On average, businesses with 500 or more employees are losing an average of $19.5 million a year due to insider incidents, up 20% since 2023, according to the Cost of Insider Risks 2026 Report from DTEX, a provider of risk-adaptive security and behavioral intelligence. The highest insider costs were in the healthcare and pharmaceutical industries, which averaged $28.8 million in annual losses per company.

The report is based on independent research conducted by the Ponemon Institute on organizations in North America, EMEA, and Asia-Pacific with between 500 and 75,000 employees. The research includes interviews with 8,750 IT and IT security professionals in 354 organizations that experienced one or more material insider events. Organizations represented in the data experienced almost 7,500 insider incidents, with an average of 25 incidents per company.

DTEX breaks down insider incidents into three categories: malicious, non-malicious, and outsmarted. Malicious insider incidents include employees causing harm through espionage, sabotage, workplace violence, unauthorized disclosures, IP theft, and fraud. Non-malicious incidents include causing harm due to genuine mistakes, carelessness, or inattentiveness. The outsmarted category includes employees being reasonably outmaneuvered by an attack or adversary, such as a phishing attack.

Malicious insiders accounted for 27% of incidents ($4.7 million), and 20% of incidents ($4.5 million) were due to employees being outsmarted. By far the highest costs were due to non-malicious incidents caused by negligence. These incidents include careless mistakes that expose sensitive data and employees ignoring IT warnings. These incidents accounted for 53% ($10.3 million) of insider losses per company, up 17% year-over-year.

The increase in non-malicious insider losses has been driven by a rise in shadow AI incidents – the use of AI-based tools by employees without the knowledge or consent of IT departments. The other main losses due to negligence were the use of personal webmail and file-sharing sites.

Shadow AI-related incidents include employees uploading sensitive internal documents to AI tools such as ChatGPT, using AI notetakers that produce publicly accessible recordings and summaries containing sensitive information, and the use of AI browsers that enable access to malicious sites, AI-assisted torrenting, and NSFW content generation. The use of AI browsers and agents for performing tasks is also a major risk, as these tools are often granted access to corporate systems and bypass traditional controls and logging. While businesses can take action to prevent shadow AI use by blocking access to popular AI tools such as ChatGPT, in practice, it has little effect, as it just encourages employees to find other AI tools, which may carry even greater risks.

AI adoption has greatly accelerated; however, visibility and governance have failed to keep pace. Employees are using AI tools to improve productivity, but their behaviors are routinely exposing sensitive data. DTEX found that organizations routinely lacked insight into the AI tools that were being used by employees, the data that was entered into these tools, and the length of time that AI-generated artifacts remained accessible.

The interviews highlighted considerable concern around AI, with almost three-quarters (73%) of interviewed IT staff believing AI is creating invisible data exfiltration paths, and 44% believe malicious use of AI agents significantly or moderately increases the risk of data theft. Fewer than one in five respondents (18%) said they have fully integrated AI governance into their insider risk programs.

The report shows there has been an increase in the adoption of defensive AI, with 42% of organizations confirming that they have incorporated defensive AI into their insider risk management programs, and 71% of respondents believe behavioral intelligence is essential for combating insider incidents.

While the cost of insider incidents has grown, DTEX reports that a record low has been set for time to contain an incident. The latest report shows the average time to contain an incident has fallen from 86 days in 2023 to 67 days in 2025. The survey also shows a significant ROI on mature insider risk management programs, which allow organizations to prevent at least 7 insider incidents a year, saving them an average of $8.6 million in avoided breach costs.

“The results show real and meaningful progress at organizations with comprehensive and disciplined insider risk programs. Mature programs combined with modern tooling are clearly helping to prevent incidents before they occur. At the same time, the cost of insider risk continues to rise as their impact becomes more severe,” said DTEX CEO Marshall Heilman. “That contrast creates a powerful opportunity as AI becomes embedded across the workforce. Today, too few organizations classify AI agents as equivalent to human insiders, even as those agents operate with delegated authority, persistence, and reach. As a result, insider risk management and AI agent security are quickly converging. The same behavioral visibility and accountability that protect against insider risk must extend to AI systems. Organizations that apply those lessons will be better positioned to scale AI securely without sacrificing resilience in 2026 and beyond.”

The post Soaring Insider Breach Costs Driven by Shadow AI Use appeared first on The HIPAA Journal.

North Korean state-sponsored hackers are targeting U.S. healthcare organizations and non-profits and deploying Medusa ransomware, according to a joint investigation by Symantec and the Carbon Black Threat Hunter Team.

A wave of recent attacks has been linked to the Lazarus Group, an umbrella term covering multiple cyber threat actors linked to the Reconnaissance General Bureau (RGB) of the North Korean government. The Lazarus Group engages in attacks for espionage purposes, as well as disruptive and destructive attacks on targets primarily in South Korea, but also engages in financially motivated campaigns, often targeting organizations in the United States.

Medusa emerged in 2023 as a ransomware-as-a-service (RaaS) operation, which is believed to be run by a cybercrime group called Spearwing. Affiliates are recruited to conduct attacks using the Medusa encryptor and infrastructure in exchange for a percentage of any ransom payments they generate. Medusa actors engage in double extortion, stealing and encrypting data. A ransom must be paid to obtain the decryption keys and to prevent the leaking or sale of stolen data. Medusa often auctions off stolen data if the ransom is not paid, leaking data that has not been sold.

While North Korean state-sponsored hackers are known to have used Maui and Play ransomware in their financially motivated attacks, Symantec and Carbon Black Threat Hunter Team uncovered evidence that the Lazarus Group has started using Medusa in its ransomware campaigns. They identified an attack on a target in the Middle East, plus four attacks on healthcare organizations and non-profits in the United States since November 2025. U.S. victims include a non-profit mental health service provider and an educational facility for autistic children. Since November 2025, when the first Medusa ransomware attacks were attributed to the Lazarus Group, the average ransom demand is $260,000.

A Lazarus subgroup known as Stonefly (aka Andrael) is believed to be one of the groups involved in the attacks. Stonefly has previously focused on espionage attacks on high-value targets; however, for the past five years, the group has engaged in ransomware attacks, often against hospitals and other healthcare providers. The U.S. Department of Justice has indicted a suspected member of the group, the North Korean Rim Jong Hyok, on charges related to ransomware attacks on U.S. healthcare providers. Rim is alleged to be linked to the RGB and, along with other members of the group, is thought to be involved in ransomware attacks to raise funds for the group’s espionage activities.

Symantec and the Carbon Black Threat Hunter Team have not been able to attribute the attacks to any specific subgroup of Lazarus, but have found sufficient evidence confirming that Lazarus is behind the attacks. Symantec and Carbon Black have tracked more than 366 ransomware attacks involving the Medusa encryptor, although the group has claimed attacks on more than 500 organizations, including more than 40 healthcare organizations. Symantec and Carbon Black have shared indicators of compromise (IoCs) associated with the attacks, along with the range of tools used by the Lazarus group in its current ransomware campaigns.

The post North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector appeared first on The HIPAA Journal.

There has been a sharp increase in data-only extortion incidents, with ransomware gangs increasingly opting not to encrypt files, instead simply breaching networks, exfiltrating sensitive data, and demanding a ransom payment to prevent the data from being leaked or sold.

Ransomware started to become popular with threat actors in the early to mid-2010s. Attacks involved breaching networks and using robust encryption to prevent data access. The emergence of untraceable cryptocurrencies helped fuel an explosion in ransomware attacks. In the mid-2010s, encryption alone proved to be sufficient, with the majority of victims opting to pay to recover their data. By 2020, double extortionbecame more prevalent, where data is stolen prior to file encryption. A ransom payment is required to obtain the decryption keys and prevent the publication or sale of stolen data. Double extortion fast became the norm, with the majority of ransomware attacks involving data theft and extortion.

The rapid rise in ransomware attacks forced organizations to address their data backup policies. While attacks may involve deletion or encryption of backups, victims are now much more likely to have offline backup copies of critical data that they can use to recover from the encryption with minimal data loss. It is often the threat of sale or leaking of exfiltrated data that is the primary reason for paying a ransom, as organizations seek to limit reputational damage.

Data encryption increases the chances of detection, attacks take longer, and fewer victims are paying ransoms to recover encrypted data. Threat actors understand that the reputational harm caused by data leaks is often enough, and some groups have abandoned encryption altogether. For example, PEAR (Pure Extortion and Ransom), a newly formed threat group that emerged in 2025, has exclusively adopted data-only extortion, as has the Silent Ransom group.

The recently published Arctic Wolf 2026 Threat Report confirms that ransomware attacks continue to be lucrative for threat actors. Ransomware attacks accounted for 44% ofArctic Wolf’s incident response (IR) cases from November 2024 to November 2025, exactly the same percentage as the previous reporting period. While there have been significant law enforcement operations targeting the most prolific ransomware groups – LockBit, ALPHV/BlackCat, and BlackSuit – those actions have had little effect on reducing the volume of attacks, and have simply shifted the ransomware ecosystem. There has been a proliferation of smaller groups, and some groups have stepped up attack volume to fill the vacuum.

Arctic Wolf’s report highlights the growing trend of data extortion-only attacks, which increased elevenfold between November 2024 and November 2025.  Data extortion-only attacks increased from 2% of Arctic Wolf’s IR cases in the previous reporting period to 22% in the current reporting period. “We’re seeing a clear pivot in attacker behavior. As organizations improve their ability to recover from encryption events, some threat actors are skipping ransomware altogether and moving straight to data theft and extortion,” said Kerri Shafer-Page, VP of Incident Response, Arctic Wolf. “From an incident response perspective, this shift fundamentally changes how impact is assessed and managed.”

Arctic Wolf said the increase in data extortion-only attacks shows that threat groups are willing and able to evolve when needed, and attributes the rise in attacks to organizations being better prepared and able to recover quickly from traditional encryption events. Arctic Wolf reports that ransomware actors are maturing their affiliate ecosystems and are now operating very much like business enterprises, with structured affiliate programs, tiered revenue models, and operational support to attract and retain a broader pool of cybercriminals.

Arctic Wolf also reports a prominent trend of diversification of ransomware-as-a-service (RaaS) offerings, where, in addition to a percentage of any ransom payments, affiliates are offered data extortion and access monetization, allowing them to profit from stolen data and compromised credentials without having to encrypt files with ransomware. For the time being, at least, Arctic Wolf has not observed any significant increase in activity from groups with these offerings. What has had an immediate impact is groups absorbing affiliates from other RaaS programs, such as Qilin, which recruited affiliates from the RansomHub operation when it shut down, and rapidly accelerated attacks and became the most prolific threat group.

Aside from ransomware, Business Email Compromise (BEC) continues to be favored by hackers, accounting for 26% of Arctic Wolf’s IR cases, although the targets were primarily finance and legal firms, rather than healthcare organizations. While phishing is the leading initial access vector for BEC attacks, other hacking incidents mostly involved attacks on remote access tools, remote monitoring and management software, and VPNs. These access vectors were used in around two-thirds of non-BEC IR cases, up from 24% three years ago. The exploitation of vulnerabilities has fallen from 26% of IR cases in the previous reporting period to just 11% in the current reporting period.

The post Data Shows Elevenfold Increase in Data-only Extortion Attacks appeared first on The HIPAA Journal.

A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.

Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.

The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.

There was a surge in activity by the most prolific ransomware group – Qilin – in 2025, which claimed a total of 1,115 disclosed and undisclosed attacks. Qilin was behind two of the most impactful healthcare ransomware attacks of the year – ApolloMD and Covenant Health. The ransomware attack on ApolloMD was detected in May 2025, yet it took until February 2026 to confirm that the protected health information of more than 626,500 patients was compromised.

The attack on Covenant Health also occurred in May 2025. Initial access was gained on May 18, 2025, and, as was the case with the attack on ApolloMD, sensitive data was rapidly identified and exfiltrated. The Covenant Health attack was detected on May 26, 2025, when the affected systems were shut down to contain the incident. Disruption continued into June, and the attack was initially disclosed a month later, although the initial breach report suggested that the protected health information of just 7,864 individuals was compromised in the incident. As the investigation progressed, it became clear that data theft was far more extensive. In December 2025, when the investigation concluded, Covenant Health confirmed that 478,188 patients had been affected.

Akira was the second-most active group, claiming a total of 776 victims in 2025, with the third most active group – Play – accounting for 405 ransomware attacks. Black Fog identified the emergence of large-scale, AI-enabled attacks last year, when a ransomware group hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – the first time that an AI-led ransomware campaign has been identified.

“The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization, or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt,” Dr Darren Williams, Founder and CEO of BlackFog said. “The disruption they cause is only part of the story. Attackers aren’t just breaking in – they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations’ most sensitive information.”

The post Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY appeared first on The HIPAA Journal.

The Federal Bureau of Investigation (FBI) has launched a campaign to improve the resilience of industry, government, and critical infrastructure against cyber intrusions. Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) is tied to the National Cyber Strategy and the FBI Cyber Strategy, which views industry, government, and critical infrastructure as partners in detecting, confronting, and dismantling cyber threats.

“Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.” Operation Winter Shield provides a practical roadmap for securing information technology and operational technology environments, hardening defenses, and reducing the attack surface. The campaign has kicked off with 10 recommendations developed with domestic and international partners to improve defenses against current cyber threats. The recommendations reflect current adversary behavior and common security gaps identified in recent investigations of cyberattacks.

The ten recommendations cover high-impact measures for reducing cyber risk by improving resilience and reducing the attack surface. Over the following 10 weeks, the FBI will publish further information and guidance on these cybersecurity measures:

1. Adopt phishing-resistant authentication – Many data breaches start with credentials stolen in phishing attacks.
2. Implement a risk-based vulnerability management program – Threat actors often exploit known, unpatched vulnerabilities in operating systems, software, and firmware for initial access.
3. Track and retire end-of-life tech on a defined schedule – End-of-life software and devices are often targeted as they no longer receive security updates.
4. Manage third-party risk – Security is only as good as the weakest link, which is often the least-protected vendor with network or data access.
5. Protect and preserve security logs – Security logs are essential for detection, response, and attribution, and are often deleted by threat actors to hide their tracks.
6. Maintain offline immutable backups and test restoration – Resilience depends on backups and tested recovery.
7. Identify inventory and protect internet-facing systems and services – Eliminate any unnecessary exposure and reduce the attack surface.
8. Strengthen email authentication and malicious content protections – Email is one of the most common initial access vectors and must be adequately secured.
9. Reduce administrator privileges – Persistent administrative access enables rapid escalation when credentials are compromised.
10. Exercise incident response plans with all stakeholders – Testing the response plan will allow organizations to respond rapidly and reduce the impact of a successful compromise.

Source: Federal Bureau of Investigation.

The post FBI Urges Organziations to Take 10 Actions to Improve Cyber Resilience appeared first on The HIPAA Journal.

An audit of a large Southeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified security weaknesses in internet-facing applications, which could potentially be exploited by threat actors for initial access. Similar security weaknesses are likely to exist at many U.S. hospitals. The aim of the audit was to assess whether the hospital had implemented adequate cybersecurity controls to prevent and detect cyberattacks, if processes were in place to ensure the continuity of care in the event of a cyberattack, and whether sufficient measures had been implemented to protect Medicare enrollee data.

The audited hospital had more than 300 beds and was part of a network of providers who share patients’ protected health information for treatment, payment, and healthcare operations. The hospital had adopted the HITRUST Common Security Framework (CSF) version 9.4 as its main cybersecurity framework, used that framework for regulatory compliance and risk management, and had implemented physical, technical, and administrative safeguards as required by the HIPAA Rules.

HHS-OIG reviewed the hospital’s policies and procedures to assess its cybersecurity practices concerning data protection, data loss prevention, network management, and incident response, and interviewed appropriate staff members to gain further cybersecurity and risk mitigation insights. HHS-OIG conducted penetration tests and external vulnerability assessments on four of the hospital’s internet-facing applications.

The hospital had implemented cybersecurity controls to protect Medicare enrollee data and ensure the continuity of care in the event of a cyberattack, and the cybersecurity controls detected most of HHS-OIG’s simulated cyberattacks; however, weaknesses were found that allowed the HHS-OIG to capture login credentials and use them to access the account management web application, and a security weakness in its input validation controls allowed manipulation of the application.

HHS-OIG sent 2,171 phishing emails, but only the last 500 were blocked. A total of 108 users clicked the link in the email (6% click rate), and one user entered their login credentials in the HHS-OIG phishing website. The captured login credentials allowed HHS-OIG to access the account, although it did not appear to contain patient information. Once the web application was accessed, HHS-OIG was able to view the user’s devices associated with the account, as well as a list with options to deactivate multifactor authentication and add/remove devices from the account. If it were a real cyberattack, a threat actor could use the access for a more extensive compromise. HHS-OIG said strong user identification and authentication (UIA) controls for the account management web application had not been implemented; however, the click rate and login rate were relatively low, therefore, no recommendations were made regarding its anti-phishing controls.

Another internet-facing application was found to lack strong input validation controls, which made the application vulnerable to an injection attack. An attacker could inject malicious code into weak input fields, alter commands sent to the website, and access sensitive data or manipulate the system. While the hospital had conducted vulnerability scans and third-party penetration tests, the vulnerability failed to be identified. Further, the web application did not have a web application firewall for filtering, monitoring, and blocking malicious web traffic, such as injection attacks.

HHS-OIG made four recommendations: Implement strong user identification and authentication controls for the account management web application; periodically assess and update user identification and authentication controls across all systems; assess all web applications to determine if an automated technical solution, such as a web application firewall, is required; and utilize a wider array of testing tools for identifying vulnerabilities in applications, such as dynamic application testing tools, static application testing tools, and manual, interactive testing.

HHS-OIG did not name the audited hospital due to the risk that it could be targeted by threat actors. Further audits of this nature will be conducted on other healthcare providers to determine whether similar security issues exist and if there are any opportunities for the HHS to improve guidance and outreach to help hospitals improve their security controls.

“This report highlights the need for healthcare organizations to adapt their security programs to reflect a fundamental shift: sensitive data now resides not just in on-prem, internal apps, but also in web-based SaaS applications,” Russell Spitler, CEO of Nudge Security, told the HIPAA Journal. “Traditional network-focused security controls cannot adequately protect cloud applications where data flows across organizational boundaries. This makes identity security controls—particularly MFA and SSO—essential for protecting this dynamic attack surface.”

Spitler suggests “healthcare organizations should take a systematic approach that prioritizes comprehensive visibility and strong authentication controls across their entire application ecosystem.” Key steps recommended by Spitler include:

• Conducting a comprehensive inventory of all SaaS and web applications to understand the full picture of the organization’s attack surface
• Prioritizing MFA implementation for applications with privileged access or sensitive data, starting with internet-facing systems
• Deploying SSO solutions that can enforce MFA centrally while improving user experience and reducing password-related security risks
• Using conditional access policies that require MFA for any access from outside the corporate network or from unmanaged devices
• Regularly testing authentication controls through penetration testing and phishing simulations, as HHS OIG did in this audit

The post HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital appeared first on The HIPAA Journal.

Insider threats are one of the leading causes of data breaches in healthcare, more so than in many other industry sectors. A 2018 study by Verizon found insider incidents outnumbered incidents involving external parties, with 56% of healthcare data breaches due to insiders and 43% due to external actors. A study by the cybersecurity firm Metomic found that the percentage of healthcare organizations reporting no insider incidents has declined from 34% in 2019 to 24% in 2024.

Insider incidents can stem from a lack of knowledge about HIPAA or disregard for patient privacy, such as when healthcare employees snoop on medical records. Negligent insiders can easily expose patient data by failing to follow the organization’s policies and procedures, and malicious insiders steal patient information for financial gain or revenge. Copying patient information to take to a new practice or employer is also common.

Due to the high risk of insider threats in healthcare and other critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging critical infrastructure organizations to take decisive action against insider threats, and has published a new resource specifically developed for critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments to help them assemble a multi-disciplinary insider threat management team. The guidance includes proven strategies for proactively preventing, detecting, mitigating, and responding to insider threats.

Insiders have institutional knowledge and legitimate access rights, allowing them to easily access and steal sensitive data, and detecting insider breaches can be a challenge. Insider incidents can cause significant harm to healthcare organizations, including reputational damage, revenue loss, and harm to people and key assets. “Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience- demanding proactive measures to detect, prevent, and respond,” explained CISA.

“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” said Acting CISA Director Dr. Madhu Gottumukkala. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”

Combating insider threats requires an insider threat mitigation program that includes physical security, cybersecurity, personnel awareness, and partnerships with the community, and assembling a multi-disciplinary insider threat management team is a critical part of that process. The threat management team should oversee the insider threat management program, monitor for potential threats, and act quickly to mitigate the consequences of negligent and malicious insider actions. With an effective insider threat management team in place, organizations can reduce the damage and frequency of insider threat incidents.

A threat management team will be far more effective than any one individual, with teams able to be scaled and adjusted in scope and capability as the organization matures and evolves. Having a range of insider threat subject matter experts will allow the organization to obtain varied perspectives and generate more accurate and holistic threat assessments. Team members should include threat analysts, general counsel, human resources, the CISO, CSO, as well as external parties, including investigators, law enforcement, and medical or mental health counselors.

In the guidance, CISA offers a framework consisting of four stages – Plan, Organize, Execute, and Maintain (POEM). The Plan stage allows the organization to structure and scope the role of the threat management team. The Organize phase involves the team guiding employee awareness, creating a culture of reporting, and providing the necessary support to relevant departments to identify potential insider threat activity. The Execute phase involves upholding the insider threat mitigation program, and the Maintain phase is concerned with developing the threat management team to ensure it remains effective over time.

“Insider threats can disrupt operations, compromise safety, and cause reputational damage without warning. Organizations with mature insider threat programs are more resilient to disruptions, should they occur. People are the first and best line of defense against malicious insider threats, and organizations should act now to safeguard their people and assets,” said CISA Executive Assistant Director for Infrastructure Security Steve Casapulla.

The post CISA Issues Guidance for Proactively Defending Against Insider Threats appeared first on The HIPAA Journal.

An unwanted new record was set in 2025 for data compromises, which increased by 4% from the record-breaking total in 2024, according to the Identity Theft Resource Center (ITRC). The ITRC is a non-profit organization dedicated to helping victims of data breaches, scams, and identity theft. ITRC also offers education to help consumers protect themselves against identity theft and fraud. ITRC tracks data compromises, which include data breaches, data leaks, and accidental exposures of sensitive consumer data.

The record total of 3,332 data compromises in a year represents a 79% increase in just five years, and the third successive year when more than 3,000 data compromises have been identified. While the historic high is concerning, there is at least some good news, as the number of individuals affected by data compromises has fallen sharply to the lowest annual total since 2014. Across the 3,332 data compromises, 278.8 million individuals were affected, down from 2024’s shockingly high total of 1.36 billion. The relatively low total is due to a lack of mega data breaches, which have been a regular feature over the past few years.

An ITRC poll of 1,000 U.S. consumers revealed 80% received at least one breach notice in the past year, and two-fifths received between three and five different notices. Out of the individuals who received a notice about a data breach, 88% said they experienced one or more negative consequences, such as an account takeover, an increase in spam emails and phishing attempts, or mental health issues.

Worryingly, the frequency with which data breach notices are being received is leading to breach fatigue. Out of the people who did nothing after receiving a notice, 48.3% said they had breach fatigue from so many notices, 46.1% said they had feelings of helplessness because they felt they couldn’t do anything about it, 41.6% said they did nothing because they felt from the language of the notification that the breach was not serious to warrant any action, and 36% said they didn’t trust the notice and thought it was a scam.

Out of the 3,332 data compromises, 2,928 were data breaches, involving 232,726,796 victim notices, 24 were data exposures involving 527,894 victim notices, and there were 366 unknown compromises, involving 1,584,024 victim notices. Four of the data compromises involved previously compromised data. The largest confirmed data compromises of the year (based on victim notices) occurred at PowerSchool (71.9 million), AT&T (44 million), Aflac (22.7 million), Prosper Funding (17.6 million), and Conduent Business Services. The number of individuals affected by the Conduent data breach has yet to be confirmed, but it was a massive data breach, affecting 14.7 million individuals in Texas alone.

Financial services remained the most targeted sector, with 739 confirmed data compromises, and the healthcare sector took second spot, with 534 confirmed compromises, down slightly from 2024’s 537 compromises. Professional services was the third most targeted sector with 478 compromises, followed by manufacturing (299) and education (188).

ITRC draws attention to a five-year trend of threat actors increasingly targeting static identifiers, which facilitate long-term fraud. Social Security numbers were involved in two-thirds of data breach reports in 2025, with one-third involving either bank accounts or driver’s license numbers. Between 2021 and 2025, the number of compromises involving Social Security numbers almost doubled, driver’s license data breaches increased by 139% over the same period, and bank account information breaches increased by 168%.

ITRC warns of the increasing risk from supply chain data breaches, which in the space of a year almost doubled from 660 affected entities in 2024 to 1,251 affected entities in 2025, despite the number of attacks only increasing by one year-over-year. From 2021 to 2025, supply chain breaches doubled and now account for 30% of all breaches involving at least one third party.

For several years, ITRC has highlighted the growing trend of breached entities failing to provide consumers with adequate information about a data breach, preventing them from making an informed decision about the amount of risk they face from their data being exposed. For instance, a healthcare provider states in a breach notice that there has been a data incident involving protected health information, which was potentially subject to unauthorized access, when the reality is that a ransomware group has not only exfiltrated their data, but also posted the data on the dark web, where it can be downloaded free of charge by anyone.

ITRC said that in 2020, almost 100% of data breach notifications provided the root cause of the data breach in their notices, whereas in 2025, only 30% did. In the space of a year, the percentage of notices withholding the attack vector details increased from 65% in 2024 to 70% in 2025. “Businesses should prioritize transparency over liability mitigation,” urged James Lee, ITRC president.

The post U.S. Data Compromises Hit Record High in 2025 appeared first on The HIPAA Journal.