Ohio Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A timeline of major cybersecurity incidents in Ohio, from healthcare data breaches to ransomware attacks on city governments and universities, and what Ohio businesses can learn from them.
Ohio is the seventh-largest state by population and home to a diverse economy that spans automotive manufacturing, world-class healthcare systems, financial services, and a large state government apparatus. That combination of industrial output and sensitive data makes Ohio a persistent target for ransomware operators, data thieves, and nation-state actors. The state's manufacturing corridor, stretching from Toledo through Cleveland and Akron to Youngstown, processes intellectual property and supply chain data that adversaries value for both financial extortion and competitive espionage.
Examining the history of Ohio cyber threats reveals patterns that repeat across industries and organization sizes. Each incident in the timeline below carries specific lessons about the attack vectors, defensive failures, and recovery challenges that Ohio organizations continue to face. Whether you run a parts manufacturer in Dayton, a hospital network in Columbus, or a county government office in rural Appalachia, these cases expose risks that are likely present in your own environment today.
Major Cyber Incidents in Ohio: A Timeline
2014 — Ohio Auditor of State Server Breach
In 2014, the Ohio Auditor of State's office disclosed that a server containing data from audits of local governments and school districts had been accessed by unauthorized parties. The compromised data included Social Security numbers and financial records of public employees across multiple Ohio counties. The breach highlighted the risk of storing sensitive audit data on insufficiently protected systems and prompted the Auditor's office to accelerate its migration to encrypted, access-controlled infrastructure.
2017 — CareSource Data Exposure
CareSource, a Dayton-based managed care organization serving Medicaid and Medicare populations across Ohio, reported a data incident in 2017 affecting member information. An improperly configured system exposed member names, addresses, dates of birth, and Medicaid identification numbers. While CareSource stated that no Social Security numbers or financial data were involved, the incident affected a vulnerable population that relies on public health insurance and underscored the risks of misconfigured systems in healthcare IT environments.
2019 — Premier Health Phishing Attack
Premier Health, which operates hospitals and care facilities across the Dayton region including Miami Valley Hospital and Upper Valley Medical Center, disclosed that a phishing attack compromised employee email accounts containing protected health information. The breach affected approximately 64,000 patients, exposing names, dates of birth, medical record numbers, health insurance information, and in some cases Social Security numbers. The attackers maintained access to the compromised accounts for several weeks before detection, highlighting the need for advanced email monitoring and rapid anomaly response in healthcare settings.
2020 — Medical Mutual of Ohio Data Breach
Medical Mutual of Ohio, one of the state's largest health insurance companies based in Cleveland, reported a data breach affecting member information after an employee email account was compromised through a phishing attack. The exposed data included names, dates of birth, Social Security numbers, insurance identification numbers, and clinical information for approximately 13,000 members. Medical Mutual notified affected individuals and the Ohio Attorney General's office and offered complimentary credit monitoring services. The incident underscored that even well-established insurers with dedicated security teams are vulnerable to social engineering.
2022 — Ohio State University Employee Data Compromise
The Ohio State University, one of the largest public universities in the United States with over 60,000 students, experienced a data breach in 2022 when an employee's account was compromised, exposing personal information including Social Security numbers and payroll data for current and former university employees. Ohio State engaged forensic investigators and notified affected individuals. The university subsequently expanded its mandatory security awareness training program and accelerated deployment of phishing-resistant multi-factor authentication across all employee accounts.
2023 — City of Columbus Ransomware Attack
In July 2023, the Rhysida ransomware group attacked the City of Columbus in one of the most significant municipal cyber incidents in Ohio history. The attack disrupted city services, forced systems offline, and ultimately exposed personal data belonging to approximately 500,000 residents — more than half the city's population. Stolen data included employee records, Social Security numbers, bank account details, and sensitive law enforcement information. The Rhysida group published a portion of the stolen data on its dark web leak site after the city declined to pay the ransom. Columbus ultimately disclosed that remediation costs exceeded $7 million, and the incident triggered class-action lawsuits from affected residents.
2024 — Ohio Lottery Cyberattack
Beginning on Christmas Eve 2023 and extending into early 2024, the Ohio Lottery Commission was hit by a cyberattack claimed by the DragonForce ransomware group. The attack disrupted internal systems and exposed personal data of approximately 538,000 individuals, including names, Social Security numbers, and other sensitive information. While lottery gaming systems continued to function, the Commission's internal applications and some customer-facing services were taken offline during recovery. The Ohio Lottery notified affected individuals and offered credit monitoring services.
Ohio Breach Notification Law
Ohio businesses that experience a data breach must comply with Ohio Revised Code Section 1349.19, the state's data breach notification statute. The law applies to any person or business that owns or licenses computerized data that includes personal information of Ohio residents.
Key Requirements Under Ohio Rev. Code § 1349.19
Notification timing: Businesses must notify affected individuals in the most expedient time possible and without unreasonable delay. Ohio does not specify a fixed number of days, but regulators and courts interpret this as requiring prompt action once a breach is confirmed.
Attorney General notification: Breaches affecting Ohio residents should be reported to the Ohio Attorney General's office, which maintains a public database of reported breaches.
Content of notice: Notification must include a description of the breach, the types of personal information involved, and contact information for the reporting entity.
Covered data: Personal information includes an individual's name combined with Social Security numbers, driver's license numbers, financial account numbers, or other government-issued identification numbers.
Substitute notice: If the cost of direct notification exceeds $250,000, the breach affects more than 500,000 individuals, or the entity lacks sufficient contact information, substitute notice through media and website posting is permitted.
Ohio Data Protection Act (SB 220): The Safe Harbor Advantage
Ohio's Data Protection Act, enacted in 2018 as Senate Bill 220, is one of the most significant state-level cybersecurity laws in the country — and it takes a fundamentally different approach than most states. Rather than imposing penalties, the Ohio DPA provides an affirmative defense to businesses that implement and maintain recognized cybersecurity frameworks. This safe harbor provision is unique nationally and gives Ohio businesses a concrete legal incentive to invest in cybersecurity.
Under SB 220, a business that creates, maintains, and complies with a written cybersecurity program that reasonably conforms to one of several recognized frameworks can use that program as an affirmative defense in tort claims alleging that a data breach resulted from the failure to implement reasonable information security controls. Qualifying frameworks include NIST Cybersecurity Framework, NIST SP 800-171, ISO 27001, FedRAMP, CIS Controls, PCI-DSS (for entities subject to PCI), and HIPAA Security Rule (for entities subject to HIPAA).
This means that an Ohio manufacturer that implements and documents a cybersecurity program aligned with NIST CSF, and then suffers a breach despite those controls, has a legal defense that businesses in most other states do not. The safe harbor does not prevent lawsuits or regulatory action, but it provides a powerful shield during litigation. For a detailed analysis of Ohio's compliance landscape, see our guide to Ohio cybersecurity compliance requirements.
Which Ohio Industries Are Most Targeted?
Manufacturing and Automotive
Ohio is the third-largest manufacturing state in the U.S. and a critical node in the North American automotive supply chain. Honda's North American headquarters is in Marysville, and hundreds of Tier 1 and Tier 2 automotive suppliers operate across the state. Manufacturing facilities increasingly rely on connected industrial control systems and ERP platforms that create attack surfaces for ransomware and intellectual property theft. Manufacturing IT security is especially critical in Ohio's industrial corridor.
Healthcare
Ohio is home to Cleveland Clinic, one of the top-ranked hospital systems in the world, as well as Ohio State Wexner Medical Center, University Hospitals, and numerous regional systems. These institutions manage enormous volumes of protected health information and face persistent threats from ransomware groups and data thieves. The Premier Health breach demonstrated that even large, well-resourced Ohio healthcare organizations are vulnerable to phishing-based attacks.
State and Local Government
Ohio's 88 counties, hundreds of municipalities, and numerous state agencies operate IT systems that manage everything from voter records to tax processing to law enforcement databases. The City of Columbus attack showed that even the state capital, with relatively substantial IT resources, can suffer catastrophic data exposure. Smaller municipalities with more limited budgets face proportionally greater risk.
Frequently Asked Questions
How quickly must an Ohio business report a data breach?
Ohio Rev. Code § 1349.19 requires notification in the most expedient time possible and without unreasonable delay after discovery of a breach. Unlike states such as Florida (30 days) or Texas (60 days), Ohio does not set a specific calendar deadline. However, the 'without unreasonable delay' standard means that businesses should aim to notify affected individuals within 30 to 45 days of confirming a breach, and any longer delay risks regulatory scrutiny from the Ohio Attorney General's office.
What is the Ohio Data Protection Act safe harbor?
The Ohio Data Protection Act (SB 220) provides businesses with an affirmative legal defense against tort claims related to data breaches, provided the business maintained a written cybersecurity program conforming to a recognized framework such as NIST CSF, ISO 27001, or CIS Controls. This safe harbor is unique among U.S. states and gives Ohio businesses a tangible legal incentive to invest in documented cybersecurity programs. The defense does not guarantee immunity from lawsuits but significantly strengthens a company's legal position.
Was the Columbus ransomware attack the largest municipal breach in Ohio?
Yes. The 2023 City of Columbus attack by the Rhysida ransomware group exposed personal data of approximately 500,000 residents, making it by far the largest municipal data breach in Ohio history. The $7 million remediation cost and subsequent class-action lawsuits made it one of the most consequential municipal cyber incidents in the entire Midwest region.
Which Ohio sectors experience the most data breaches?
Healthcare and government entities account for the majority of publicly reported Ohio data breaches, partly because mandatory reporting requirements under HIPAA and state law ensure these incidents are disclosed. However, manufacturing, financial services, and education also experience significant incidents. Ohio's concentration of manufacturing operations makes the industrial sector particularly relevant, though many manufacturing breaches are not publicly reported unless personal information is compromised.
Does Ohio have a state-level cybersecurity agency?
Ohio operates the Ohio Cyber Range Institute and the Ohio Department of Administrative Services' Office of Information Technology, which oversees IT security for state government systems. Ohio was also one of the first states to appoint a state Chief Information Security Officer. Additionally, the Ohio National Guard maintains a Cyber Operations Squadron that can assist with incident response during significant cyber events affecting state infrastructure.
How does Ohio compare to other states on cybersecurity regulation?
Ohio stands out nationally for its incentive-based approach through the Data Protection Act's safe harbor provision. While many states focus solely on penalties and breach notification requirements, Ohio offers businesses a legal reward for proactive cybersecurity investment. Combined with its standard breach notification law (§ 1349.19) and insurance data security requirements, Ohio has built a regulatory framework that balances accountability with positive incentives — an approach that other states have begun studying as a model.
Alex Morgan
Updated Apr 4, 2026