Stalled spending on healthcare cybersecurity has impact


A recent report by application security company Indusface gave the US healthcare industry its worst privacy and security report yet. The report detailed a staggering 1,200 security and privacy breaches over the past 24 months, of which 83% of incidents exposed patient health information (PHI). This marks a new milestone for the industry and once again raises alarm bells about the lack of investment in healthcare IT and the low prioritization of cybersecurity needed to offset rising attacks and escalating concerns related to patient safety.

Texas topped the charts with 66 data breaches exposing the data of over 14 million Texans, with 4 million of these attributed to a single breach at Concentra Health Services in January 2024. California came in second with over 9 million patient records exposed, approximately half attributed to Blue Shield of California’s sharing of patient data with Google Pixel used for advertising.

“The healthcare sector is vulnerable to these breaches due to both the vast amount of sensitive patient data, which is often sold to third parties for a high price, and weak or outdated software and systems,” said Venky Sundar, founder and president of Indusface. 

Many of these alarming trends were backed by data in the recently published 2025 Verizon DBIR. The report confirmed that exploits have now overtaken phishing as a leading cause of data breaches. Not only is the healthcare industry running on old, often out-of-date and end-of-life, highly vulnerable software, but the application of patches, even when these are available, is slower than in just about any other industry. The report listed an average lag time of over 200 days between the announcement of vulnerabilities and the patching of vulnerable systems. Unlike other industries, however, many of these critical systems are responsible for keeping patients alive or maintaining the confidentiality, integrity, and availability (CIA) of their personal health and identity data.

“If we compare healthcare to other industries, we can see a big difference in the investment in and prioritization of cybersecurity,” claimed Richard Staynings, Chief Security Strategist with New York based healthcare cyber security company Cylera. “The financial services industry reinvests a good chunk of its operating profits in modern IT and well-equipped cybersecurity teams and tools. Healthcare, because much of the industry is set up to be ‘not for profit’, tends to downplay both its operating margins and the percentage of operating profits allocated to cyber security. Putting aside the massive difference in the size of profits between industries, or the way operating margins are calculated, healthcare providers currently spend less than one tenth of what financial services spends - even though lives are at stake in hospitals, clinics, and other care facilities. Healthcare payers on the other hand have much bigger revenues, with profits in the tens of billions of dollars annually, yet have still suffered some massive cyber attacks.

The difference may be attributable to how boards and senior executives perceive and quantify both enterprise risk and cybersecurity return on investment (ROI) in one industry compared to the other. Risk is calculated by multiplying probability of loss by potential impact of loss. When this risk involves money, any high risk identified by a bank of potentially losing a million dollars in assets, or not being able to conduct business with customers for several hours (resulting in billions of dollars of lost revenue), will create a very compelling ROI for cybersecurity spend to quickly remediate that risk. In this case, the costs of 'action' are often tiny compared to the possible or probable costs of 'inaction'.”
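The risk and ROI reasoning in the quoted passage (risk = probability of loss × impact of loss; the cost of action weighed against the cost of inaction) can be made concrete with a small return-on-security-investment (ROSI) calculation. This is an added example, not part of the article or Cylera's material; the scenario names, probabilities, dollar impacts and control costs are constructed placeholders chosen to give round numbers, not real figures from any bank or hospital. It also shows the limitation the article goes on to describe: a dollar-only impact field has no place to put clinical or safety risk.

```python
"""Annualized risk and return-on-security-investment (ROSI) worked example.

Added illustration, not from the article. Every probability and dollar
figure below is constructed for the example and is not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float    # chance the loss event occurs in a year
    impact: float                # loss in dollars if it happens (no clinical risk term)
    control_cost: float          # annual cost of the mitigating control
    residual_probability: float  # probability once the control is in place


def annual_risk(probability: float, impact: float) -> float:
    """Risk = probability of loss x impact of loss (annualized loss expectancy)."""
    return probability * impact


def rosi(s: Scenario) -> float:
    """Risk reduction net of the control's cost, per dollar spent on the control.

    A value above 0 means the 'cost of action' is smaller than the expected
    'cost of inaction' it removes; the larger the value, the easier the case.
    """
    before = annual_risk(s.annual_probability, s.impact)
    after = annual_risk(s.residual_probability, s.impact)
    return (before - after - s.control_cost) / s.control_cost


def compare(scenarios: list[Scenario]) -> list[tuple[str, float, float]]:
    """Return (name, annual risk before control, ROSI) for each scenario."""
    return [(s.name, annual_risk(s.annual_probability, s.impact), rosi(s))
            for s in scenarios]


# Constructed scenarios (placeholder values, not measured data).
BANK_OUTAGE = Scenario(
    name="bank: multi-hour customer outage",
    annual_probability=0.10, impact=1_000_000_000,
    control_cost=5_000_000, residual_probability=0.01,
)
HOSPITAL_RANSOMWARE = Scenario(
    name="hospital: weeks-long ransomware outage",
    annual_probability=0.30, impact=50_000_000,
    control_cost=2_000_000, residual_probability=0.10,
)

if __name__ == "__main__":
    for name, risk, r in compare([BANK_OUTAGE, HOSPITAL_RANSOMWARE]):
        print(f"{name}: annual risk ${risk:,.0f}, ROSI {r:.1f}x")
```

With these constructed inputs the bank case returns a ROSI of 17.0 and the hospital case 4.0; both are positive, so the control pays for itself in either industry, and the model only captures the financial side the article says boards already understand.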

Healthcare doesn’t quantify risk in the same way. Risks are usually perceived in different terms, as clinical or operational risk. What is the risk of a 90-year-old patient undergoing anesthesia for a procedure? What is the probability of a negative outcome for a particular patient undergoing surgery compared to not being given that surgery? Business risks like operating profit typically come second, while cybersecurity risks often don’t even make it onto the board room agenda for discussion.

Of course, some operational risks are becoming increasingly important, as evidenced by many health systems declaring bankruptcy or going out of business entirely following a cyber attack. The recent UHG Change Healthcare attack exposed the PHI of over 190 Americans. More alarmingly, it also caused a national outage which left thousands of providers unable to bill for millions of services for weeks on end, or to receive pre-authorization for scheduled procedures or pharmaceutical medications. This caused major cash-flow problems, resulting in expensive emergency bank loans to cover staff and other overheads, while hundreds of money-earning procedures were delayed as surgical staff sat idle for weeks or had to be furloughed.

Operational risks are not limited to outages of critical third parties; they often extend to core hospital systems when a denial-of-service (DoS) attack or a ransomware attack is launched against a payer or provider. Both attacks are considered ‘availability attacks’ as they essentially render critical systems unavailable for use, stopping most business activity in its tracks. DoS attacks don’t generally last long, usually a few hours or a day or so before the attacker’s systems are blocked and traffic is restored. A ransomware attack, however, will encrypt vital systems and data, shutting these down until a ransom payment is made or the victim is able to rebuild and restore critical data and systems. The result is often a partial or full hospital outage for many weeks or sometimes several months.

Any outage will have an impact on financial operations, but it may also create clinical or safety risk to patients by negatively impacting patient morbidity and mortality, and therefore legal liability for providers. So too will any cyberattack against patient data, unless forensic investigation can irrefutably prove that regulated data was not touched or accessed by hackers. The HIPAA regulation terms this a ‘data breach’, while security professionals would define it as an attack against the ‘confidentiality’ of protected data. Thus regulatory risk, clinical risk, and liability risk are all far more significant across healthcare when it is attacked. Despite this, investment in healthcare cybersecurity significantly lags behind other industries like financial services, even though lives may be at stake.

Until such time as the industry gives greater priority to protecting the information systems that power modern digital healthcare, the sector will continue to be recognized by criminals as an easy target. While growing regulatory fines, restitution, and punitive damages awarded in class action lawsuits are slowly changing the equation between ‘the costs of action versus inaction’, much of the US healthcare delivery industry stands on the edge of bankruptcy, despite the huge sums spent on health insurance each year. With basic concerns of survivability to contend with, healthcare cybersecurity will more than likely continue to be underfunded until meaningful structural healthcare reform is enacted.

These risks exist before the Trump Administration's plans to decimate public healthcare funding under Medicaid and Medicare by removing 18 million patients from eligibility. These changes will disproportionately impact rural healthcare providers, whose patient populations heavily rely upon publicly funded healthcare programs. Even though 20% of rural patient populations typically have employer-based private health insurance, this will not be enough to keep rural hospitals open, especially on top of UHG Change Healthcare losses. This could result in some rural populations being isolated from critical health services and potentially being 4 or 5 hours' drive from the nearest trauma or stroke center, a journey many patients will be unlikely to survive.

The impacts of policy changes and unmitigated cybersecurity risks will therefore lead to significant changes in patient morbidity and mortality.

In the absence of countries legislating to outright ban the payment of ransoms and other forms of extortion payments to cyber terrorists, it’s likely that ransomware will continue to plague the health sector given the criticality of this national industry. It’s therefore probable that healthcare cyber attacks will continue to grow in both size and scope for the foreseeable future and, as a result, that access to critical healthcare services can no longer be guaranteed.