As of Oct. 3, 2025, 364 hacking incidents had been reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), affecting over 33 million Americans. To be clear, when a hacking incident is reported to OCR, it means that the health care records of the reported number of affected individuals have been stolen, in part or in full, by “bad guys” — most often foreign criminal hackers.

As appalling as that number may seem, we have become somewhat desensitized to the large numbers and the true impact of these crimes. The irony is that some may even feel relieved that “only” 33 million Americans have had their health care records stolen so far this year. Folks, we can assure you that that number is still far too high and should not be tolerated as the norm.

Those who are relieved by this year’s numbers really can’t be blamed, given what has transpired in the past couple of years. By the end of 2024, 259 million Americans’ protected health information (PHI) had been reported as hacked — a new record. That figure included the 192.7 million Americans whose health care records were stolen during the UnitedHealth Group/Change Healthcare ransomware attack. This attack was perpetrated by the notorious Russian ransomware group known as Blackcat/ALPHV. It is interesting to note that Change revised the number of individuals impacted upward over several months from 100 million, to 190 million and finally to 192.7 million.

In 2023, 138 million Americans had their PHI hacked in hundreds of breaches — an astounding number at the time, with the largest breaches resulting from attacks by the Russian ransomware group known as Clop that compromised a popular third-party secure file transfer technology known as MoveIt.

These shifting counts reveal some underlying major issues about cybersecurity in the health care field. Let’s take a look at what we’ve learned from the Change Healthcare attack and other breaches.

Lessons Learned

We’ve observed that the Change Healthcare breach and other reported cyberattacks contain patterns that hold true for breaches reported to HHS-OCR over the last several years, including 2025.

  • Over 80% of the stolen protected health information records were not stolen from hospitals — they were stolen from third-party vendors, software services, business associates, and nonhospital providers and health plans like the Centers for Medicare & Medicaid Services.
  • Over 90% of hacked health records were stolen outside of the electronic health record system.
  • 100% of the hacked data was unprotected by encryption at the point it was taken: either stolen credentials granted access to data that was otherwise encrypted, or the data was stored in an unencrypted format outside the EHRs.
  • A significant number of the reported hacks in 2024 and 2025 were ransomware attacks accompanied by data theft. This is known as double-layered extortion.

Furthermore, as demonstrated by the inconsistent tallies of those affected by the Change Healthcare attack, health care organizations, especially third-party providers, need to improve their data mapping and data security practices. With so many EHRs being exchanged among care providers, third parties, service lines and organizations, hospitals may have a murky understanding of where their data is, which third-party providers have access, and the volume of the data they have. That’s one reason why it’s critical to understand your internal and external cyber risk exposure and to have a strategic third-party risk management program.

The First Step to Preventing and Mitigating a Cyberattack: Understand Your Risk Environment

Before you can protect against data theft, you need to figure out exactly what you need to protect. How are you managing your data, and how secure is it? That requires a dynamic process that continuously maps your data, network, network traffic, applications and devices so you can maintain an accurate and up-to-date asset inventory — including your inventory of network-connected medical devices. Beyond that: how much of your data do your third-party service providers hold? Is your data encrypted? How strong is your email security? How current is your patch management? Weak identity and access management is also a major attack vector.

Understanding your cyber risk exposure should also extend to understanding third-party software cyber risk exposure. Whether in medical devices or revenue cycle applications, a software bill of materials (SBOM) may be helpful in identifying software-related vulnerabilities.

It’s important to ensure your technology vendors supply an SBOM, which the Cybersecurity and Infrastructure Security Agency defines as “a formal record containing the details and supply chain relationships of various components used in building software.” SBOMs are critical to understanding all the components of the software you are using. Nearly every piece of software you purchase contains subcomponents that are sourced from other authors. If a vulnerability is discovered in one of those subcomponents, the entire tool can be at risk. Knowing what those subcomponents are will help you better defend your environment. Make no mistake, SBOM monitoring is a complicated process, but there are services available to help you with this crucial task.
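To make the SBOM point concrete, here is an added example (not code from the AHA or from any vendor named on this page) of the check a security team would run against a vendor-supplied SBOM: walk every component, including nested subcomponents, and match each shipped version against an advisory feed. The SBOM is a constructed CycloneDX-style document for a hypothetical application, and the advisory IDs, component names and version ranges are all placeholders invented for the example, not real CVEs or real products.

```python
import json
from typing import Iterator

# Constructed CycloneDX-style SBOM for a hypothetical vendor application.
# Component names are made up; nothing here refers to a real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "application", "name": "claims-portal", "version": "4.2.0",
      "components": [
        {"type": "library", "name": "example-xml-parser", "version": "2.10.3"},
        {"type": "library", "name": "example-tls-lib", "version": "3.0.12"}
      ]
    },
    {"type": "library", "name": "example-log-helper", "version": "1.4.1"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
# A component is affected when introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "example-xml-parser",
     "introduced": "2.9.0", "fixed_in": "2.11.0"},
    {"id": "ADV-EXAMPLE-002", "name": "example-tls-lib",
     "introduced": "3.0.0", "fixed_in": "3.0.10"},
    {"id": "ADV-EXAMPLE-003", "name": "example-log-helper", "fixed_in": "1.4.2"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3); a non-numeric suffix such as '3rc1' is truncated to 3."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b; pads so that 2.11 equals 2.11.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def walk_components(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, component) for every component, recursing into nested
    'components' lists so transitive subcomponents are inventoried too."""
    for comp in components:
        here = path + (comp["name"],)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_affected(sbom_text: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair where the shipped
    version falls inside the advisory's affected range."""
    sbom = json.loads(sbom_text)
    findings = []
    for path, comp in walk_components(sbom.get("components", [])):
        version = comp.get("version")
        if version is None:
            continue  # an unversioned entry cannot be matched against a range
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            introduced = adv.get("introduced", "0")
            if version_lt(version, introduced) or not version_lt(version, adv["fixed_in"]):
                continue  # below the introduced version or already fixed
            findings.append({
                "advisory": adv["id"],
                "component": comp["name"],
                "version": version,
                "path": " > ".join(path),
                "fixed_in": adv["fixed_in"],
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['path']} {f['version']} (fixed in {f['fixed_in']})")
```

The `path` field is the useful part for the third-party risk conversation: it records that the vulnerable library arrived inside the vendor's application, so the remediation owner is the vendor, not the hospital's own patch process. A real deployment would replace the inline advisory list with a feed keyed on package URLs rather than bare names, since the same name can refer to different ecosystems.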

Once You Know What You Have, Implement Best-practice Defense Measures

You can reduce a large amount of your cyber risk by enacting basic cybersecurity practices. Three of the top frameworks you may choose as your guide are:

  • Department of Health & Human Services (HHS) Cybersecurity Performance Goals (CPGs). Created in cooperation with the Healthcare and Public Health Sector Coordinating Council, HHS and the AHA, these goals encourage the voluntary implementation of high-impact cybersecurity practices. The CPGs are designed to defend against the most common tactics used by cyber adversaries to attack health care and related third parties, such as exploitation of known technical vulnerabilities, phishing emails and stolen credentials. Learn more and find additional support for your cybersecurity program from the AHA and AHA cybersecurity provider partners that deliver dedicated resources and special offerings to help your organization meet the CPGs.
  • Healthcare Industry Cybersecurity Practices (HICP). HICP publications outline the top threats facing the Healthcare and Public Health Sector and provide recommendations and best practices to prepare for and fight against cybersecurity threats that can impact patient safety.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize and communicate its cybersecurity efforts.

Stay tuned for part 2 of this blog, which explores in detail three more cyber and risk lessons we learned in 2025: the importance of third-party risk management, why clinical continuity preparedness is a must, and how the rise in artificial intelligence helps and hinders cybersecurity.
