Verizon: Healthcare Sector Facing Sustained, Multi-vector Attacks – The HIPAA Journal
Verizon has published its 2026 Data Breach Investigations Report (DBIR), which shows that the healthcare sector continues to be targeted by cybercriminal groups. The sector is contending with sustained, multi-vector attacks that combine ransomware, exploitation of unpatched vulnerabilities, and human error. Whatever the initial cause, these attacks put patient privacy, safety, and care at risk.
Verizon tracked 1,492 healthcare incidents for its 2026 report, including 1,438 confirmed data disclosures. The majority were ransomware-driven system intrusions, achieved through several initial access vectors: exploitation of vulnerabilities (20%), phishing (14%), stolen credentials (11%), and employee errors (11%). Threat actors are being given far too large a window in which to exploit known vulnerabilities. Verizon found that in 2025 only 26% of critical vulnerabilities were fully remediated, with a median time to resolution of 43 days. In healthcare, where complex legacy systems are the norm and patching is harder, that window tends to be wider still.
While external actors accounted for the majority of incidents, insider breaches remain common in healthcare. Internal actors were behind 19% of breaches. As Verizon notes, human error continues to be a chronic source of breaches. The human element was involved in 54% of incidents, including misconfigurations, misdirected communications, the loss/theft of unencrypted devices, and poor cyber hygiene.
The most common human-related cause of healthcare data incidents was misdelivery, which accounted for around 40% of such incidents, followed by loss incidents at around 25% and misconfigurations at around 20%. Greater investment in cybersecurity will help to address the 81% of breaches due to external actors, but security awareness training plays an equally important part in preventing data breaches. Employees need to be made aware of security fundamentals and taught the importance of good cyber hygiene. Social engineering was the third main cause of healthcare breaches in 2025, with most of those breaches due to phishing, followed by pretexting; both techniques need to be covered in depth in training courses.
Around 32% of healthcare data breaches involved third parties, so applying the security fundamentals internally is only part of the solution. Healthcare organizations must also bake security requirements into their contracts with business associates and suppliers. The proposed update to the HIPAA Security Rule, for which a final rule is expected at some point this year, should help to reduce the number of third-party breaches through more prescriptive security requirements for business associates and greater vendor oversight by covered entities to confirm that the required security measures are actually implemented.
Each year, the number of real-world security incidents analyzed by Verizon increases, and this year was no exception. The report covers more than 31,000 incidents, including 22,000 confirmed data breaches. GenAI tools are increasingly being used by threat actors to accelerate attacks and increase their volume. GenAI is being used at several stages of an attack, including choosing targets, researching vulnerabilities, developing malware, gaining an initial foothold in networks, and making campaigns more efficient and effective.
Overall, across all sectors, system intrusions remain the top breach pattern, with ransomware the primary driver. Last year, stolen credentials were the top initial access vector, but this year that long-standing vector has been overtaken by vulnerability exploitation. This is the first time in the 19 years Verizon has produced the DBIR that vulnerability exploitation has topped the list. Verizon attributes the change to attackers' use of AI, which has shortened the time needed to exploit newly disclosed vulnerabilities. Defenders therefore have far less time to remediate: where the gap between disclosure and exploitation used to be measured in months, vulnerabilities are now being exploited within hours.
Ransomware continues to be a key driver of intrusions. Ransomware-related intrusions grew in volume again and now account for 48% of all breaches, up from 44% last year, although the percentage of victims paying a ransom is decreasing, as is the median ransom payment. In the past year, 69% of victims chose not to pay the ransom, and the median ransom payment fell from $150,000 to $139,875.
Awareness of email phishing has grown, making that technique less successful. Threat actors have responded by pivoting to mobile-centric social engineering such as text-message phishing (smishing) and voice phishing (vishing), where the success rate is 40% higher than for traditional email phishing. Verizon also warns that the easy availability of GenAI tools is creating a significant data security risk. Employees are increasingly using GenAI tools without the knowledge or approval of the IT department, and this rapid growth in shadow GenAI use creates a significant risk of data exfiltration through unapproved platforms. That is particularly concerning for regulated sectors such as healthcare, where the data pasted into such tools may include protected health information.
“While the velocity of cyber threats—driven by AI and faster vulnerability exploitation—is increasing, the foundational principles of security and strong risk management remain the most effective defense,” said Daniel Lawson, SVP Global Solutions, Verizon Business. “The DBIR reinforces that these fundamentals still hold as organizations strive for resilience.”
HHS Announces Restructuring of Office for Civil Rights – The HIPAA Journal
The U.S. Department of Health and Human Services (HHS) has announced that it is restructuring its Office for Civil Rights (OCR), which will be split into three divisions, each with specific responsibilities. HHS has recreated the Conscience and Religious Freedom Division (CRFD), which was established in January 2018 under the first Trump administration and operated until March 2023, when it was disbanded by the Biden administration. The Civil Rights Division has also been reestablished; under the Biden administration, both divisions had been merged into a single Policy Division.
CRFD is tasked with raising awareness of religious freedom laws and ensuring religious liberty, combating antisemitism and anti-Christian bias, and enforcing conscience protections. OCR enforces civil rights laws, including those that prohibit discrimination on the basis of race, color, national origin, sex, disability, age, or membership in patriotic youth organizations. These responsibilities will be handled by the Civil Rights Division, which will focus on addressing race-based discrimination in a color-blind manner and restoring biological truth.
These areas, which were deprioritized under the Biden administration, have been a focus of the Trump administration during its second term. "This reorganization… strengthens the Office for Civil Rights' ability to defend religious liberty, enforce conscience protections, and combat unlawful discrimination," said HHS Secretary Robert F. Kennedy, Jr. "Under President Trump's leadership, HHS will defend these rights with clarity, accountability, and resolve."
The Health Information Privacy, Data, and Cybersecurity Division completes the trio and is tasked with HIPAA enforcement, including investigations of breaches of unsecured protected health information and of health information privacy complaints, both of which have soared in recent years. This enforcement division will continue to rely on centralized intake and field office execution.
Early in the current term, there was a major reduction in HHS staffing as the Department of Government Efficiency (DOGE) targeted the department. HHS lost around 20,000 staff members through a combination of eliminated positions, early retirements, and voluntary redundancies, and several field offices were closed. OCR has been struggling to operate with a limited budget, an increasing workload, and a smaller workforce than in previous years. OCR currently has 116 full-time staff, and while the fiscal year budget would increase the office's workforce to 144 full-time staff members, that is still significantly fewer than in the early 2020s. HHS has confirmed that the restructuring will not involve any further reductions in OCR's workforce.
Where OCR's resources will be focused remains to be seen. Large healthcare data breaches increased in 2025, and complaint volume continues to grow, stretching OCR's resources for health information privacy investigations further still. Healthcare data breaches continue to occur in high numbers, yet the speed at which breach reports are verified and added to OCR's data breach portal has slowed considerably. OCR had to contend with a lengthy government shutdown last year, during which all but essential work came to a halt. Even accounting for that disruption, the pace has slowed, suggesting that health information privacy investigations are a lower priority under the current administration than they were previously.
OCR is still working on an update to the HIPAA Privacy Rule, for which a Notice of Proposed Rulemaking (NPRM) was issued during President Trump's first term, and on an update to the HIPAA Security Rule, for which the NPRM was published in the Federal Register in January 2025 under the Biden administration. OCR's provisional timetable called for a final rule on the HIPAA Security Rule update in May 2026, but beyond that it has remained tight-lipped about when these regulatory changes will be finalized. They may be delayed further if resources are diverted to the CRFD and the Civil Rights Division.
“This reorganization reinstitutes a structure that rightly prioritizes civil rights and conscience and religious freedom alongside health information privacy and security,” said HHS Office for Civil Rights Director Paula M. Stannard. “All three areas are deserving of subject-matter expertise and distinct senior executive leadership for OCR to best serve the American people.” In the announcement about the restructuring, OCR said it will publish further information in the Federal Register later this month.