Posts

Showing posts from December, 2025

Healthcare Cybersecurity Insights: Dec 25 - Dec 31, 2025

Australia reports a massive 50% drop in health record data breaches following the widespread adoption of passkeys

The Office of the Australian Information Commissioner (OAIC) has released a promising new report indicating a 50% decline in data breaches affecting the country's national "My Health Record" system over the past year. This significant reduction is largely attributed to the integration of biometric passkey security within the myGov public services app, which has effectively curbed widespread identity scams and unauthorized access. During the 2024-2025 reporting period, the OAIC received only 18 breach notifications related to the system, down from 39 the previous year. Additionally, privacy complaints regarding the system plummeted, with only three filed compared to 15 previously. The report underscores the effectiveness of modern authentication methods in protecting sensitive patient data, such as prescriptions and hospital summaries, against increasingly soph...

Three major U.S. healthcare providers agree to class-action settlements to resolve significant data breach lawsuits

Three prominent U.S. healthcare providers have agreed to settle class-action lawsuits following significant data breaches that compromised patient information. Hypertension Nephrology Associates (Pennsylvania) agreed to a $625,000 settlement after a ransomware attack exposed the data of nearly 40,000 patients. Similarly, Asheville Arthritis and Osteoporosis Center (North Carolina) established a $500,000 settlement fund to resolve claims related to a breach affecting over 58,000 individuals. Intermountain Planned Parenthood (Montana) also reached a settlement for a breach involving nearly 57,000 patients, though the total fund amount varies based on claims. In all three cases, the lawsuits alleged negligence in failing to implement reasonable security protections and delays in notifying victims. The settlements allow affected patients to claim reimbursement for out-of-pocket losses, lost time, and credit monitoring services. These agreements highlight the growing legal and financial acc...

Experts warn that your health tech gadgets could be vulnerable access points for cybercriminals

With the holiday shopping season concluding, cybersecurity experts are issuing warnings about the privacy risks hidden within popular health tech gadgets. Smartwatches, sleep trackers, and meditation apps, often purchased during Cyber Monday sales, can serve as invasive data collection points if not properly secured. The American Health Information Management Association (AHIMA) highlights that unlike clinical devices, many consumer wearables fall outside HIPAA regulations, meaning their data protection standards vary wildly. Privacy policies are often vague, potentially allowing sensitive health metrics to be shared with third-party advertisers or data brokers. Experts advise users to rigorously audit app permissions—denying access to contacts or microphones unless essential—and to prioritize devices from reputable developers with a history of regular security updates. Furthermore, users are urged to treat these devices as endpoints that require strong, unique passwords and two-factor...

Researchers propose a new Blockchain-Empowered Federated Learning (BCFL) framework to secure EHRs while enabling AI development

A new study published in Scientific Reports proposes a robust solution to the privacy challenges plaguing centralized Electronic Health Record (EHR) systems. Researchers have developed the Enhanced Privacy-Preserving Blockchain-Enabled Federated Learning (EPP-BCFL) framework, designed to eliminate single points of failure while enabling secure AI collaboration. The system combines blockchain technology for tamper-proof, decentralized record-keeping with federated learning, allowing hospitals to train shared AI models without ever exchanging raw patient data. To further enhance security, the framework integrates differential privacy and secure multi-party computation. Performance tests using standard datasets revealed impressive results: the model achieved 95.2% accuracy while reducing network latency by 43% compared to traditional methods. Crucially, the system demonstrated high resilience against data poisoning and adversarial attacks, maintaining over 93% accuracy even under active ...

Australia reports a massive 50% drop in health record data breaches following the widespread adoption of passkeys

The Office of the Australian Information Commissioner (OAIC) has released a promising new report indicating a 50% decline in data breaches affecting the country's national "My Health Record" system over the past year. This significant reduction is largely attributed to the integration of biometric passkey security within the myGov public services app, which has effectively curbed widespread identity scams and unauthorized access. During the 2024-2025 reporting period, the OAIC received only 18 breach notifications related to the system, down from 39 the previous year. Additionally, privacy complaints regarding the system plummeted, with only three filed compared to 15 previously. The report underscores the effectiveness of modern authentication methods in protecting sensitive patient data, such as prescriptions and hospital summaries, against increasingly sophisticated cyber threats. While the OAIC praised these security advancements, it also recommended greater transpare...

Healthcare cybersecurity insights: 18th December - 24th December

Minnesota provider Madison Healthcare Services notifies patients of a cybersecurity incident exposing personal and health information

Madison Healthcare Services (MHS), a community-based provider in western Minnesota, has initiated a breach notification process following the discovery of unauthorized access to its internal network. Forensic investigations revealed that a third party maintained access to specific files between July and August 2025. While the full scope of the compromise is still under review, MHS has confirmed that the exposed data potentially includes Protected Health Information (PHI). This incident highlights the persistent vulnerability of rural healthcare providers, who often face the same sophisticated threat vectors as larger systems but with fewer dedicated cybersecurity resources. The organization has responded by engaging external cybersecurity specialists to secure the network and determine the precise extent of the data exfiltration. For healthcar...

Zurich-based healthcare provider AMEOS Group shuts down systems after confirming unauthorized access to sensitive data

The AMEOS Group, a major healthcare network operating across the DACH region (Germany, Austria, and Switzerland), has been forced to disconnect its IT systems from the internet following a confirmed cyberattack. The Zurich-based provider, which manages over 100 facilities, acknowledged that external actors gained unauthorized access to servers containing patient, employee, and partner data. This precautionary "digital blackout" is an increasingly common containment strategy intended to sever command-and-control links and prevent the lateral movement of malware, specifically ransomware, across interconnected hospital networks. The operational disruption caused by such a shutdown is significant, often reverting clinical workflows to manual, paper-based processes that can slow down patient care and administrative functions. AMEOS has filed criminal complaints and is working with forensic experts to assess the integrity of their data before bringing systems back online. This i...

South African pathology giant Lancet Laboratories fined R100,000 for failing to adequately report multiple data breaches

The Information Regulator of South Africa has issued an enforcement notice and a fine of R100,000 against Lancet Laboratories for its failure to adhere to the Protection of Personal Information Act (POPIA). The regulator cited the pathology group for neglecting to notify both the regulatory body and the affected data subjects in a timely manner following multiple security compromises. This enforcement action highlights a growing global trend where regulators are moving beyond penalizing the breach itself to strictly punishing failures in transparency and incident response protocols. For international health organizations operating in multi-jurisdictional environments, this serves as a reminder of the strict liability associated with breach notification timelines. The regulator explicitly criticized Lancet’s lack of urgency, noting that the delay in notification denied patients the opportunity to take protective measures against identity fraud. The penalty underscores that effecti...

Major health systems Sutter and Redeemer, and telehealth app Lemonaid, settle lawsuits for allegedly sharing patient data via tracking pixels

Sutter Health, Redeemer Health, and the telehealth platform Lemonaid Health have agreed to substantial settlements to resolve class-action lawsuits concerning the use of tracking technologies on their websites. The plaintiffs alleged that the use of third-party tracking pixels, such as those from Meta and Google, resulted in the unauthorized disclosure of sensitive patient data and browsing habits, effectively violating HIPAA privacy standards and state confidentiality laws. These settlements mark a significant development in the ongoing legal scrutiny surrounding "surveillance capitalism" tools embedded within patient portals and appointment scheduling pages. For legal and compliance teams in the healthcare sector, these cases serve as a stark warning regarding the integration of marketing technology with clinical platforms. The core issue revolves around the inadvertent transmission of PHI to tech giants without a Business Associate Agreement (BAA) in place. As part of th...

Minnesota provider Madison Healthcare Services notifies patients of a cybersecurity incident exposing personal and health information

Madison Healthcare Services (MHS), a community-based provider in western Minnesota, has initiated a breach notification process following the discovery of unauthorized access to its internal network. Forensic investigations revealed that a third party maintained access to specific files between July and August 2025. While the full scope of the compromise is still under review, MHS has confirmed that the exposed data potentially includes Protected Health Information (PHI). This incident highlights the persistent vulnerability of rural healthcare providers, who often face the same sophisticated threat vectors as larger systems but with fewer dedicated cybersecurity resources. The organization has responded by engaging external cybersecurity specialists to secure the network and determine the precise extent of the data exfiltration. For healthcare administrators and privacy officers, this event underscores the critical importance of network segmentation and anomaly detection in minimizing...

Cybersecurity in Healthcare Insights: 11th December - 17th December

New federal grant launches specialized mHealth cybersecurity training

Mobile health (mHealth) apps are booming, helping patients manage everything from diabetes to heart conditions on their phones. However, this convenience creates a massive security risk, as hackers increasingly target these apps to steal sensitive data. To fight this, the National Science Foundation has awarded a $400,000 grant to Dr. Honggang Wang at Yeshiva University’s Katz School. This funding will launch a specialized educational program designed to teach the next generation of cyber-defenders how to protect mobile health systems. The program includes a new course with seven detailed modules covering critical topics like wearable device security and biometric protection. Beyond just theory, the project will build an experimental platform where students can practice fighting off cyberattacks in realistic scenarios. This hands-on training is vital because a breach in mHealth isn't just about data pri...

European hospitals identify third-party vendors as primary weakness

A new report on cybersecurity in Europe has sounded an alarm: hospitals are moving too slowly to cut off hacked vendors. With European healthcare relying heavily on interconnected digital platforms for everything from prescriptions to imaging, a single hacked vendor can spread chaos across hundreds of hospitals instantly. The report found that while hospitals rely on these "upstream" vendors, only 13% have a tested "kill-switch" to immediately disconnect a compromised partner from their network. The delay is dangerous. The study reveals that it takes the average hospital about 10 hours to fully revoke a vendor's access after a breach is detected—far too long to stop ransomware from spreading. Ideally, this should happen in under 90 minutes. This "time-to-revoke" gap is now considered a top risk for patient safety. The report urges hospital boards to treat their software vendors as critical infrastructure. To stay safe, hospitals must demand contract...

Federal relief funding fails to reach most affected hospitals

Following the massive cyberattack on Change Healthcare, which paralyzed billing systems nationwide, the federal government launched a relief program to help hospitals stay afloat. However, new research from the University of Minnesota suggests this financial lifeline missed many of those who needed it most. The study analyzed the distribution of funds and found that the money largely went to hospitals that were already financially stable and had large reserves of cash. Meanwhile, smaller hospitals and clinics, which operate on thin margins, received very little support. The issue stems from how the relief program was structured. It was based on historical billing data that many smaller providers couldn't easily access or leverage during the crisis. As a result, the "safety net" worked well for big health systems but failed the vulnerable clinics that serve rural and low-income communities. The researchers argue that future relief efforts must be designed differently. I...

Healthcare leaders shift strategy from prevention to cyber resilience

For years, the main goal of hospital cybersecurity was simply to stop hackers from getting in. However, the massive cyberattack on Change Healthcare has forced the industry to accept a hard truth: total prevention is impossible. Security leaders are now shifting their focus to "cyber resilience." This means accepting that attacks will eventually happen and planning specifically for how to keep the hospital running while under siege. The goal is no longer just building higher walls, but ensuring the hospital can survive the breach. This new strategy prioritizes "downtime procedures"—the manual backups and paper-based plans that staff use when computers go dark. In the Change Healthcare incident, organizations that practiced these emergency plans recovered much faster than those that relied solely on digital defenses. Leaders are urging hospitals to rigorously test their backup systems, ensuring they aren't just theories in a binder. By treating a cyberattack l...

Healthcare IoT research prioritizes usability over essential security

The "Internet of Things" (IoT) in healthcare—which includes smartwatches, heart monitors, and connected hospital beds—is revolutionizing patient care by providing real-time data. However, a new systematic review of research reveals a worrying trend: the rush to adopt these gadgets is outpacing the security needed to protect them. The study found that most current research focuses heavily on making these devices easy to use and efficient, often treating security and privacy as an afterthought rather than a core requirement. This imbalance poses a significant danger. These devices collect deeply personal health data and transmit it over the internet, creating countless new entry points for hackers. If security isn't built in from the start, a simple smart sensor could become a gateway for a massive data breach. The review concludes that while the operational benefits of IoT are undeniable, the industry must pivot. Future development needs to prioritize "security by ...

Critical security flaws discovered in leading ultrasound and imaging software

Security researchers have discovered serious vulnerabilities in GE HealthCare’s popular Vivid ultrasound machines and their associated software. These flaws act like unlocked doors, potentially allowing hackers to break into hospital networks. If an attacker gains physical access to these machines or the network they run on, they could install ransomware. This malicious software locks up the system, making it impossible for doctors to perform scans or access patient images until a ransom is paid, effectively paralyzing patient care. The risks go beyond just financial loss. The identified weaknesses could allow attackers to steal sensitive patient data or even manipulate medical records, leading to incorrect diagnoses. While GE HealthCare has stated that current safety risks are controlled, the findings highlight a growing danger: medical devices are often the weak link in hospital security. Experts are urging hospitals to physically secure these devices, install software patches immedi...