More Than Half of Healthcare Orgs Attacked with Ransomware Last Year

Posted by Steve Alder

A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.

The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.

A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.

The lower rate of ransom payment in healthcare may be due to genuine concerns that the attackers will not be true to their word. The ransomware attack on Change Healthcare last year made that clear. A $22 million ransom was paid to the BlackCat ransomware group to delete the stolen data; however, after pulling an exit scam, the affiliate behind the attack retained a copy of the data and attempted extortion a second time through a different group, RansomHub. Further, law enforcement operations against LockBit found the group lied about data deletion. Copies of stolen data were found on servers after the ransom was paid. Payment of a ransom is also no guarantee that data can be recovered. On average, 15% of companies that paid the ransom did not receive usable decryption keys, and a further 3% found that their data had been published or misused even when payment was made.

Ransomware groups have been observed adopting more aggressive tactics to increase pressure on victims. Falling profits have prompted some groups to start contacting patients of an attacked healthcare provider directly to increase pressure and get the ransom paid, or in some cases, patients have been extorted. Ransomware groups have threatened to file complaints with regulators, such as the Securities and Exchange Commission (SEC). According to Semperis, 47% of attacks involved threats of regulatory complaints, and 41% of attacks on healthcare organizations. In 62% of healthcare attacks, the threat actor threatened to release private or proprietary data. There is also a growing trend of physical threats against staff members, which occurred in 40% of attacks across all sectors, and 31% of attacks on healthcare organizations.

“With the introduction of generative AI and the fast development of agentic AI attacks, creating more advanced tools with more destructive impact is easier, so threat actors no longer need a lot of money and resources to create those tools,” said Yossi Rachman, Semperis Director of Security Research. “As a result, even a drop in ransom payments will not necessarily stop attack groups from proliferating and conducting more effective and frequent attacks.”

Semperis found that organizations are getting better at detecting and blocking attacks, but when attacks occur, they can cause considerable harm. For 53% of healthcare victims, recovery took from a day to a week, with 31% of attacked healthcare organizations taking between one week and one month to fully return to normal operations. The main business disruptions were data loss/compromise, reputational damage, and job losses. In one attack this year, a healthcare provider permanently closed the business after a ransomware attack.

The biggest challenges faced in healthcare were the frequency and sophistication of threats, attacks on identity systems, and regulatory compliance. 78% of victims said attacks compromised their identity infrastructure, yet only 61% maintained a dedicated AD-specific backup system. Semperis strongly advises companies to implement technology to protect IAM infrastructure, since this is the #1 target. It is also important to document, train, and test to improve the response to a ransomware attack, as an attack is almost inevitable.

“Train for the day you are attacked,” advises Rachman. “See that everybody knows exactly what they should do, which systems, processes, and tools need to be involved, and do that every six months.” Further, when cybersecurity has been improved, it is necessary to evaluate the security of partners and supply chain vendors, as even with excellent security, supply chain vulnerabilities could easily be exploited.

The post More Than Half of Healthcare Orgs Attacked with Ransomware Last Year appeared first on The HIPAA Journal.

Trump Administration Announces Plan to Improve Patient Data Sharing

Posted by Steve Alder

This week, the Trump Administration announced a new initiative aimed at improving interoperability and the exchange of healthcare data, and has obtained pledges from leading healthcare and technology firms to create a foundation for a next-generation digital health ecosystem, which will improve patient outcomes, reduce provider burden, and drive value.

The initiative was announced during a HHS’ Centers for Medicare & Medicaid Services (CMS) hosted White House event dubbed “Make Health Tech Great Again,” and follows years of bipartisan efforts to improve interoperability and eradicate information blocking to improve the quality of care and eliminate waste. “For decades, bureaucrats and entrenched interests buried health data and blocked patients from taking control of their health,” said HHS Secretary Robert F. Kennedy, Jr. “That ends today. We’re tearing down digital walls, returning power to patients, and rebuilding a health system that serves the people. This is how we begin to Make America Healthy Again.”

At the event, the CMS fleshed out its plan, which includes voluntary criteria for trusted, patient-centered, and practical data exchange for all network types: health information networks, exchanges, electronic health records (EHR), and tech platforms. The effort is focused on two key areas: promoting a voluntary CMS Interoperability Framework that will allow data to be easily shared between patients and providers, and making personalized tools available to give patients the information and resources they need to make better health decisions. Under the initiative, more than 60 companies have pledged to work collaboratively to deliver results by the first quarter of 2026, including tech firms such as Amazon, Anthropic, Apple, Google, and OpenAI.

The initiative has been welcomed by the HHS’ Office for Civil Rights (OCR), which for several years has had a HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access. Under that initiative, more than 50 healthcare providers have paid financial penalties for failing to provide patients with timely access to their medical records, as required by the HIPAA Privacy Rule. While patients can receive copies of their health records under HIPAA, there are still barriers to sharing that information with others. Under this initiative, tools will be made available to make data sharing as simple as providing a QR code to a new healthcare provider to transfer medical records.

“[OCR] supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”

More than 21 networks have agreed to adopt the voluntary criteria to become CMS-aligned networks, and 30 companies have pledged to provide apps that will use secure digital identity credentials to obtain electronic medical records from CMS alligned networks and facilitate data sharing. Apps will be developed to help in key areas, such as helping patients with diabetes and obesity management, conversational AI assistants will be available for checking symptoms, scheduling appointments, and navigating care options, and “kill the clipboard” tools will be made available to replace intake forms with secure digital check-in methods.

One of the tech companies participating in the effort is CLEAR, a secure identity platform provider. “We are excited that identity services – like CLEAR – are making it possible for patients and providers to use verified, secure identity as part of CMS’s Health Tech Ecosystem,” said Amy Gleason, Acting Administrator for the U.S. DOGE Service and Strategic Advisor to the CMS. “Checking in at the doctor’s office should be the same as boarding a flight. Patients should be able to scan a QR code to instantly and safely share their identity, insurance, and medical history”.

The HHS has confirmed that all of the proposals will be compliant with the HIPAA Privacy and Security Rules. While that is no doubt true, once a healthcare provider has provided a patient with a copy of their records, those records are no longer protected by HIPAA. Patients must ensure they exercise caution when sharing their records with any third party, as uses and disclosures of the shared information may not be subject to HIPAA protections.

“Improving health tech interoperability can eliminate frustrating inefficiencies and empower patients and providers. But health data is some of the most sensitive information people can share — and it must be protected responsibly,” said Andrew Crawford, Senior Counsel, Privacy & Data, and the Center for Democracy & Technology. “The U.S. doesn’t have a general-purpose privacy law, and HIPAA only protects data held by certain people like healthcare providers and insurance companies. Many health and AI apps, including some being promoted by the Trump Administration, are typically not covered by HIPAA. That could put sensitive information in real danger.”

The post Trump Administration Announces Plan to Improve Patient Data Sharing appeared first on The HIPAA Journal.

Florida Internal Medicine Practices Discloses November 2024 Data Breach

Posted by Steve Alder

Hacking-related data breaches have been announced by Mid Florida Primary Care, Northwest Denture Center in Washington, Forward, The National Databank for Rheumatic Diseases in Kansas, and Equilibria Mental Health Services in Massachusetts. Inc Ransom claims to have attacked the West Virginia Primary Care Association.

Mid Florida Primary Care

On July 29, 2025, Mid Florida Primary Care, a specialized internal medicine practice in Leesburg, Florida, disclosed a cyberattack and data breach that was identified on or around January 23, 2025. An investigation was launched to determine the nature and scope of the activity, which confirmed that an unauthorized third party accessed its network and copied files between November 29, 2024, and December 11, 2024. The data review was completed on June 19, 2025.

The information compromised in the incident includes names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license numbers, health insurance information, Medicare/Medicaid numbers, health insurance information, diagnosis and/or treatment information, medical histories, allergies, prescription information, test results, and treatment locations.

Mid Florida Primary Care has confirmed that the affected individuals will be offered at least 12 months of complimentary credit monitoring and identity theft restoration services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Northwest Denture Center, Washington

Northwest Denture Center in Burlington, Washington, has confirmed that the protected health information of 12,209 individuals has been exposed in a recent hacking incident. Suspicious network activity was identified on or around May 28, 2025, and action was taken to isolate the network to prevent further unauthorized access. The investigation confirmed that an unauthorized third party first gained access to its network on May 27, 2025.

The review of the affected files was completed on June 27, 2025, and notification letters started to be sent to the affected individuals on July 25, 2025. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Additional training is being provided to the workforce, and additional security measures are being implemented. Complimentary credit monitoring services have been provided to the affected individuals for 12 months.

Equilibria Mental Health Services, Massachusetts

Equilibria Mental Health Services in Massachusetts has discovered that the personal and protected health information of up to 2,000 individuals was potentially compromised in a phishing attack. The incident was identified on June 24, 2025, when two employee email accounts were discovered to have been compromised following responses to phishing emails. The email accounts were accessed by an unauthorized third party for a short period on June 24, 2025.

There was unauthorized access to the email addresses of multiple clients, and individuals who had previously contacted Equilibria Mental Health Services to inquire about mental health services. Some of those individuals have reported receiving phishing emails from a compromised Equilibria email account.

The compromised accounts were reviewed and found to contain mailing addresses, physical addresses, telephone numbers, health insurance plan information, and reasons for making contact. The aim of the attack appears to have been to use the compromised accounts for further phishing attempts. Equilibria Mental Health Services said it is evaluating its cybersecurity protocols and taking action to strengthen email security.

Forward, The National Databank for Rheumatic Diseases

Forward, The National Databank for Rheumatic Diseases in Wichita, Kansas, has announced a security incident that was detected on March 21, 2025. Suspicious activity was identified within certain systems, and the forensic investigation confirmed unauthorized access between March 17, 2025, and March 22, 2025. During that time, files containing sensitive information were potentially viewed and copied from its network.

The file review was completed on June 22, 2025, when it was confirmed that personally identifiable information (PII) and protected health information (PHI) had been compromised, including names, contact information, dates of birth, Social Security numbers, medical information/histories, disability information, mental and physical treatment information, diagnoses, prescription information, treating or referring physicians, and medical record numbers. Forward is reviewing its policies, procedures, and processes to reduce the likelihood of a similar future event, and notification letters are being mailed to the affected individuals.

It is currently unclear how many individuals have been affected. The Maine Attorney General was informed that the breach involved the personal information of 38 Maine residents, but the total size of the data breach was not disclosed.

Ransomware Group Claims Attack on West Virginia Primary Care Association

West Virginia Primary Care Association (WVPCA), in Charleston, West Virginia, has recently been added to the dark web data leak site of the Inc Ransom ransomware group. In Ransom is a prolific hacking group that engages in double extortion ransomware attacks, stealing data, encrypting files, and demanding payment for the decryptors and to prevent publication of the stolen data. Inc Ransom claims to have exfiltrated 296 GB of data.

The addition of an entity on a dark web data leak site does not necessarily mean data has been stolen. There have been several cases where claims of attacks have been partially or entirely fabricated. West Virginia Primary Care Association has yet to announce any cyberattack or data breach, or issue a statement about the posting. The HIPAA Journal has not accessed any of the leaked data, so is unable to verify whether the claim is legitimate.

The post Florida Internal Medicine Practices Discloses November 2024 Data Breach appeared first on The HIPAA Journal.