BakerHostetler: Healthcare Remains Most Targeted Sector with Extortion-Only Attacks on the Rise

Posted by Steve Alder

Healthcare has retained its position as the industry most targeted by cyber actors, an unwanted accolade that the sector has held for more than a decade, and in 2025, healthcare had the highest average ransom payments, averaging $1,154,245, according to the recently published BakerHostetler 2026 Data Security Incident Response Report. The report is based on more than 1,250 data security incidents that the law firm was engaged in last year.

BakerHostetler has been publishing annual breach reports for 12 years, and in each of those years, healthcare accounted for more cyber incidents than any other industry. In 2025, healthcare – which includes biotech and pharma – accounted for 27%, with finance/insurance in second spot, accounting for 18% of incidents. While healthcare data breaches remain high – more than 700 last year – 2025 was the second consecutive year where breaches impacting 500 or more individuals declined, albeit only slightly.

Last year saw some threat actors issue astronomical ransom demands, the highest of which was $98 million, more than double the highest ransom demand in 2024 ($40 million). The largest ransom paid was $5.65 million, down from more than $20 million in 2024. Ransom payments increased in 2025, from an average payment of $501,338 in 2024 to $682,702, although average payments in healthcare were 69% higher.

BakerHostetler’s analysis revealed threat actors are spending less time in networks, with the dwell time falling from 36 days in 2023 to just 22 days in 2025. As defenders have got better at detecting intrusions, threat actors have had to adapt and are spending less time snooping to find data of interest. Linked to this is a growing trend of encryption being abandoned in some attacks, with some threat groups opting to solely conduct extortion only attacks. These are faster and quieter, with less chance of discovery before the attackers have achieved their aims, although in some attacks, the exfiltration of data is what tipped off victims to the attack, forcing the attackers to abandon encryption.

In 2025, across all industry sectors, 34% of victims of ransomware attacks paid the ransom, but there was a notable shift in the reason for payment last year. In 2024, 43% of victims of ransomware attacks paid the ransom to obtain a decryptor, with 34% paying to prevent the publication of stolen data. Those figures were reversed in 2025, with 31% of victims paying to obtain the decryptor, 43% paid to prevent the publication of stolen data, and 26% paid to recover data and prevent a data leak. Out of all extortion/ransomware incidents, 64% resulted in data theft requiring notices to individuals.

The Qilin ransomware group stepped up its attacks in 2025, having recruited affiliates from other ransomware operations, although Akira took top spot, based on the number of incidents BakerHostetler was engaged to assist with. Lynx/Inc ransom took third spot followed by Clop in 4th, and the now defunct RansomHub in 5th. The law enforcement operations against the LockBit ransomware group have clearly been effective, as BakerHostetler reports that for the first time in the past 5 years, LockBit was not in the top five most active ransomware groups.

This year’s report includes a spotlight on the healthcare sector. Out of all healthcare incidents that BakerHostetler was engaged in, 35% were attributed to vendors, which remain an Achilles heel in the industry. Vendor incidents were among the largest data breaches, such as the data breach at Conduent that affected more than 10 million individuals, the 5 million+ data breach at Episource, and the data breach at Oracle Health (Cerner). The number of individuals affected by the latter has not been disclosed, but is certainly in the millions.

While announcements were made about 21 resolution agreements in 2025, only 12 of the settlements/notices of final determination had 2025 dates. Out of those 12, seven resolved alleged HIPAA violations at business associates, as OCR demonstrated it is taking a keen interest in HIPAA compliance by vendors.

BakerHostetler suggests that fewer penalties are likely to be imposed this year, as OCR may opt for providing more efficient technical assistance; however, state attorneys general may well fill the gap as they exercise their authority to penalize healthcare organziations over breaches of the protected health information of state residents.

BakerHostetler predicts that state actions are likely to increase, as states are increasing staffing in their data privacy units. The expected focus will be data breach incident investigation, data awareness and data minimization, more robust protections for sensitive data, and greater incident investigation transparency, and with Congress yet to pass federal data privacy legislation, more states will implement their own privacy legislation.

The post BakerHostetler: Healthcare Remains Most Targeted Sector with Extortion-Only Attacks on the Rise appeared first on The HIPAA Journal.

NYC Health + Hospitals Discloses 11-week Network Compromise

Posted by Steve Alder

On March 24, 2026, NYC Health + Hospitals Corporation announced that personally identifiable information (PII) and protected health information (PHI) were exposed in a data security incident. NYC Health + Hospitals identified suspicious activity within its computer network on February 2, 2026. Immediate action was taken to secure the affected systems, and an investigation was launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity specialists.

The investigation determined that an unauthorized third party first gained access to its network more than two months previously, on November 25, 2026, and retained access until February 11, 2026. The investigation into the incident is ongoing; however, NYC Health + Hospitals believes that initial access to its systems may have been gained in a security breach at one of its third-party vendors. The name of that vendor was not disclosed.

NYC Health + Hospitals determined that files were exfiltrated from its network, some of which contained PII and PHI. Over the past few weeks, NYC Health + Hospitals has been reviewing the impacted data to determine the types of information involved and the individuals affected by the incident. The delay in issuing notifications to the affected individuals was due to the time taken to review the affected data. There were no instructions from law enforcement to delay notifications.

Based on the results of the data review to date, the following types of data were compromised in the incident: names; medical information (medical record numbers, disability codes, diagnoses, medications, test results, images, treatment plans); health insurance information (plans/policies, insurance companies, member/group ID numbers, Medicaid-Medicare-government payor ID numbers), billing/claims information; biometric information; personal information (Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials, online account credentials). The information involved varies from individual to individual.

NYC Health + Hospitals said several steps have been taken to bolster security to prevent similar incidents in the future. They include enhanced detection rules for cybersecurity tools, password resets for compromised accounts, additional detection and protective technologies, and updates to remote access management policies. Credit monitoring and identity theft protection services have been offered to the affected employees and patients for 24 months.

The data breach has been reported to the appropriate authorities, but it has yet to appear on the HHS’ Office for Civil Rights breach portal, which currently shows no data breach reports since February 26, 2026. As such, it is currently unclear how many individuals have been affected.

The post NYC Health + Hospitals Discloses 11-week Network Compromise appeared first on The HIPAA Journal.

Deaconess Health System Affected by Vendor Data Breach

Posted by Steve Alder

Evansville, Indiana-based Deaconess Health System has announced a data breach involving information shared with a third-party vendor, the MRO Corp-owned company MediCopy. Deaconess Health System is one of the largest health systems in the Illinois-Indiana-Kentucky tri-state area, and operates 18 hospitals in southwestern Indiana, western Kentucky, and southeastern Illinois. The data breach affects certain patients of two of its hospitals: Deaconess Henderson Hospital in Henderson, KY, and Deaconess Union County Hospital in Morganfield, KY.

Deaconess Health System contracted with MediCopy to handle release of information (ROI) requests. Deaconess Health System’s substitute breach notice explains that MediCopy informed the health system about the security incident on February 2, 2026. The investigation determined that an unauthorized actor accessed MediCopy-controlled/managed cloud-based file-sharing software on January 13, 2026, and downloaded files related to ROI requests. The security incident was limited to the cloud-based platform. There was no unauthorized access to any Deaconess Health System’s IT systems or electronic health record system. A spokesperson for MRO said neither the MRO platform nor MediCopy systems were compromised in the incident.

Deaconess Health System conducted a comprehensive review of the affected data and determined that the information compromised in the incident included names, dates of birth, dates of service, medical record numbers, Social Security numbers, health insurance information, and medical records related to the treatment received at Deaconess Health System hospitals.

Notification letters are being mailed to the affected individuals by Deaconess Health System, which is offering complimentary credit monitoring and identity theft protection services. Deaconess Health System has confirmed that additional measures have been implemented to further strengthen the security of its file-sharing platform and the information maintained on that platform.

The number of Deaconess Health System patients affected by the data breach has yet to be publicly disclosed. Deaconess Health System said it has reported the breach to the appropriate agencies,  but the breach is not yet shown on the HHS’ Office for Civil Rights breach portal. There has been a delay in adding data breaches to the OCR data breach portal. While there have been some additions of data breaches with reporting dates prior to February 26, 2026, the breach portal lists no new additions after that date (as of March 25, 2026).

The post Deaconess Health System Affected by Vendor Data Breach appeared first on The HIPAA Journal.

Florida Insurance Commissioner Suspends Mirra Health for Medicare Data Transfers to Foreign Companies

Posted by Steve Alder

The sensitive data of more than 23,000 Florida Medicare members has been impermissibly shared with overseas companies, putting Medicare members’ sensitive health data at risk. The data was shared by Mirra Health, a provider of administrative services to health maintenance organizations (HMOs) in Florida.

Mirra Health had contracts with three HMOs in Florida: Secure Inc, Solis Health Plans Inc., and Ultimate Health Plans Inc. Under those contracts, Mirra Health agreed to provide certain administrative services, including member enrollment, claims adjudication and payment, utilization management, and grievance and appeals processing. Mirra Health engaged four unlicensed companies in India and the Philippines to perform claims processing and other functions and provided those companies with the necessary data to perform those functions.

While Mirra Health may choose to delegate certain functions to subcontractors, sensitive data was shared with unlicensed companies without the knowledge or prior approval of the HMOs or their enrollees. Under the terms of its contracts with the HMOs, prior authorization must be received before passing any data to offshore partners.

An investigation conducted by the Florida Office of Insurance Regulation determined that Mirra Health had engaged in business practices that pose an imminent threat to the public health, safety, and welfare of state residents. Mirra Health was found to have disclosed the sensitive data of 23,119 Florida Medicare Advantage enrollees to those unlicensed companies. The majority of the affected individuals participated in Chronic Condition Special Needs Plans (C-SNPs), Dual Eligible Special Needs Plans (D-SNPs), and Institutional Special Needs Plans (I-SNPs). When the Florida Office of Insurance Regulation requested that Mirra Health produce the contracts it had signed, it failed to produce all contracts with overseas companies, in violation of section 626.884 of the Florida Insurance Code.

This week, Florida Insurance Commissioner Michael Yaworsky suspended Mirra Health LLC’s certificate of authority. Yaworsky said the company demonstrated it is not competent or trustworthy, as it disclosed sensitive Medicare data to foreign entities that are beyond the regulatory reach of the Office of Insurance Regulation, depriving both the Office and the HMOs of the ability to protect vulnerable state residents.

The post Florida Insurance Commissioner Suspends Mirra Health for Medicare Data Transfers to Foreign Companies appeared first on The HIPAA Journal.

High Severity Vulnerability Identified in Grassroots DICOM

Posted by Steve Alder

A high-severity vulnerability has been identified in Grassroots DICOM that could be exploited by a remote threat actor to trigger a denial-of-service condition.  The vulnerability, tracked as CVE-2026-3650, is a memory leak issue that has been assigned a CVSS v3.1 severity score of 7.5.

Grassroots DICOM is a C++ library for DICOM medical images that comes with a scanner implementation capable of quickly scanning hundreds of DICOM files for attributes. Grassroots DICOM is used by healthcare and public health sector organizations worldwide, including in the United States.

The vulnerability affects Grassroots DICOM (GDCM) version 3.2.2 and occurs when parsing malformed DICOM files with non-standard VR types in file meta information. If an attacker sends a specially crafted file, when that file is parsed, it leads to vast memory allocations and resource depletion, triggering a denial of service condition. A maliciously crafted file could fill the heap in a single read operation without properly releasing it.

The vulnerability was identified by Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS, who reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which contacted the maintainer of Grassroots DICOM; however, the maintainer failed to respond to requests by CISA to mitigate the vulnerability.

While there is currently no fix to remediate the vulnerability, CISA has suggested recommended practices to reduce the potential for exploitation. They involve ensuring that the Grassroots DICOM is not exposed to the internet, that control system networks are located behind firewalls and are isolated from business networks, and if remote access is required, that secure methods are used to connect, such as Virtual Private Networks (VPNs), ensuring that the VPN is running the latest software version.

The post High Severity Vulnerability Identified in Grassroots DICOM appeared first on The HIPAA Journal.