In early March of 2025, several different healthcare organizations disclosed data breaches that impacted over 560,000 people. The breaches themselves happened anywhere from three months to almost a year prior, but the notifications all came at the same time, mostly due to HIPAA’s 60-day notification rule.
First up: Sunflower Medical Group, based out of Kansas. They identified suspicious activity in early January; with the help of a cybersecurity firm, they discovered there had been hackers inside their systems since mid-December of 2024. Approximately 221,000 patients had their data accessed, including name, address, date of birth, social security number, and more. Later, the Rhysida ransomware gang took credit for the attack, which isn’t surprising – they have repeatedly targeted non-profits and healthcare facilities.
Hillcrest Convalescent Center, a North Carolina-based nursing home and rehab center, was next up – in February, they discovered hackers had been infiltrating their data since June of 2024. 106,194 individuals had their name, date of birth, social security number, credit card information, and details of their medical treatments stolen (ouch). No group has taken credit for the attack, and to date it seems none of the information has been leaked.
Gastroenterology Associates of Central Florida detected a breach going back almost a full year, to April of 2024. The breach impacted the names, dates of birth, social security numbers, and health information of over 122,000 individuals. The culprit behind this attack was the BianLian ransomware group.
Finally, Rhysida ransomware struck again – this time at Community Care Alliance in Rhode Island. An investigation showed that data was leaked going back to July 2024; over 115,000 people had not only their personal information (name, date of birth, social security number, etc.) leaked but also their medical information, such as diagnosis, lab results, treatment information, and insurance details.
Why is healthcare such an attractive target?
The obvious answer is the sheer wealth of sensitive information provided by a breach. Getting your name and e-mail stolen is annoying; getting your credit card number stolen is scary; getting your social security number and private medical information stolen is a nightmare. Ransomware is particularly effective; organizations can’t risk not having access to patient records and delaying treatment, which could potentially have serious consequences.
Smaller healthcare providers might find themselves targeted because they don’t have the staff or resources to implement a full stack of security tools. When faced with a limited budget, it’s hard to make the argument for investing in cybersecurity vs. patient care. And then, there are many different answers to “how do we become secure” — SASE, SD-WAN, ZTNA, endpoint protection, identity and access management (IAM) – the list goes on.
Small steps, big results
The best answer for healthcare providers is to look for small ways to get big wins. The most obvious answer to controlling risk is to control access – a solution that can control access not only to your network but also your applications is key. According to a Ponemon Institute report, healthcare organizations contract with an average of almost 1,950 third-party vendors to provide services like cloud-based applications, custom software, and hardware. That’s a lot of logging in!
Next, get rid of passwords – with over 80% of all data breaches traced to compromised credentials, this would prevent a significant number of attacks before they even start.
By starting with access control and moving toward passwordless authentication, healthcare providers can make immediate strides in securing sensitive data. In an industry where every login can represent a potential vulnerability, simplifying and securing access isn’t just smart — it’s essential.