Goshen Medical Center notifies more than 450,000 patients of a data breach

The North Carolina medical center recently notified approximately 450,000 individuals of a data breach. 

What happened

On September 12th, 2025, Goshen Medical Center filed a data breach notice with the Maine Attorney General. The medical center, which has approximately 38 locations, has not yet posted anything on their website. 

According to their notice, the incident first took place on February 15th, 2025, and was detected on March 4th. Following detection, Goshen immediately initiated an investigation that determined certain files had been accessed. Impacted data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical record numbers. 

Goshen reported that 456,385 individuals were impacted, including past and current patients.

What’s next

Goshen has stated that they have now “implemented additional measures to reduce the risk of a similar incident occurring in the future.” Goshen is also offering complimentary credit monitoring and identity protection services. 

While Goshen is taking several steps to protect patients and remedy the situation, they are already being investigated by multiple law firms. These firms are gathering evidence for potential class action lawsuits, but will have to prove that Goshen was negligent in their cybersecurity practices in order to be successful. 

Why it matters

According to HHS Deputy Secretary Andrea Palm, as noted in Paubox’s 2025 Healthcare Email Security Report, "The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety." Palm adds that these attacks "endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures."

FAQs

Why do healthcare organizations report data breaches to the Maine Attorney General

Healthcare organizations are required to report breaches to the Maine Attorney General if they impact Maine residents. Not every state has this law and it can take time for organizations to report data breaches to the Department of Health and Human Services. Because of this, the Maine Attorney General’s portal has become an efficient way of gathering data and information of breaches in the US. 

What type of breach did Goshen experience

Goshen did not explicitly explain how the breach took place, but in its filing with the Maine Attorney General, it stated the breach was an external system breach, also known as a hacking incident.