compromised.
Beyond legal requirements, businesses should engage qualified incident response professionals to contain the threat, preserve forensic evidence, and ensure that attackers have been fully evicted from the environment. Understanding what managed IT services provide can help organizations plan for incident response capabilities before a breach occurs.
How to Protect Your Maryland Business Before an Incident
Maryland's threat environment demands a proactive security approach. Defense contractors must meet CMMC 2.0 requirements, but compliance is a floor — not a ceiling. Healthcare organizations must address HIPAA requirements while also defending against increasingly sophisticated ransomware attacks. Even small businesses in Maryland face elevated risk simply because of the state's proximity to high-value government targets, which creates spillover targeting of the broader business community.
Implement zero trust architecture: Assume that any user or device may be compromised and verify every access request, especially in environments handling classified or sensitive data.
Deploy endpoint detection and response (EDR): Traditional antivirus is insufficient against the advanced threats targeting Maryland organizations. EDR provides continuous monitoring and automated response capabilities.
Conduct regular penetration testing: Annual penetration tests help identify vulnerabilities before attackers do, particularly in complex environments that include both IT and OT systems.
Maintain encrypted, offline backups: The Baltimore City ransomware attack demonstrated that inadequate backups can turn a containable incident into a multimillion-dollar recovery effort.
Train employees on spear-phishing: Maryland organizations face highly targeted phishing campaigns. Generic awareness training is not enough — employees need realistic simulations tailored to the threats specific to their industry.
Frequently Asked Questions
How many data breaches occur in Maryland each year?
The Maryland Attorney General's office receives hundreds of breach notification filings annually. The exact number fluctuates year to year, but Maryland consistently ranks among the top states for reported breaches due to its concentration of defense contractors, healthcare institutions, and federal agencies that handle large volumes of sensitive data.
Is Maryland a high-risk state for cyberattacks?
Yes. Maryland's proximity to federal intelligence and defense facilities, its dense healthcare sector, and the volume of classified data processed within the state make it one of the highest-risk states for cyberattacks in the country. Nation-state actors specifically target Maryland-based organizations more frequently than those in most other states.
What is the notification deadline for data breaches in Maryland?
Under the amended Maryland Personal Information Protection Act (PIPA), businesses must notify affected individuals within 45 days of discovering a breach. If more than 1,000 Maryland residents are affected, the business must also notify the Maryland Attorney General.
Does Maryland have a comprehensive data privacy law?
Maryland passed the Maryland Online Data Privacy Act (MODPA) in 2024, which establishes comprehensive consumer data privacy rights including the right to access, correct, and delete personal data. The law takes effect on October 1, 2025, and applies to businesses that process the personal data of at least 35,000 Maryland consumers or derive more than 20% of gross revenue from selling personal data of at least 10,000 consumers.
Are defense contractors in Maryland required to meet CMMC requirements?
Yes. Defense contractors handling Controlled Unclassified Information (CUI) must meet Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements. Many Maryland contractors along the Columbia corridor are actively pursuing Level 2 certification, which aligns with the 110 security controls in NIST SP 800-171. Noncompliance can result in loss of contract eligibility.
What should a Maryland business do if it suspects a breach?
Immediately isolate affected systems to prevent further data loss, engage qualified incident response professionals, document all findings, and begin the notification process. Maryland law requires notification within 45 days, but early containment and forensic preservation are critical to limiting damage and supporting any subsequent investigation by law enforcement.
Alex Morgan
Updated Apr 5, 2026