Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness
Cybersecurity risk is growing, and healthcare organizations are struggling to defend a rapidly increasing attack surface. AI tools are being implemented without the secure infrastructure to support them. Most healthcare practices have meaningful gaps in cyberattack recovery readiness and face ongoing, regular third-party vendor disruptions, and there is growing concern that a cyberattack will result in a patient fatality. The current state of cybersecurity in healthcare is far from rosy.
These were some of the findings from the 2026 Healthcare IT Landscape Report from Omega Systems, a leading provider of managed IT and security services to the healthcare and financial services industries. The report is based on a survey of 200 healthcare business leaders in the United States, including CEOs, CISOs, CIOs, CFOs, and COOs, at healthcare organizations with between 50 and 600 employees. The healthcare organizations represented in the report include medical practices, clinics, ambulatory care centers, specialty services, and long-term care facilities.
In 2025, when the study was last conducted, 52% of healthcare organizations said it is inevitable that a cyberattack on a healthcare facility will result in a patient fatality in the next five years. That figure has risen to 61%, a relative increase of 17% in just 12 months. The increase is unsurprising given the lack of cyberattack recovery readiness. In the event of a cyberattack that prevents access to the electronic medical record (EMR) system, 47% said loss of access to patient records would create an immediate patient safety issue and malpractice liabilities, 53% said billing, claims, and scheduling would instantly stop, freezing cash flow at the moment when clinical operations are most compromised, and 25% said they would be unable to maintain baseline care standards, resulting in temporary or even permanent closure.
Omega Systems said 82% of providers acknowledged meaningful gaps in their recovery readiness. Almost one-third (31%) of respondents lack the ability to contain and resolve data breaches quickly; almost one-quarter (24%) do not regularly train teams on incident response; one-fifth (21%) have no independent EMR recovery path or access to a 24/7 SOC team; and 13% have no documented recovery plan at all. AI adoption is almost universal, with 93% of healthcare practices already having adopted AI tools, yet they lack the secure infrastructure to support those tools safely.
The risk of cyberattacks has never been greater. According to OCR data, 2025 saw more large data breaches reported than any year since records of data breaches have been published, fueled in part by an increase in cyberattacks on vendors, which usually impact multiple healthcare clients and cause considerable disruption.
Omega Systems found that 85% of healthcare practices experienced at least one operational disruption in the past 12 months due to a third-party vendor or vendor of a vendor, and 24% experienced a third-party or vendor breach that directly affected their data or operations.
While vendor incidents are increasing, a concerningly high percentage of respondents – 70% – said they were confident or very confident in their vendors’ cybersecurity posture. Once vendors have been engaged and trust has been established, they are no longer questioned about their cybersecurity posture.
OCR is due to issue a final rule implementing proposed changes to the HIPAA Security Rule, one of which requires regulated entities to reverify the cybersecurity measures of their business associates annually, which will force practices to continually verify vendor cybersecurity. According to the Omega Systems report, 63% of practices are not currently continuously monitoring their networks and digital supply chains, while 70% say they are confident in the vendors connected to them. “A practice can’t be confident in what they aren’t watching,” warns Omega Systems. “Trust is a natural byproduct of long-term vendor relationships. And that’s precisely what attackers count on. They target vendors because their healthcare clients trust them – and rarely verify the controls behind that trust.”
Omega Systems identified a single root cause of the cybersecurity problem in healthcare: cybersecurity is a patient safety issue, yet healthcare organizations are still treating it as a technical expense. “Sixty-two percent (62%) of healthcare leaders still treat cybersecurity as a technical expense rather than a clinical or fiduciary risk,” explained Omega Systems in the report. “That posture determines what gets funded, what gets deferred, and what gets ignored. It is why the gaps documented in this report persist despite years of escalating threat data.”
OCR investigates all reported data breaches affecting 500 or more individuals, and data breaches are being reported in record numbers. OCR currently has an initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule, which has been expanded to also cover risk management. The survey revealed that six in ten leaders have self-attested to HIPAA compliance even though they know that their risk analyses identified unresolved vulnerabilities. According to the report, 23% of practices have already filed a breach report with OCR.
“For many, that filing was not the result of negligence. It was the result of a gap that grew faster than their resources could close it,” explained Omega Systems. “Small practice leaders are not ignoring compliance. They are managing it with teams that are stretched thin, budgets that do not go far enough, and requirements that keep changing. The breach notification is often the moment they find out how serious that gap had become.”
When the HIPAA Security Rule update is released, practices will have a lot of ground to cover in a short space of time. Only 24% of practices report that they are fully prepared for the proposed changes; many lack the required in-house staff and have cybersecurity and compliance programs that have been built for a simpler threat landscape.
More than one-third (35%) say their cybersecurity/IT team is understaffed, one-third (33%) underestimate the severity and frequency of cyberattacks, one-quarter (26%) say their cybersecurity/IT team is underfunded, 23% say it relies on antiquated cybersecurity technology, and one-fifth (21%) deliberately downplay cyberattack risk to avoid reputational damage.
With the HIPAA Security Rule final rule expected this year (the proposed release date was May 2026), healthcare cybersecurity and compliance programs will have to be overhauled. Omega Systems explains that the leaders will not be the healthcare organizations with the most advanced technology. They will be the ones who have made a governance-level commitment to treating security, compliance, vendor risk, and AI not as separate problems requiring separate solutions, but as one, with a partner accountable for the whole picture.
The post Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness appeared first on The HIPAA Journal.
Hillcrest Convalescent Center Settles Class Action Data Breach Litigation
Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.
Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.
The data breach sparked several class action lawsuits, which were consolidated as they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month, the defendant filed their reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.
During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.
Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.
British Scattered Spider Hacker Pleads Guilty to Cyberattacks on TfL; SSM Health Care; Sutter Health
Two British hackers have pleaded guilty to a cyberattack on Transport for London (TfL), one of whom also admitted to hacking two U.S. healthcare companies in September 2024: SSM Health Care Corporation and Sutter Health.
Owen Flowers, 18, from Walsall, West Midlands, and Thalha Jubair, 20, from East London, were both teenagers when they conducted the attacks and were members of the cybercriminal group Scattered Spider. In contrast to many cybercriminal groups, Scattered Spider is an English-speaking collective whose members are primarily based in the United States, the United Kingdom, and Canada.
Scattered Spider is believed to have been formed in May 2022 and primarily targeted telecommunications companies before expanding attacks on varied targets. The group has been linked with attacks on more than 120 companies, including Snowflake, Twilio, Mailchimp, DoorDash, American Airlines, WestJet, Hawaiian Airlines, and Aflac. The group was behind the ransomware attacks on Caesars Entertainment and MGM Resorts in September 2023, the TfL attack in late August 2024, and a string of ransomware attacks on UK retailers Marks & Spencer, Harrods, and Co-op Group in April 2025.
The two hackers were arrested at their home addresses on September 16, 2025, in connection with the retail attacks, along with two other individuals. An investigation conducted by the National Crime Agency (NCA) and City of London Police linked the pair to the TfL attack. That attack caused disruption to TfL’s online services, prevented live London Underground train information from appearing in the TfL app and on the TfL website, and forced all 28,000 TfL employees to attend a TfL office for a password reset. The attack cost TfL £29 million ($38 million) in loss and recovery costs.
Investigators searched the residences of the two individuals and recovered laptops, desktop computers, hard drives, and USB sticks, which contained evidence of the pair’s involvement in the TfL attack. Investigators also found evidence on devices owned by Flowers of his involvement in attacks on SSM Health Care and Sutter Health, which resulted in infiltration and damage to computers, according to the UK’s National Crime Agency.
Jubair ran a Telegram channel called Star Chat that was used by a SIM-swapping group that engaged in voice and SMS-based phishing attacks to steal credentials from employees at UK and US wireless providers. The access was then used to redirect individuals’ phone numbers to devices controlled by the attackers, allowing them to intercept calls and text messages.
Jubair has been charged in the United States for his role in Scattered Spider cyberattacks on at least 120 computer networks, involving 47 U.S. entities. New Jersey prosecutors have charged Jubair with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted on all U.S. charges, Jubair faces up to 95 years in jail.
The hackers were scheduled for a 6-week trial in Woolwich Crown Court in London, starting on June 22, 2026. On day 1 of the trial, Flowers and Jubair pleaded guilty to the attack on TfL. Flowers also admitted to conspiring to commit unauthorized acts against the computer systems of SSM Health Care Corporation and Sutter Health in September 2024.
The hackers are both scheduled for a 2-day sentencing hearing starting on July 15, 2026. Jubair also faces a trial in the United States. Depending on negotiations between UK and US authorities, Jubair could be temporarily transferred after sentencing to stand trial for the charges in the United States before returning to complete his sentence, or he may face a trial in the U.S. after serving the entirety of his UK sentence.
“This has been a lengthy, highly complex, and painstaking investigation. The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit. “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider. This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”
Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company
Florida Retina Center has identified unauthorized access to systems containing the protected health information of more than 13,600 patients. Acadia Healthcare Company has experienced a breach affecting 1,800 patients.
Florida Retina Center
Bonita Springs-based Florida Retina Center has announced a cybersecurity incident that was first identified on January 30, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the unauthorized activity. On May 19, 2026, Florida Retina Center confirmed unauthorized access to parts of its network containing patient data.
The file review confirmed that the data of 13,652 patients was exposed and potentially acquired in the incident. The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Notification letters have been mailed to the affected individuals, and 12 months of complimentary credit monitoring and identity theft protection services have been made available. At the time of issuing notification letters, no misuse of the affected data had been identified.
Acadia Healthcare Company
Franklin, Tennessee-based Acadia Healthcare Company, Inc., a provider of psychiatric and chemical dependency services, has announced a data breach affecting 1,807 individuals. Unusual activity was identified within an employee’s email account on March 25, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to a single employee’s email account and associated SharePoint files between March 21, 2026, and March 25, 2026. There was no unauthorized access to any other email accounts, other systems, or the electronic medical record system.
The types of data involved varied from individual to individual, and for the majority of affected individuals, involved one or more of the following data elements in addition to their names: address, date of birth, treatment information, dates of treatment, type of treatment, and health insurance information. Certain individuals also had their Medicare Health Insurance Claim Number (HICN) exposed, which may include their Social Security number. Notification letters were mailed to the affected individuals on May 22, 2026, and additional safeguards have been implemented to prevent similar incidents in the future.