Nearly 30,000 patients had personal and health information stolen during a cyberattack on the Fort Wayne Medical Education Program.
The Fort Wayne Medical Education Program (FWMEP), a family medicine residency program in Indiana, experienced a data breach that exposed the personal information of 29,485 patients, employees, and their dependents. According to a notice sent to affected individuals, an “unauthorized actor” accessed FWMEP’s systems between December 12 and December 17, 2024. The breach was discovered on December 17, prompting the organization to secure its network and begin a forensic investigation.
The review revealed that sensitive personal and protected health information (PHI) had been viewed or stolen. FWMEP began mailing notification letters to affected individuals on October 2, 2025, nearly ten months after the breach was detected.
The compromised data varied by person but could include names, Social Security numbers, driver’s license and passport numbers, dates of birth, medical information, health insurance details, and even bank or credit card numbers. FWMEP has since offered complimentary credit monitoring and identity protection services to individuals whose Social Security numbers were exposed.
The organization operates from the Lutheran Downtown Medical Office Building and provides clinical training for medical students. According to the Office of the Maine Attorney General, at least 29,485 people were impacted. The delay in notification has drawn criticism and triggered multiple class action lawsuits. Plaintiffs allege that FWMEP failed to adequately secure patient data and delayed disclosure of the incident.
One lawsuit claims that FWMEP “violated state and federal law and harmed thousands of its current and former patients” by failing to protect sensitive information and by obscuring details about the breach. Plaintiffs are seeking damages, restitution, and injunctive relief.
FWMEP stated it acted immediately upon discovering the breach, securing its systems and hiring cybersecurity experts to assess the damage. The organization has also established an assistance line through Haystack at 1-833-809-4990 for affected individuals seeking guidance.
According to Comparitech, ransomware and data breaches targeting US institutions are becoming more widespread and severe, affecting large hospitals and educational and training programs like the Fort Wayne Medical Education Program. The firm recorded 83 confirmed ransomware attacks on US schools and universities in 2024 and another 32 in 2025, collectively exposing millions of records and demanding ransoms averaging $827,000.
The organization said it needed extensive time to review the exposed files and determine which individuals were affected, a process that can be lengthy when large volumes of medical and financial data are involved.
Under HIPAA, covered entities must notify affected individuals and regulators within 60 days of confirming a breach. Whether FWMEP met that timeline may become a focus of ongoing litigation.
Organizations can strengthen protections by segmenting networks, implementing multi-factor authentication, and conducting regular penetration tests to identify vulnerabilities before attackers do.