Rheumatology Associates of Baltimore reports breach affecting 28k
Lusanda Molefe May 2, 2025 1:43:57 PM

Rheumatology Associates of Baltimore, a specialty healthcare provider in Maryland, has disclosed a data breach that potentially impacted the sensitive personal and protected health information (PHI) of 28,968 individuals. The breach occurred through a third-party vendor, Endue Software, and involved unauthorized access to patient information.
What happened
On April 11, 2025, Rheumatology Associates of Baltimore was informed by Endue Software, a vendor it uses, about a recent cybersecurity incident. Endue reported that there was unauthorized access to its systems on February 16, 2025, during which an unauthorized actor accessed and copied files from Endue's internal systems. These files contained personal information belonging to patients of Rheumatology Associates of Baltimore.
What's new
Rheumatology Associates of Baltimore posted a notice of the data privacy event on their website on April 22, 2025. The company also plans to send out breach notification letters to the affected individuals for whom they have valid mailing address information. The breach was officially reported to the U.S. Department of Health and Human Services (HHS) on April 21, 2025, and is listed on the HHS breach portal.
Multiple law firms, including Strauss Borrelli PLLC and Shamis & Gentile P.A., have announced investigations into the data breach. These firms seek to understand the extent of the incident and explore potential legal options, including class action lawsuits, for the individuals whose information was compromised.
Why it matters
The types of information that may have been exposed are highly sensitive and include full name, address, Social Security number, date of birth, and medical record number. This combination of personal and health information could put the affected individuals at risk of identity theft, financial fraud, and other potential harms.
What they're saying
Rheumatology Associates of Baltimore stated in their notice that while Endue Software is not aware of any actual or attempted identity fraud resulting from the incident, they are providing details to potentially affected individuals along with steps they can take to help protect themselves. Endue Software has also established a dedicated assistance line for individuals with questions about the incident.
Law firms investigating the breach emphasize the importance of informing affected individuals about their rights and potential legal remedies.
Looking ahead
Endue Software reported that they took immediate steps to secure their environment upon learning of the potential unauthorized access and began an investigation to determine the nature and scope of the activity. They undertook an extensive review of the involved files to identify the impacted information and the affected individuals. Rheumatology Associates of Baltimore is offering complimentary credit monitoring services to those whose Social Security numbers were exposed. Affected individuals are advised to monitor their accounts, review their credit reports, and consider placing fraud alerts or credit freezes with the major credit reporting bureaus.
FAQs
Are there any specific resources provided by Rheumatology Associates of Baltimore or Endue Software to help affected individuals?
Yes, Rheumatology Associates of Baltimore has posted a notice on their website with information about the incident and steps individuals can take to protect themselves. Endue Software has also established a dedicated assistance line at 1-833-998-5748 for individuals with questions. The notice from Rheumatology Associates of Baltimore also provides resources and contact information for the three major credit reporting bureaus and the Federal Trade Commission.
What are the legal obligations of healthcare providers and their vendors regarding data security under HIPAA?
Under HIPAA, healthcare providers and their business associates have specific legal obligations to protect the privacy and security of PHI. This includes implementing administrative, physical, and technical safeguards to prevent unauthorized access, use, or disclosure of PHI. They are also required to conduct risk assessments, develop security policies and procedures, and provide employee training on HIPAA compliance. In the event of a breach, they are obligated to notify affected individuals and the HHS in a timely manner.