Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution

Vulnerabilities have been identified in the Hospital Manager Backend Services, a hospital information management system from Vertikal Systems. One of the vulnerabilities is a high-severity flaw that can be remotely exploited in a low complexity attack to gain access to and disclose sensitive information.

The vulnerabilities affect Hospital Manager Backend Services prior to September 19, 2025. The vulnerabilities have been fixed in the September 19, 2025, release and future releases. Users should ensure that their product is up to date and should contact Vertikal Systems for assistance with fixing the flaws.

The most serious vulnerability is tracked as CVE-2025-54459 and has been assigned a CVSS v4 base score of 8.7 (CVSS v3.1 base score 7.5). The flaw is due to the product exposing sensitive information to an unauthorized control sphere. Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, which means a remote attacker can obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.

The second flaw is tracked as CVE-2025-61959 and is a medium-severity vulnerability with a CVSS v4 base score of 6.9 (CVSS v3.1 base score 5.3), due to the generation of error messages containing sensitive information. Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration `customErrors mode="Off"`, which could have facilitated reconnaissance by unauthenticated attackers.

The vulnerabilities were identified by Pundhapat Sichamnong of Vantage Point Security, who reported the flaws to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In addition to using the latest version, it is recommended not to expose the product to the internet, to locate it behind a firewall, and if remote access is required, to use a secure method of access, such as a Virtual Private Network (VPN), ensuring the VPN is running the latest version of the software.
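Both flaws come down to two ASP.NET settings in web.config: `<trace>` (which backs the /trace.axd handler) and `<customErrors>` (which decides whether remote clients see the verbose error page). The following audit script is an added example, not code from Vertikal Systems or from the advisory; the embedded web.config is constructed to reproduce the two weak settings, and the `~/Error.aspx` redirect target in the hardened output is an assumed placeholder for whatever generic error page the application ships.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config reproducing the two exposures described in the
# advisory: remote tracing enabled (trace.axd reachable from any client) and
# custom errors turned off (verbose ASP.NET error pages shown to everyone).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <trace enabled="true" localOnly="false" pageOutput="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""


def _attr(elem, name, default):
    """Read an attribute, falling back to the ASP.NET default when the element is absent."""
    if elem is None:
        return default
    return elem.get(name, default)


def audit_web_config(xml_text):
    """Return (setting, finding) pairs for the exposures the advisory describes."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []

    # ASP.NET defaults: <trace enabled="false" localOnly="true" />
    trace = web.find("trace") if web is not None else None
    enabled = _attr(trace, "enabled", "false").lower() == "true"
    local_only = _attr(trace, "localOnly", "true").lower() == "true"
    if enabled and not local_only:
        findings.append(("trace", "trace.axd reachable from remote clients (CVE-2025-54459 pattern)"))
    elif enabled:
        findings.append(("trace", "tracing enabled; trace.axd reachable from localhost only"))

    # ASP.NET default: <customErrors mode="RemoteOnly" />
    ce = web.find("customErrors") if web is not None else None
    if _attr(ce, "mode", "RemoteOnly").lower() == "off":
        findings.append(("customErrors", "verbose error pages shown to remote clients (CVE-2025-61959 pattern)"))

    # debug="true" adds source-level detail to the error pages and trace output
    comp = web.find("compilation") if web is not None else None
    if _attr(comp, "debug", "false").lower() == "true":
        findings.append(("compilation", 'debug="true" adds stack detail to error output'))
    return findings


def harden_web_config(xml_text):
    """Return the config with tracing disabled, custom errors on and debug off."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")

    trace = web.find("trace")
    if trace is None:
        trace = ET.SubElement(web, "trace")
    trace.set("enabled", "false")
    trace.set("localOnly", "true")

    ce = web.find("customErrors")
    if ce is None:
        ce = ET.SubElement(web, "customErrors")
    ce.set("mode", "On")
    ce.set("defaultRedirect", "~/Error.aspx")  # assumption: a generic error page exists

    comp = web.find("compilation")
    if comp is not None:
        comp.set("debug", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for setting, finding in audit_web_config(WEAK_WEB_CONFIG):
        print(f"[{setting}] {finding}")
    print(harden_web_config(WEAK_WEB_CONFIG))
```

Running the audit against the hardened output returns no findings. On a production host the same three settings can also be forced server-wide, regardless of what any application's web.config says, with `<deployment retail="true" />` in the `system.web` section of machine.config, which turns tracing and debug off and custom errors on for every site on the server.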

The post Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution appeared first on The HIPAA Journal.

George E. Weems & Vibra Hospitals Announce Data Breaches

Data security incidents have recently been announced by George E. Weems Memorial Hospital in Florida, Vibra Hospital of Sacramento in California, the California-based plastic surgeon Michael R. Schwartz, MD, and the California-based biopharmaceutical company Travere Therapeutics.

George E. Weems Memorial Hospital

On October 20, 2025, George E. Weems Memorial Hospital in Apalachicola, Florida, started mailing notification letters to patients affected by a recent security incident involving unauthorized access to two employee email accounts. The intrusion was detected on May 12, 2025, and the investigation confirmed that the email accounts were subject to unauthorized access from May 6, 2025, to May 12, 2025.

The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information, including names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, account information, patient ID numbers, diagnoses and medical histories, provider names, dates of service, and health insurance information.

No evidence was found to indicate that any of the exposed information has been or will be misused, but as a precaution, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. George E. Weems Memorial Hospital said it had taken many precautions to protect the privacy of patient information and will continue to review and enhance its measures to ensure privacy and security. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Vibra Hospital of Sacramento

On October 3, 2025, Vibra Hospital of Sacramento in California started notifying patients about a security incident involving unauthorized access to six employee email accounts. Suspicious activity was identified within certain email accounts on or around March 13, 2025. Assisted by third-party cybersecurity experts, Vibra Hospital determined that the email accounts were accessed by an unauthorized third party from March 11, 2025, to March 22, 2025.

The review of the affected accounts was completed on August 4, 2025, when it was confirmed that protected health information had been exposed. The types of data involved vary from individual to individual and may have included names in combination with addresses, birth dates, Social Security numbers, dates of service, diagnoses, treatment information, physician/facility names, Medicare/Medicaid numbers, patient account numbers, and/or financial account numbers.

No evidence was found to indicate any misuse of the exposed data. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their financial accounts, free credit reports, and explanation of benefits statements, and as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Vibra Hospital has also taken steps to improve email security to prevent similar incidents in the future.

Michael R. Schwartz, MD, FACS

Michael R. Schwartz, MD, FACS, a plastic surgeon based in Westlake Village, California, has recently disclosed a security incident that involved unauthorized access to patient information. The intrusion was identified on or around August 25, 2025, and it was later confirmed that an unauthorized third party had remote access to a single computer from January 20, 2025, to August 26, 2025.

The review revealed that the threat actor may have accessed patients’ personal and protected health information, including names, addresses, email addresses, phone numbers, Social Security numbers, medical record numbers, and patient photographs. As a precaution, all office computers and servers have been replaced, security controls have been strengthened, and additional data security training has been provided to the workforce. The affected individuals have also been offered 12 months of complimentary identity theft protection services. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Travere Therapeutics

The San Diego, CA-based biopharmaceutical company, Travere Therapeutics, has recently notified the Massachusetts Attorney General about a recent security incident in which sensitive patient data may have been stolen. The notification letter does not include details of the incident, such as when it was detected, how long the unauthorized access lasted, or how many individuals have been affected, only that the information potentially compromised in the incident included names, addresses, phone numbers, email addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring services for 24 months.

The post George E. Weems & Vibra Hospitals Announce Data Breaches appeared first on The HIPAA Journal.

American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare

The American Hospital Association (AHA) has responded to a September 2025 request for information (RFI) from the Office of Science and Technology Policy (OSTP) on regulatory reform on artificial intelligence (AI) to promote innovation and adoption.

The Trump administration is committed to ensuring the United States achieves global dominance in AI and issued the RFI to obtain feedback from businesses and the public on current federal regulations that are hampering AI adoption and innovation. AI has tremendous potential in healthcare, from analyzing and interpreting medical images and aiding clinicians with decision-making to streamlining operations and easing the considerable administrative burden faced by providers. While AI tools have been adopted in healthcare, the AHA says hospitals and health systems have merely scratched the surface of the potential uses to support them and the patients they serve.

In order to accelerate innovation and adoption, the AHA believes regulations need to be eased. In its response, the AHA explained that around one-quarter of healthcare spending goes on administrative tasks, amounting to around $1 trillion annually. Feedback from member hospitals and health systems indicates that regulatory administrative burdens are contributing to the financial instability of many hospitals, around 40% of which are now operating with negative margins.

The AHA has already voiced opposition against further administrative burdens and costs related to the proposed update to the HIPAA Security Rule and has welcomed the Trump administration’s recognition that overly restrictive regulations lead to higher costs, hamper competition, and stifle innovation. AHA members have voiced their concern that excessive regulation of AI is likely to severely limit adoption and innovation. Given the potential for AI to improve efficiency and enhance the quality of care, a balance needs to be struck between regulation to ensure patient safety while incorporating sufficient flexibility to support innovation.

In the letter to the OSTP, Ashley Thompson, the AHA’s senior vice president of public policy analysis and development, explained that current administrative burdens have forced many hospitals to scale back patient services or close, and that excessive regulatory and administrative burdens have added unnecessary cost and reduced patient access to care. To ensure the full potential of AI in healthcare, the AHA makes four main recommendations for AI reform: leveraging existing policy frameworks to avoid redundancy; removing regulatory barriers; ensuring AI is used safely and effectively; and providing incentives and infrastructure investment to expand the use of AI in healthcare.

Current regulatory frameworks were developed around human clinicians and discrete medical device updates, which may create challenges if the same frameworks are applied to continuously updating AI tools; however, creating a new regulatory framework for AI could result in redundancy and inefficiency. The AHA recommends that any AI policies be synchronized with existing regulatory frameworks such as HIPAA, the HHS cybersecurity performance goals, FDA rules on premarket testing, and the CMS Medicare Advantage regulations.

The AHA recommends removing regulatory barriers that could stifle innovation, explaining that the current patchwork of state privacy laws and the 42 CFR Part 2 regulations has had a direct impact on the ability of hospitals to develop and deploy AI tools. The AHA has already responded to several problematic aspects of the proposed HIPAA Security Rule update, and recommended voluntary consensus-based cybersecurity practices such as the HHS cybersecurity performance goals, rather than further regulation. The AHA suggests the Trump administration work with Congress to address HIPAA preemption, recommending the enactment of full HIPAA preemption, as varying state laws are currently creating complications for its members. Further, the AHA supports the removal of all remaining requirements under the Part 2 regulations, which are hindering access to important health information and impacting the ability of substance use disorder (SUD) providers to leverage AI tools for care delivery.

Regarding patient safety, the AHA recommends keeping trained clinicians in the decision loop for algorithms that may impact access to care or care delivery, applying consistent privacy and security standards to third-party vendors, and implementing policies that include post-deployment standards for AI healthcare tools to ensure the ongoing integrity of those tools.

The AHA has also stressed that infrastructure needs to be improved to support the adoption of AI tools. For instance, hospitals in rural areas often lack reliable broadband and Wi-Fi access, which has proven to be a barrier to digital services and the adoption of AI tools. Incentives should be aligned to support AI adoption, as inadequate reimbursement has meant that many providers do not have the necessary resources to invest in the infrastructure to support the adoption of AI tools. The AHA also encourages cross-agency collaboration to develop training and potential grant funding opportunities to support patient educational efforts on digital health tools.

The post American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare appeared first on The HIPAA Journal.

Only 23% of Ransomware Victims Pay the Ransom

The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape, with larger enterprises facing increasingly targeted, high-cost attacks, whereas attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found the sweet spot, as while the ransom payments they receive are much lower, the attacks are easier to conduct, and a higher percentage of victims pay up. Attacks on larger companies require more effort, although attacks are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly resisting paying ransoms, having realized that there are few payment benefits, but has warned that these targeted attacks are likely to increase due to falling ransom payments.

Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.

When cybercriminals started conducting ransomware attacks, the focus was on file encryption, whereas double extortion tactics are now the norm, with data stolen prior to file encryption. While data can often be recovered from backups, the threat of publication of the data is often enough to see the ransom paid, in an effort to minimize reputation damage from an attack. According to Coveware, 76% of all attacks in Q3, 2025, involved data theft. There has been a growing trend of data theft-focused attacks, with some groups abandoning data encryption altogether. While extortion-only attacks are generally faster and stealthier, Coveware reports that data exfiltration attacks without encryption only have a ransom payment rate of 19% – a record low. That suggests that victims do not believe paying the ransom will result in their data being deleted.

The most common attack vectors frequently change. Phishing and social engineering were the most common method of initial access in Q3, 2024, whereas in Q3, 2025, there was a sharp increase in remote access compromise, with phishing/social engineering dropping to around 18% of attacks, almost on a par with the exploitation of software vulnerabilities. Remote access compromise was behind almost 50% of attacks in Q3. Coveware reports that the distinction between intrusion types such as remote access compromise and social engineering is becoming increasingly blurred. For example, attacks impersonating SaaS support teams or abusing helpdesk processes trick individuals into providing remote access. “The modern intrusion no longer begins with a simple phishing email or an unpatched VPN. It starts with a convergence of identity, trust, and access across both people and platforms,” explained Coveware.

The two most active ransomware groups in Q3 – Akira (34%) and Qilin (10%) – are both focused on high-volume attacks that yield relatively low rewards. While a logical response to fewer victims paying a ransom is to conduct even more attacks, Coveware believes it is more likely to trigger more targeted attacks on companies that have the means to pay large ransoms. As security postures have improved, attacks are becoming harder to pull off. One potential consequence is that attackers will focus once again on targeting employees to trick them into providing access, as well as recruiting insiders. Coveware has identified several attacks where employees have been bribed into providing remote access. In one case, the Medusa ransomware group attempted to recruit an employee of a large organization. Medusa promised to pay the employee 15% of any ransom generated if network access through the employee’s computer was provided.

While healthcare remains a lucrative target for ransomware groups, only 9.7% of attacks involving Coveware’s services affected healthcare organizations, putting the industry in joint second place with software services. Professional services was the most commonly attacked sector in Q3, accounting for 17.5% of attacks.

The post Only 23% of Ransomware Victims Pay the Ransom appeared first on The HIPAA Journal.