The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.

Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record.  While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.

In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).

Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).

The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.

The post ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025 appeared first on The HIPAA Journal.

The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.

Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record.  While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.

In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).

Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).

The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.

The post ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025 appeared first on The HIPAA Journal.

A recent survey of U.S. healthcare IT and cybersecurity professionals found that 93% of the surveyed organizations had experienced at least one cyberattack in the past 12 months, and 72% of those reported that the attacks caused disruption to patient care. The negative impacts were typically delayed intake, increased hospital stays, and increased complications from medical procedures, with 29% of respondents reporting an increase in mortality rate. The problem is getting worse, as last year, 69% of healthcare organizations said cyberattacks had negatively impacted patient care.

The survey was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 677 healthcare IT and cybersecurity professionals in the United States. The findings are published in Proofpoint’s report: The 2025 Study on Cyber Insecurity in Healthcare, which looks specifically at the effectiveness of reducing human-targeted cybersecurity risks in the healthcare industry and the cost and impact of cyberattacks on patient safety and care.

Out of the 93% of organizations that experienced a cyberattack, 43 attacks were experienced on average, up from 40 last year. The survey showed that 96% of healthcare organizations experienced at least two incidents involving data loss or exfiltration of patient data, with the majority of respondents reporting that those incidents had a negative impact on patient care.

“Patient safety is inseparable from cyber safety,” said Ryan Witt, vice president of industry solutions at Proofpoint. “This year’s report highlights a stark reality: Cyber threats aren’t just IT issues, they’re clinical risks. When care is delayed, disrupted, or compromised due to a cyberattack, patient outcomes are impacted, and lives are potentially put at risk.”

The report is based on four categories of cyberattacks: cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC)/spoofing/impersonation incidents. Supply chain attacks had the biggest impact on patient care, with 87% of victims of supply chain attacks reporting negative impacts such as delayed procedures, poorer outcomes, and increased complications.

When asked about the cost of the single most expensive cyberattack, the answers ranged from $10,000 to more than $25 million, with an average cost of $3.9 million, down from the 2024 average of $4.7 million. The biggest cost was operational disruption, which cost an average of $1,210,172, down 17.6% from last year. Idle time and lost productivity fell by 13.7% year-over-year to an average of $858,832. The average cost of correcting the impact on patient care fell by 21.5% to $853,272, the cost of damage to IT assets and infrastructure fell by 13.8% to $711,060, and the cost of remediation and technical support activities fell by 28.6% to $507,491.

There has been a significant increase in ransomware incidents, which rose from 60% in 2024. While costs are down overall, the cost of ransomware attacks increased from an average of $1.1 million in 2024 to $1.2 million in 2025. The percentage of victims paying the ransom has continued to fall, with 33% of victims choosing to pay compared to 36% last year.

The adoption of AI for security and migration of data to the cloud were the most common protective strategies adopted by healthcare organizations. The survey revealed that 75% of healthcare organizations have or plan to move clinical applications to the cloud, and 30% of respondents use AI for security. The respondents who have adopted AI for security claim the tools are very effective, although 60% said they struggle to protect sensitive data used by AI systems, and the adoption of AI tools is being hampered by interoperability issues and data accuracy problems.

Human error was a key factor in data loss/data exfiltration incidents, with 35% of respondents reporting that data loss was caused by employees not following policies. One-quarter reported data due to privilege access abuse, and one-quarter said it was due to an employee sending PHI to an incorrect recipient. The human factor in cyberattacks is an area being addressed by 76% of organizations. Out of those, 63% said they have regular training and security awareness programs, 51% are monitoring the actions of employees, and 47% are conducting phishing simulations.

“This report underscores the urgent need for healthcare organizations to adopt a human-centric cybersecurity approach—one that not only protects systems and data but also preserves the continuity and quality of care,” said Witt. You can view/download the report here.

The post 72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks appeared first on The HIPAA Journal.

A zero-day vulnerability in Oracle E-Business Suite is under active exploitation by the Cl0p ransomware group. The vulnerability is tracked as CVE-2025-61882 and has a CVSS base score of 9.8 out of 10. The flaw is present in the BI Publisher Integration component of Oracle’s Concurrent Processing product within the Oracle E-Business suite, and can be exploited remotely by an unauthenticated attacker, leading to remote code execution. The vulnerability can be exploited by an unauthenticated attacker with network access via HTTP and will allow Oracle Concurrent Processing to be compromised.

Google’s Threat Intelligence Group and Mandiant first warned about attacks exploiting the vulnerability on October 2, 2025, when organizations started reporting that they had received demands for payment from the Cl0p threat group. Oracle published a security advisory about the vulnerability on October 4, 2025, and released a patch to fix the flaw. CrowdStrike believes with moderate confidence that a threat group tracked as Graceful Spider is mass exploiting the vulnerability.

Graceful Spider is a Russia-linked threat group known to conduct attacks with the Cl0p group. The vulnerability has been exploited in the wild since at least August 9, 2025, and a proof-of-concept exploit for the vulnerability has been published by the threat group Scattered LAPSUS$ Hunters. The threat intelligence firm WatchTowr has confirmed that the PoC exploit is real. Since valid exploit code is in the public domain, it is possible that multiple threat groups are now exploiting the vulnerability. WatchTowr reports that the exploit chain involves five separate bugs to achieve pre-authentication remote code execution, including some that were patched by Oracle in its July 2025 Critical Patch Update. WatchTowr explained that the exploit demonstrates a high level of skill and effort.

The vulnerability affects Oracle E-Business Suite versions 12.2.3 to 12.2.14, and may also exist in older, unsupported versions. Any organization that has Oracle E-Business Suite exposed to the internet is at risk, and given that the mass exploitation attempts have been ongoing for more than a month, there is a risk that the vulnerability has already been exploited and that the Cl0p group has yet to reach out to demand payment. According to the cybersecurity firm Resecurity, Cl0p has been reaching out to victims via compromised business email accounts and newly registered accounts.

Users of Oracle E-Business Suite should follow the advice in the Oracle security alert and ensure that they upgrade to a supported version and install the latest update. The update requires Oracle’s October 2023 Critical Patch Update to be applied before the patch for the CVE-2025-61882 vulnerability is applied. After applying the patch, Oracle E-Business Suite users should look for indicators of compromise to determine if the vulnerability has already been exploited. The IoCs have been shared in the above-linked Oracle security alert.

The post Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite appeared first on The HIPAA Journal.

A critical vulnerability in Fortra’s GoAnywhere MFT secure web-based file transfer tool is being actively exploited in Medusa ransomware attacks. According to Microsoft’s Threat Intelligence Team, the vulnerability is being exploited by a threat group it tracks as Storm-1175, which is known for deploying Medusa ransomware after exploiting vulnerabilities in public-facing applications.

The zero-day deserialization vulnerability is tracked as CVE-2025-10035 and has a maximum CVSS base score of 10. According to Fortra, a threat actor with a validly forged license response signature could deserialize an arbitrary actor-controlled object. Successful exploitation of the flaw can result in command injection without authorization, which can potentially lead to remote code execution. Fortra issued a security advisory about the flaw on September 18, 2025, and explained that the vulnerability affects the GoAnywhere MFT’s License Servlet Admin Console version 7.8.3 and prior versions. The vulnerability has been fixed in version 7.8.4 and the Sustain release 7.6.3.

Microsoft detected attacks exploiting the vulnerability at multiple organizations on September 11, 2025, although the threat intelligence company watchTowr believes that attacks started on September 10, 2025, more than a week before Fortra issued its security alert. Microsoft has observed Storm-1175 dropping remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence, and in some cases, creating .jsp files within GoAnywhere MFT directories.

The group establishes persistence, sets up secure C2 communications, and deploys additional tools and malware payloads to facilitate network discovery and lateral movement. The latter is achieved using mstsc.exe. The group identifies and exfiltrates sensitive data and has used Rclone for data exfiltration in at least one attack. After data exfiltration, the group deploys Medusa ransomware to encrypt files.

All users are advised to immediately ensure that the GoAnywhere Admin Console is not exposed to the Internet and to update GoAnywhere to the latest version. Since the vulnerability has been exploited since at least September 11, 2025, patching alone is not sufficient. After updating the software, users should investigate for signs of compromise. “Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability,” explained Fortra in its security alert.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog on September 29, 2025, and requires all federal civilian agencies to implement Fortra’s mitigations by October 20, 2025.

The post Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks appeared first on The HIPAA Journal.

Over the 12 months from March 2024 to March 2025, almost half of healthcare organizations experienced at least one data incident, such as a ransomware attack, hacking incident, or phishing attack, according to the cybersecurity firm Netwrix. For its 2025 Cybersecurity Trends Report, Netwrix surveyed 2,150 IT professionals from 121 countries in March 2025 and compared the findings to previous surveys conducted in 2024, 2023, and 2020.

Healthcare has long been targeted by threat actors due to the high value of patient records, and the fact that healthcare organizations cannot tolerate disruption, as it puts patient safety at risk. The sector is extensively targeted by ransomware groups as there is a higher probability that the ransom will be paid to prevent the publication of stolen data and ensure a fast recovery. In the past 12 months, 48% of healthcare organizations experienced at least one security incident that required a dedicated response from the security team.

Across all sectors, the number of organizations reporting no impact from security incidents is rapidly reducing. In 2023, 45% of respondents said there was no impact from security incidents, whereas in 2025 the percentage had fallen to just 36%. In 2024, 60% of organizations reported suffering financial damage due to cyberattacks, and the percentage jumped to 75% in 2025. Across all sectors, the number of organizations reporting financial damage of at least $200,000 almost doubled from 7% in 2024 to 13% in 2025.

Netwrix reports that four times as many healthcare organizations suffered financial losses of at least $200,000 in 2025 as in 2024. In 2024, only 2% of healthcare organizations experienced cyberattack-related losses of more than $500,000, compared to 12% in 2025. The report confirms that healthcare faces the biggest financial impact from cyberattacks. In 2025, 6% of all industries suffered cyberattack-related financial losses of more than $500,000, compared to 12% in healthcare.

The Netwrix survey revealed that almost one-third of healthcare organizations experienced security incidents involving compromised user/admin accounts. Phishing remains the most prevalent threat, and attacks are becoming harder to identify due to attackers’ use of AI tools for their phishing and social engineering campaigns. 37% of healthcare respondents said AI-driven threats require stronger defenses.

“Research strongly suggests that attackers are ahead in AI adoption, which is pushing defenders into a reactive posture. Indeed, 37% of survey respondents say AI-driven threats forced them to adjust — that’s a direct reaction to the offensive use of AI by adversaries, “ explained Jeff Warren, Chief Product Officer, Netwrix. “At the same time, 30% haven’t even started AI implementation and are in “considering” mode, indicating a significant lag in adoption. It’s fair to say that attackers are moving faster with AI, and defenders are scrambling to catch up. This asymmetry is not new in cybersecurity, but AI appears to be accelerating it.”

In 2025, the top three threats in the cloud and on-premises were the same. Phishing was the most common cause of security incidents (76% cloud; 69% on-premises), followed by user/admin account compromise (46% cloud; 45% on-premises), and ransomware and other malware attacks (30% cloud; 31% on-premises).

“Ransomware attacks on premises are becoming less frequent, while the rate for cloud infrastructure remains steady,” explained Warren. “As businesses shift critical operations and sensitive data to the cloud, attackers increasingly see cloud workloads as high-value targets worth encrypting or exfiltrating for ransom. And it’s a numbers game, too. Some attackers don’t target the cloud per se; they target everything. As more infrastructure moves to the cloud, the odds of hitting a cloud tenant go up.”

The main challenges for security teams are understaffed IT and security departments, a lack of budget for data security initiatives, mistakes/negligence by business users, and a lack of cybersecurity expertise within the IT and security teams.  Unsurprisingly, given the staffing problems at many organizations, one of the main priorities is the automation of manual IT processes, and while AI tools can help in this regard, it is important to ensure that the tools are not granted excessive privileges and that there is proper governance.

As AI adoption by cybercriminals accelerates, organizations need to respond. Warren suggests that organizations should double down on the basics of zero-trust networking and ensure they are adequately protecting their identity infrastructure, improving resilience by adopting an identity-first approach to protect accounts and the sensitive data they can access.

The post Healthcare Cyberattacks Costing $200K+ Rise 400% in a Year appeared first on The HIPAA Journal.

October is Cybersecurity Awareness Month – a global initiative that aims to educate the public and businesses about the importance of cybersecurity and protecting against cyber threats to systems and data.  The initiative is led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and this year’s theme is “Building a Cyber Strong America. The main focus this year is improving cybersecurity at the government entities and small and medium-sized businesses that operate and maintain the nation’s critical infrastructure, as well as the myriad of vendors and suppliers that support or are connected to critical infrastructure.

CISA is issuing a call to action to all critical infrastructure entities and vendors that support those entities to take steps to improve cybersecurity, starting with four essential steps to improve baseline security:

• Avoid phishing
• Use strong passwords
• Require multifactor authentication
• Update business software

Phishing is the initial access vector in many cyberattacks, providing threat actors with the credentials they need to access internal systems and data and conduct a comprehensive attack on the organization.  According to the cybersecurity firm SentinelOne, phishing attacks have increased by 1,265%, with that increase driven by the growth of GenAI. These attacks target employees and trick them into disclosing credentials, opening malicious email attachments, or clicking links that direct them to malicious sites where malware is downloaded. While technical defenses such as spam filters can reduce the number of threats that reach employees, it is vital to train the workforce on how to recognize and report suspicious emails.

A system is only as secure as the password used to protect it, so it is essential that passwords are used that are difficult to guess and are resistant to automated brute force attempts. According to Hive Systems, even a password consisting of 10 random numbers could be cracked in less than a day, compared to 803,000 years for a 10-character password consisting of numbers, upper and lower case letters, and special characters. Strong passwords should be mandatory for all users.

Even strong passwords are not sufficient by themselves, as while they may be difficult to brute force, they can be obtained by threat actors through phishing, for example. Multifactor authentication adds an additional layer of protection, ensuring that a password alone is not sufficient to access accounts, systems, and devices. Implementing multifactor authentication will significantly improve security, and where possible, phishing-resistant multifactor authentication should be implemented.

Threat actors target vulnerabilities in software and operating systems and exploit them to gain access to the networks of critical infrastructure entities and their vendors.  All business software and operating systems should be kept up to date, with patches and security updates applied promptly to fix vulnerabilities before they can be exploited. After completing these four essential steps to improve baseline security, the next step is to level up defenses through additional actions, such as implementing logging on all systems. Logs should be monitored for anomalous activity, including hacking incidents and insider threats.

Ransomware is one of the biggest threats, especially in healthcare. These attacks lock victims out of systems and prevent access to critical data, causing massive disruption to business operations. It is therefore essential to ensure that all critical information is backed up securely, as this will allow a fast recovery in the event of an attack. In addition to making multiple backups and securing one copy off-site, backups should be checked to ensure that file recovery is possible. A backup plan should also be developed to reach the recovery point in the shortest possible time frame.

Data encryption is another key protection to safeguard data at rest and in transit. If a threat actor gains access to files, the data cannot be viewed. Threat information sharing is also a key part of building a strong cyber America. By informing CISA about cyberattacks and sharing pertinent information, CISA can take steps to warn others and help them avoid similar threats.

Healthcare organizations should also consider implementing the cybersecurity performance goals (CPGs) developed by the Department of Health and Human Services in collaboration with CISA. The CPGs set a floor of safeguards that will help prevent successful cyberattacks, and the enhanced CPGs help healthcare organizations mature their cybersecurity capabilities. The 2025 HIPAA Journal Annual Survey indicated a lack of awareness of these important CPGs.

“Critical infrastructure – whether in the hands of state and local entities, private businesses, or supply chain partners – is the backbone of our daily lives,” said Acting CISA Director Madhu Gottumukkala. “Whenever it’s disrupted, the effects ripple through communities across America. That’s why this year CISA is prioritizing the security and resilience of small and medium businesses, and state, local, tribal, and territorial government (SLTT) that facilitate the systems and services [that] sustain us every day. This includes things like clean water, secure transportation, quality healthcare, secure financial transactions, rapid communications, and more. Together, we must make resilience routine so America stays safe, strong, and secure.”

The post Cybersecurity Awareness Month 2025: Building a Cyber Strong America appeared first on The HIPAA Journal.

There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1, 2025, ransomware attacks accounted for 91% of incurred losses.

On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.

One of the most active ransomware groups this year has been Interlock, which has attacked many healthcare organizations. In a concerning development, Interlock has been observed stealing cyber insurance policies and using them to benchmark and set higher ransom demands. In at least two ransomware attacks, the threat actor referenced the victim’s cyber insurance policy in the ransom demands, and in at least one case, set the ransom demand to just below the policy payout limit.

Resilience warns that cyberattacks are increasing in sophistication and that AI is increasingly being leveraged for social engineering and phishing campaigns. Social engineering and phishing attacks were linked to 88% of incurred losses in H1, 2025. AI-assisted phishing campaigns are more difficult for users to identify and for organizations to block. The success rate of traditional phishing and social engineering attempts is 12%, compared to 54% for AI-assisted attacks. Resilience reports that 1.8 billion credentials were compromised in H1, 2025 alone, an increase of 800% since January 2025. Social engineering and phishing stood out as leading causes of attacks, along with the inadvertent disclosure of sensitive data due to errors made using tracking technologies.

HIPAA Security Rule Compliance May Not Sufficiently Reduce Risk

Resilience cited one example of a healthcare provider that had invested significantly in cybersecurity yet still fell victim to an attack. The investigation revealed that while reasonable decisions had been made concerning cybersecurity, there were naturally trade-offs due to budgetary constraints. Those tradeoffs meant vulnerabilities were created that were ultimately exploited. Despite investing in cybersecurity, the organization’s risk assessments had not been updated in around four years, which is an aspect of compliance that the HHS’ Office for Civil Rights is actively enforcing due to its importance on security posture.

While the organization initially tested its endpoint protection to ensure it was effective, there was no routine testing after implementation to ensure those measures continued to provide adequate protection. Vendor risk management largely consisted of checks of security policy documents, rather than active monitoring, which only occurred for a few vendors. Incident response plans and disaster recovery exercises failed to consistently meet the organization’s recovery objectives, but the issue was not addressed due to limited resources and competing priorities. Gaps were identified in its backup procedures, as the threat actor was able to encrypt clinical images that had been missed from backups. That gave the threat actor significant leverage in ransom negotiations. The organization found that its assumed security posture bore little resemblance to its actual defensive capabilities.

Cybersecurity Recommendations for Healthcare Organizations

Naturally, there will be cybersecurity tradeoffs with budgetary restrictions, but the security gaps identified in that case study are all too common in healthcare. Resilience suggests that these security gaps are often a consequence of a focus on HIPAA compliance. The problem is that HIPAA only sets baseline standards for security, and the HIPAA Security Rule is more than 2 decades old.  A focus on compliance may help avoid regulatory penalties, but may not effectively reduce risks or adequately protect against modern threats.

“Organizations deploying disconnected security tools without strategic coordination create gaps between systems, while annual assessments become check-box exercises using outdated measures of effectiveness,” suggests Resilience. “Effective healthcare cybersecurity requires quantifying cyber risks in financial terms rather than relying on subjective ratings. Loss exceedance curves model potential impacts based on organization-specific factors, enabling leaders to understand exactly what risks could cost in business disruption, recovery expenses, and regulatory fines. When expressed financially, security discussions shift from technical justifications to strategic investment decisions.”

Based on its analysis of the current threat landscape, Resilience recommends healthcare organizations prioritize the following areas to improve their cybersecurity posture and limit the harm of a successful attack

• Implement a comprehensive backup strategy with particular attention to imaging files, databases, and system configurations
• Ensure regular tests are conducted to validate recovery capabilities and timeframes under realistic attack scenarios
• Treat your cyber insurance policy as part of your crown jewels, and ensure it is properly secured
• Implement robust training programs that address phishing, social engineering, and proper data handling procedures
• Ensure there is continuous monitoring of third-party vendors’ security postures
• Adopt methodologies that translate cyber risks into financial terms to allow leadership to make informed investment decisions based on actual risk reduction potential rather than compliance
• Implement and regularly test your incident response plan, including patient safety considerations and regulatory notification requirements

The post Cyber Insurance Claims Fall But Ransomware Losses Increase appeared first on The HIPAA Journal.

Microsoft has announced the seizure of hundreds of websites used by a popular phishing-as-a-service (PhaaS) operation that targets Microsoft 365 credentials. The operation’s phishing kits have been used to steal at least 5,000 usernames and passwords, including the Microsoft 365 credentials of at least 20 U.S. healthcare organizations.

According to the Microsoft Digital Crimes Unit (DCU), RaccoonO365 is the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords. The PhaaS operation provides subscription-based phishing kits, which generate phishing emails mimicking official communications from Microsoft. The emails direct victims to websites that trick victims into disclosing their Microsoft 365 credentials. The phishing kits lower the barrier to conducting phishing campaigns and can be used by even low-skilled individuals to steal credentials.

RaccoonO365 has been offering phishing kits to cybercriminals since at least July 2024. Subscribers are able to use the infrastructure to send up to 9,000 phishing emails per day. A 30-day subscription costs less than $12 per day, and under $10 per day for a 60-day subscription. The phishing kits utilize sophisticated techniques to steal credentials and bypass multi-factor authentication. Recently, RaccoonO365 added a new service that utilizes AI to scale operations and increase the sophistication and effectiveness of phishing campaigns.

The stolen credentials can provide access to accounts and sensitive data; however, they are commonly used to gain a foothold to launch more comprehensive attacks on victims, often leading to malware and ransomware downloads. The attacks have resulted in significant financial losses for healthcare providers and have disrupted critical patient care, putting patients at risk of harm. In addition to the attacks on healthcare organizations, RaccoonO365’s phishing kits were used for an extensive tax-themed phishing campaign that targeted more than 2,300 U.S. organizations worldwide.

MCU identified the leader of the operation, Joshua Ogundipe, who resides in Benin City in Nigeria. Ogundipe has a background in computer programming and is believed to have authored the bulk of the code for the phishing kits. Ogundipe was identified following a security lapse, which allowed MCU to identify a secret cryptocurrency wallet used by Ogundipe. Ogundipe, along with his associates, marketed and sold the RaccoonO365 phishing kits on Telegram and collected more than $100,000 in subscription payments. MCU estimates that between 100 and 200 subscriptions were sold, although that range is likely to be underestimated. Based on that range, subscribers could send between 900,000 and 1.8 million phishing emails per day. MCU’s intelligence has been shared with international law enforcement

Microsoft and Health-ISAC filed a lawsuit in the U.S. District Court for the Southern District of New York against Ogundipe and four John Doe conspirators seeking recovery of damages and the seizure of domains used by the operation. The allegations against the defendants include violations of the Computer Fraud and Abuse Act, Racketeer Influenced and Corrupt Organizations (RICO) Act, and the Electronic Communications Privacy Act.

The DCU investigation identified 338 sites used by the operation, which were seized after a court order was granted. Cloudflare assisted with the seizure of the domains. The domain seizures have caused considerable disruption to RaccoonO365’s operation. “To counter RaccoonO365, we acted swiftly to protect our customers and prevent further harm. But criminals constantly evolve, so Microsoft is evolving too,” explained Steven Masada, Assistant General Counsel and Director of Microsoft’s Digital Crimes Unit. “For instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations. These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence.

The post Microsoft Seizes Sites Used by Popular Phishing Operation to Attack Healthcare Orgs appeared first on The HIPAA Journal.