More Than Half of Healthcare Orgs Attacked with Ransomware Last Year

Posted by Steve Alder

A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.

The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.

A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.

The lower rate of ransom payment in healthcare may be due to genuine concerns that the attackers will not be true to their word. The ransomware attack on Change Healthcare last year made that clear. A $22 million ransom was paid to the BlackCat ransomware group to delete the stolen data; however, after pulling an exit scam, the affiliate behind the attack retained a copy of the data and attempted extortion a second time through a different group, RansomHub. Further, law enforcement operations against LockBit found the group lied about data deletion. Copies of stolen data were found on servers after the ransom was paid. Payment of a ransom is also no guarantee that data can be recovered. On average, 15% of companies that paid the ransom did not receive usable decryption keys, and a further 3% found that their data had been published or misused even when payment was made.

Ransomware groups have been observed adopting more aggressive tactics to increase pressure on victims. Falling profits have prompted some groups to start contacting patients of an attacked healthcare provider directly to increase pressure and get the ransom paid, or in some cases, patients have been extorted. Ransomware groups have threatened to file complaints with regulators, such as the Securities and Exchange Commission (SEC). According to Semperis, 47% of attacks involved threats of regulatory complaints, and 41% of attacks on healthcare organizations. In 62% of healthcare attacks, the threat actor threatened to release private or proprietary data. There is also a growing trend of physical threats against staff members, which occurred in 40% of attacks across all sectors, and 31% of attacks on healthcare organizations.

“With the introduction of generative AI and the fast development of agentic AI attacks, creating more advanced tools with more destructive impact is easier, so threat actors no longer need a lot of money and resources to create those tools,” said Yossi Rachman, Semperis Director of Security Research. “As a result, even a drop in ransom payments will not necessarily stop attack groups from proliferating and conducting more effective and frequent attacks.”

Semperis found that organizations are getting better at detecting and blocking attacks, but when attacks occur, they can cause considerable harm. For 53% of healthcare victims, recovery took from a day to a week, with 31% of attacked healthcare organizations taking between one week and one month to fully return to normal operations. The main business disruptions were data loss/compromise, reputational damage, and job losses. In one attack this year, a healthcare provider permanently closed the business after a ransomware attack.

The biggest challenges faced in healthcare were the frequency and sophistication of threats, attacks on identity systems, and regulatory compliance. 78% of victims said attacks compromised their identity infrastructure, yet only 61% maintained a dedicated AD-specific backup system. Semperis strongly advises companies to implement technology to protect IAM infrastructure, since this is the #1 target. It is also important to document, train, and test to improve the response to a ransomware attack, as an attack is almost inevitable.

“Train for the day you are attacked,” advises Rachman. “See that everybody knows exactly what they should do, which systems, processes, and tools need to be involved, and do that every six months.” Further, when cybersecurity has been improved, it is necessary to evaluate the security of partners and supply chain vendors, as even with excellent security, supply chain vulnerabilities could easily be exploited.

The post More Than Half of Healthcare Orgs Attacked with Ransomware Last Year appeared first on The HIPAA Journal.

Trump Administration Announces Plan to Improve Patient Data Sharing

Posted by Steve Alder

This week, the Trump Administration announced a new initiative aimed at improving interoperability and the exchange of healthcare data, and has obtained pledges from leading healthcare and technology firms to create a foundation for a next-generation digital health ecosystem, which will improve patient outcomes, reduce provider burden, and drive value.

The initiative was announced during a HHS’ Centers for Medicare & Medicaid Services (CMS) hosted White House event dubbed “Make Health Tech Great Again,” and follows years of bipartisan efforts to improve interoperability and eradicate information blocking to improve the quality of care and eliminate waste. “For decades, bureaucrats and entrenched interests buried health data and blocked patients from taking control of their health,” said HHS Secretary Robert F. Kennedy, Jr. “That ends today. We’re tearing down digital walls, returning power to patients, and rebuilding a health system that serves the people. This is how we begin to Make America Healthy Again.”

At the event, the CMS fleshed out its plan, which includes voluntary criteria for trusted, patient-centered, and practical data exchange for all network types: health information networks, exchanges, electronic health records (EHR), and tech platforms. The effort is focused on two key areas: promoting a voluntary CMS Interoperability Framework that will allow data to be easily shared between patients and providers, and making personalized tools available to give patients the information and resources they need to make better health decisions. Under the initiative, more than 60 companies have pledged to work collaboratively to deliver results by the first quarter of 2026, including tech firms such as Amazon, Anthropic, Apple, Google, and OpenAI.

The initiative has been welcomed by the HHS’ Office for Civil Rights (OCR), which for several years has had a HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access. Under that initiative, more than 50 healthcare providers have paid financial penalties for failing to provide patients with timely access to their medical records, as required by the HIPAA Privacy Rule. While patients can receive copies of their health records under HIPAA, there are still barriers to sharing that information with others. Under this initiative, tools will be made available to make data sharing as simple as providing a QR code to a new healthcare provider to transfer medical records.

“[OCR] supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”

More than 21 networks have agreed to adopt the voluntary criteria to become CMS-aligned networks, and 30 companies have pledged to provide apps that will use secure digital identity credentials to obtain electronic medical records from CMS alligned networks and facilitate data sharing. Apps will be developed to help in key areas, such as helping patients with diabetes and obesity management, conversational AI assistants will be available for checking symptoms, scheduling appointments, and navigating care options, and “kill the clipboard” tools will be made available to replace intake forms with secure digital check-in methods.

One of the tech companies participating in the effort is CLEAR, a secure identity platform provider. “We are excited that identity services – like CLEAR – are making it possible for patients and providers to use verified, secure identity as part of CMS’s Health Tech Ecosystem,” said Amy Gleason, Acting Administrator for the U.S. DOGE Service and Strategic Advisor to the CMS. “Checking in at the doctor’s office should be the same as boarding a flight. Patients should be able to scan a QR code to instantly and safely share their identity, insurance, and medical history”.

The HHS has confirmed that all of the proposals will be compliant with the HIPAA Privacy and Security Rules. While that is no doubt true, once a healthcare provider has provided a patient with a copy of their records, those records are no longer protected by HIPAA. Patients must ensure they exercise caution when sharing their records with any third party, as uses and disclosures of the shared information may not be subject to HIPAA protections.

“Improving health tech interoperability can eliminate frustrating inefficiencies and empower patients and providers. But health data is some of the most sensitive information people can share — and it must be protected responsibly,” said Andrew Crawford, Senior Counsel, Privacy & Data, and the Center for Democracy & Technology. “The U.S. doesn’t have a general-purpose privacy law, and HIPAA only protects data held by certain people like healthcare providers and insurance companies. Many health and AI apps, including some being promoted by the Trump Administration, are typically not covered by HIPAA. That could put sensitive information in real danger.”

The post Trump Administration Announces Plan to Improve Patient Data Sharing appeared first on The HIPAA Journal.