Episource Ransomware Attack Affects Multiple Healthcare Customers

Episource LLC, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, has experienced a cyberattack involving the theft of customer data. A network intrusion was detected on February 6, 2025, after suspicious activity had been identified within its network. All computer systems were powered down to prevent further unauthorized access, law enforcement was notified, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed there had been unauthorized access to its computer systems between January 27, 2025, and February 6, 2025. The California Attorney General was notified about the breach on June 6, 2025, and at that time, Episource said it was unaware of any misuse of the compromised data. Individual notification letters have been issued on a rolling basis since April 23, 2025.

The review of the compromised files confirmed that they contained a range of data, which varied from individual to individual. Potentially compromised data included names and contact information (address, phone number, and email address), together with one or more of the following:

  • Health information: diagnosis information, treatment information, prescriptions, test results, medical images, medical record numbers, and doctors’ names.
  • Health plan information: health plan policies, company names, member/group ID numbers, and Medicaid/Medicare payor ID numbers.
  • Other personal information, such as date of birth.

Episource said it is strengthening system security to prevent similar breaches in the future, and that the affected individuals are being offered two years of complimentary credit monitoring and identity theft protection services. Episource did not disclose the nature of the attack in its notification letters; however, this appears to be a ransomware attack. The group responsible is currently unknown.

Sharp Community Medical Group and Sharp HealthCare have confirmed that they have been affected by the incident, but it is currently unclear how many other clients have been impacted. The number of affected individuals is also currently unknown, as the data breach is not yet displayed on the OCR breach portal.

The post Episource Ransomware Attack Affects Multiple Healthcare Customers appeared first on The HIPAA Journal.

Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate

Last week, a pair of bipartisan bills were introduced in the House of Representatives and Senate that seek to enhance the cybersecurity of the healthcare and public health (HPH) sector by improving coordination at the federal level to ensure that government agencies can respond quickly and efficiently to cyberattacks on HPH sector entities.

Healthcare cyberattacks have increased significantly in recent years, with more than 700 data breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in each of the past four years. In the past couple of years, a huge volume of healthcare records has been breached. In 2023, the protected health information of more than 172 million individuals was exposed or impermissibly disclosed in healthcare data breaches, and 278 million individuals were affected by healthcare data breaches in 2024.

In 2024, a ransomware group breached the systems of Change Healthcare, stole the records of an estimated 190 million individuals, and used ransomware to encrypt files. The prolonged outage of Change Healthcare’s systems caused massive disruption to the revenue cycles of healthcare providers and considerable disruption to patient care across the country, and the stolen data was leaked on the dark web.

The Healthcare Cybersecurity Act of 2025 was introduced by Congressman Jason Crow (D-CO), who was joined in introducing the legislation by Congressman Brian Fitzpatrick (R-PA). A companion bill was introduced in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). Congressman Crow previously introduced the Healthcare Cybersecurity Act in the 117th and 118th Congresses. “As technology advances, we must do more to protect Americans’ sensitive data,” said Congressman Crow. “That’s why I’m leading bipartisan legislation to strengthen our defenses and protect families from cyberattackers.”

If passed, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) would be required to collaborate on improving HPH sector cybersecurity. A liaison would be created between the two agencies to coordinate the responses to cyberattacks, and the act would authorize cybersecurity training for all relevant personnel. The bill also requires CISA and the HHS to conduct a study to identify the specific risks faced by the HPH sector.

“Cyberattacks on our healthcare system endanger more than data—they put lives at risk. I’ve long worked to strengthen our nation’s cyber defenses where Americans are most exposed, from small businesses to hospitals. This bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response. We’re not just responding to attacks—we’re building the infrastructure to prevent them, protect patient privacy, and defend a vital pillar of our national security,” said Congressman Fitzpatrick.


High Severity Vulnerability Identified in MicroDicom DICOM Viewer

A high-severity vulnerability has been identified in the MicroDicom DICOM Viewer, a popular free-to-use software for viewing and manipulating DICOM medical images.

The vulnerability can be exploited remotely in a low complexity attack, and successful exploitation can allow the execution of arbitrary code on vulnerable installations of DICOM Viewer; however, user interaction is required to exploit the vulnerability. A threat actor would need to convince a user to open a malicious DICOM file locally or visit a specially crafted malicious web page, for example, through social engineering or phishing.

The vulnerability affects DICOM Viewer version 2025.2 (Build 8154) and prior versions and is tracked as CVE-2025-5943. The vulnerability is an out-of-bounds write issue, where it is possible to write to memory outside the bounds of the intended buffer and execute arbitrary code. The vulnerability has been assigned a CVSS v4 base score of 8.6 out of 10 and a CVSS v3.1 base score of 8.8 out of 10. While there have been no known cases of the vulnerability being exploited in the wild at the time of disclosure, prompt patching is recommended. The vulnerability has been fixed in version 2025.3 and later versions.

The vulnerability was identified by independent security researcher Michael Heinzl, who reported the vulnerability to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The latest announcement follows a May 2025 disclosure of two high-severity vulnerabilities, a February 2025 disclosure of a medium-severity vulnerability that can be exploited in a machine-in-the-middle (MitM) attack, and four high-severity vulnerabilities identified in 2024 and disclosed in March and June last year.

Since vulnerabilities are frequently discovered, it is advisable to locate DICOM Viewer behind a firewall, to isolate it from business networks, and if remote access is required, to use a secure method of connection such as a Virtual Private Network (VPN) and ensure that the VPN is kept up to date.


Trump Administration Appoints Deputy HHS Secretary & National Coordinator for Health IT

There have been a further two appointments to leadership positions at the U.S. Department of Health and Human Services (HHS). Robert F. Kennedy, Jr., has sworn in Jim O’Neill as Deputy HHS Secretary, and Thomas Keane, MD, MBA, has been named as the new Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology. Last week, the HHS appointed Paula M Stannard as the new Director of the HHS’ Office for Civil Rights (OCR).

Jim O’Neill is an HHS veteran, having served in the department for almost six years between 2002 and 2008, first as Director of the Speech and Editorial Division, then Associate Deputy Secretary and Senior Advisor to the Deputy Secretary, and as Principal Associate Deputy Secretary between 2007 and 2008. In the latter role, O’Neill led reforms at the U.S. Food and Drug Administration (FDA) to overhaul food safety regulations and implemented the FDA Amendments Act to improve the safety of drugs and medical devices.

After leaving the HHS, O’Neill oversaw the development of tools and techniques for enhancing background checks as a member of the Suitability and Security Clearance Performance Accountability Council, served as Managing Director at the global macro hedge fund Clarium Capital Management and as Acting CEO of the Thiel Foundation, which supports nonprofits promoting technology and freedom, and co-founded the Thiel Fellowship, which has helped many young entrepreneurs found science and tech firms.

O’Neill has also served on the Board of Directors at Advantage Therapeutics Inc., as Board Observer at Oisin Biotechnologies, and was on the Board of Directors at the SENS Research Foundation, where as CEO he led efforts to research and develop regenerative medicine solutions for age-related diseases such as Alzheimer’s, heart disease, and cancer.

“Jim O’Neill’s extensive experience in Silicon Valley and government makes him ideally suited to transition HHS into a technological innovation powerhouse. He will help us harness cutting-edge AI, telemedicine, and other breakthrough technologies to deliver the highest quality medical care for Americans,” said Secretary Kennedy. “As my deputy, he will lead innovation and help us reimagine how we serve the public. Together, we will promote outcome-centric medical care, champion radical transparency, uphold gold-standard science, and empower Americans to take charge of their own health.”

“I am deeply honored to return to HHS,” said Deputy Secretary O’Neill. “All Americans deserve to be healthy, happy, and prosperous, and President Trump and Secretary Kennedy have the right vision and leadership to get us there.”

Thomas Keane, MD, MBA, has also rejoined the HHS, becoming the second Assistant Secretary for Technology Policy and the ninth National Coordinator for Health Information Technology (ASTP/ONC). Dr. Keane, a physician, engineer, and interventional radiologist, previously served at the HHS as Senior Advisor to the Deputy Secretary of Health and Human Services.

Keane was an administrator of the COVID-19 Provider Relief Fund and led the development of the AHRQ National Nursing Home COVID Action Network, which helped improve infection control and safety practices in nursing facilities. Dr. Keane has also served as CEO of Radiology Associates of Southeastern Ohio, an interventional radiology fellow at Johns Hopkins Hospital, and a radiology resident at New York Presbyterian Hospital. In the new role, Dr. Keane will play a key role in shaping the future of Health IT and the HHS technology strategy.


Dozens of Lawsuits Filed in Response to Kettering Health Ransomware Attack

Dozens of lawsuits have been filed against Kettering Health in response to a 2025 ransomware attack involving data theft and delays to medical care. The HIPAA Journal covered the ransomware attack and data breach last year (see below) after the initial announcement in May 2025. It has been 10 months since the attack occurred, and the number of affected individuals has yet to be confirmed. The HHS’ Office for Civil Rights data breach portal still lists the incident with the initial placeholder estimate of 500 affected individuals.

The Interlock ransomware group claimed it had stolen 941 GB of data and encrypted files, then published the stolen data when the ransom was not paid. Kettering Health was forced to shut down around 600 digital applications, and employees switched to pen and paper to record patient information. The attack occurred on May 20, 2025, and Kettering Health was forced to cancel appointments while it restored its systems. It took until June 2, 2025, for its Epic electronic medical record system to be restored, and a further week for normal operations to resume. Kettering Health said normal operations resumed on June 10, 2025.

While class action lawsuits are now inevitable following any healthcare data breach due to the exposure or theft of personal and protected health information, in this case, many lawsuits have been filed over alleged delays to medical care, and in some cases, denial of care. According to the Vandalia, Ohio-based law firm Wright & Schulte LLC, which is representing many of the affected patients, 44 individual lawsuits against Kettering Health have been consolidated in a single complaint in the Montgomery County Common Pleas Court in Ohio. Out of those 44 lawsuits, 37 allege Kettering Health delayed treatment, and 8 allege denial of care. While the attack resulted in systems being taken offline for around 3 weeks, the delays to treatment were more extensive. Some patients participating in the litigation claim their appointments were rescheduled months later, some experienced prescription delays, and others claim that their appointments have not been rescheduled at all.

The lawyers allege that there was no contingency plan for a ransomware attack, and Kettering Health “just stopped seeing patients, stopped taking phone calls, and they started turning everybody away.” Some of the patients were receiving cancer treatments and other critical care, and were left without access to essential medications.

The consolidated lawsuit asserts claims of negligence, gross negligence, emotional distress, and breach of contract. The plaintiffs are seeking damages in excess of $25,000, as well as punitive damages, and attorneys’ fees and legal expenses. In addition to compensation for the injuries sustained as a result of the attack, the plaintiffs also want to ensure that Kettering Health makes the necessary improvements to security to prevent similar incidents in the future.

October 17, 2025: Kettering Health Confirms Patient Data Compromised in May 2025 Ransomware Attack

Kettering Health has provided an update on its May 20, 2025, ransomware attack. The investigation confirmed that the Interlock ransomware group first gained access to its network on April 9, 2025, and retained access until May 20, 2025, when the attack was detected, and the unauthorized access was blocked. During that time, the ransomware group accessed or copied files containing patient information.

Kettering Health has been providing regular updates on its progress recovering from the attack and has now completed its file review. The review confirmed that current and former patients had the following information compromised in the attack: first and last name, contact information, date of birth, Social Security number, patient identification number, medical record number, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification number, financial account information, and/or education records.

Kettering Health said it has reviewed its policies, procedures, and processes related to data security and has taken steps to prevent similar incidents in the future. Kettering Health said it is unaware of any misuse of the exposed information and has provided patients with information on how they can protect themselves against identity theft and fraud. Complimentary credit monitoring and identity theft protection services do not appear to have been offered.

The data breach was reported to the HHS’ Office for Civil Rights on July 21, 2025, using a placeholder estimate of at least 501 affected individuals. The total has not yet been updated, so it is still unclear how many individuals have been affected.

June 13, 2025: Kettering Health Resumes Normal Operations for Key Services Following Ransomware Attack

It has taken three weeks, but Kettering Health has confirmed that it has resumed normal operations for key services following its May 20, 2025, Interlock ransomware attack. Kettering Health has been releasing regular updates on the progress being made restoring its systems, confirming that the core components of its Epic EHR system were restored on the morning of June 2, 2025. The restoration allowed patient data to be entered directly and work to begin on adding the backlog of data recorded on paper to patient records.

Interlock’s access to its network and system was immediately terminated when the attack was discovered, and Kettering Health confirmed on June 5, 2025, that all of the ransomware group’s tools and persistence mechanisms had been eradicated from its systems. Kettering Health also confirmed that all systems were fully up to date with the latest versions of software installed and patches applied, and security enhancements had been implemented, including network segmentation, enhanced monitoring, and updated access controls. Kettering Health said it is confident that its cybersecurity framework and employee security training are sufficient to mitigate future risks.

The primary purpose throughout the incident response has been to ensure quality care was still provided to patients while ensuring that all network-connected devices were secure and connections with its partners were fully protected. Kettering Health stated the main focus has now shifted from securing systems to ensuring that patient communication systems and scheduling systems are fully restored.

On June 9, 2025, Kettering Health confirmed that MyChart access for patients had been restored in a limited capacity and patients could view their upcoming appointments, schedule appointments, view and refill prescriptions, view test results, and message providers. All surgeries had also resumed. On June 10, 2025, Kettering Health announced that normal operations had been resumed for several key services, including surgery, imaging, retail pharmacy, and physician office visits. MyChart access had been fully restored, and its phone lines were functional and stable.

The recovery process continues to restore further systems, and the data analysis is progressing to determine the extent of data theft. No estimate has been provided so far on the number of individuals affected, only a placeholder of 501 individuals registered with the HHS’ Office for Civil Rights. Individual notification letters will be mailed to the affected individuals as soon as possible, including information about credit monitoring and fraud protection services.

June 5, 2025: Kettering Health Ransomware Attack: Interlock Ransomware Group Leaks Stolen Data

Kettering Health is continuing to make progress in recovering from its May 20, 2025, ransomware attack. While its EHR has been restored, other IT systems remain offline, with disruption continuing at its Ohio medical centers and outpatient facilities. Earlier this week, Kettering Health issued an update confirming that a small subset of patient data was stolen in the attack, although the extent of the data breach has yet to be confirmed.

Kettering Health has not named the ransomware group behind the incident, although CNN claimed to have viewed a copy of a ransom note indicating the Interlock ransomware group was responsible. This week, Interlock claimed responsibility for the attack and added Kettering Health to its dark web data leak site and listed the stolen data for download, indicating the ransom was not paid.

Interlock claims to have stolen 941 GB of data from Kettering Health before ransomware was used to encrypt files. The stolen data includes 732,490 files spread across 20,418 folders. The HIPAA Journal has not downloaded any of the data, so it cannot confirm the extent to which patient and employee data has been compromised. Based on the folder and file names, the stolen data appears to include payroll information, employee files, scans of identity documents, police security personnel files, Medicaid application documents, pharmacy and blood bank documents, financial revenue reports, corporate insurance files, corporate tax information, budget reports, and patient files.

June 3, 2025: Kettering Health Restores EHR After Ransomware Attack

Kettering Health said it restored the core components of its Epic electronic health record (EHR) system on the morning of June 2, 2025, and it is now possible to enter patient information directly into electronic health records. Patient information that was recorded manually during the outage can now be added to patients’ digital health records. The restoration of the EHR will allow care teams to communicate more effectively and coordinate patient care with greater speed and clarity.

Kettering Health said more than 200 people from its information systems team, clinical team, and the software company Epic have been working around the clock over the past two weeks to get to this point. “This marks a major milestone in our broader restoration efforts and a vital step toward returning to normal operations,” explained Kettering Health. The restoration of other IT systems is continuing, including its MyChart patient portal and its inbound and outbound phone lines. Kettering Health has confirmed that its emergency departments are no longer on diversion, and its primary care locations are providing walk-in care to established patients.

Kettering Health CEO Michael Gentry has also confirmed that there has been unauthorized access to the data of “a small subset” of Kettering Health patients. The investigation into the data breach is ongoing, and notification letters will be mailed to the affected individuals when the investigation is concluded.

On May 30, 2025, Kettering Health provided an update to its staff, partners, and community members about scam communications, which may include phone calls, text messages, and emails. Gentry explained that these communications are “designed to intimidate, demand a response, or claim data exposure.” Gentry advised the public to exercise caution, not to click any links, open attachments, or respond to the communications, and if contacted by phone about the cyberattack, to hang up immediately. Any malicious or suspicious communications should be reported to the police.

May 21, 2025: Ransomware Attack Causes System-wide Outage at Kettering Health

Kettering Adventist Healthcare (Kettering Health), a large health system with 14 medical centers and 120 outpatient facilities in western Ohio, has experienced “a system-wide technology outage” that has affected all 14 of its medical centers and disrupted its call center. The outage occurred on the morning of Tuesday, May 20, 2025, and without access to critical IT systems, the decision was taken to cancel scheduled inpatient and outpatient procedures on Tuesday.

The medical centers remain open, and emergency rooms are continuing to accept patients. The staff is working on established downtime procedures and reverting to pen and paper to record patient information while IT systems are offline. The IT team is working around the clock to investigate the incident and bring systems back online safely and securely. “We have procedures and plans in place for these types of situations and will continue to provide safe, high-quality care for patients currently in our facilities,” explained Kettering Health in a website announcement.

According to CNN, which obtained a copy of a ransom note, this was a ransomware attack by the Interlock ransomware group, a threat group with a history of double extortion attacks on the healthcare sector. The Interlock ransomware group breaches networks, identifies data of interest, exfiltrates files, and uses ransomware to encrypt files. The ransom must be paid to prevent the publication of the stolen data on its dark web data leak site and to obtain the keys to decrypt the data. Interlock was behind the recent ransomware attacks on the kidney dialysis service giant DaVita, Brockton Neighborhood Health Center in Massachusetts, the Drug and Alcohol Treatment Service in Pennsylvania, and Texas Tech University Health Sciences Center.

“Since it first emerged back in October 2024, we’ve tracked 16 confirmed attacks via this group, while a further 17 remain unconfirmed by the victims involved. Today, Interlock also came forward to claim a large-scale attack on West Lothian Council, UK, which has been disrupting its school network for over a week,” Rebecca Moody, Head of Data Research at Comparitech, told The HIPAA Journal. “While this attack on Kettering Health is in its early stages, it’s highly likely Interlock will have stolen data and will release this if its ransom demands aren’t met.”

The investigation is still in the early stages, and Kettering Health is not yet in a position to state to what extent, if any, patient data has been stolen. The healthcare system confirmed that the outage was caused by a cyberattack, but has not verified that this was a ransomware attack. The Interlock ransomware group claims to have “secured your most vital files” and has threatened to publish the stolen data if Kettering Health refuses to negotiate payment.

Within a few hours of the announcement, Kettering Health issued a warning about scam calls. “We have confirmed reports that scam calls have occurred from persons claiming to be Kettering Health team members requesting credit card payments for medical expenses,” explained Kettering Health. “While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice.”

This post will be updated as further information becomes available.
