Healthcare Cyberattacks Are on the Rise: Steps to Safeguard Your Organization
Cyberattacks remain one of the most serious threats facing the healthcare industry. Healthcare providers and their vendors handle sensitive and valuable health data, making them prime targets for cybercriminals.
The healthcare sector has seen a dramatic increase in large data breaches over the past decade. From 2010 to 2014, the industry experienced an average of 242 large breaches per year—each affecting the protected health information (PHI) of 500 or more individuals. Alarmingly, between 2020 and 2024, that number nearly tripled to an average of 713 breaches per year.
Data breaches in healthcare can result from actions and failures like theft, unauthorized access or improper data disposal. However, hacking and IT-related incidents are by far the most common. In 2024 alone, 721 large healthcare data breaches were reported, and 587 of those—over 81%—were caused by hacking or IT-related issues.
Not only are breaches more frequent, but they’re also larger in scope. The 2024 cyberattack on Change Healthcare remains the largest healthcare data breach to date, compromising the information of over 190 million individuals.
When a cyberattack compromises PHI, covered entities and business associates generally must:
- Provide written notice to affected individuals.
- Notify media outlets.
- Report the breach to relevant state agencies.
- Report the breach to the Office for Civil Rights (OCR), which enforces HIPAA compliance.
Healthcare entities that experience cyberattacks often face OCR investigations, potential enforcement actions and lawsuits from state attorneys general. In addition, these events frequently lead to costly class action settlements totaling millions of dollars.
Proactive Cybersecurity Measures Are Crucial
Given these risks, healthcare entities must act now to strengthen cybersecurity defenses. The HIPAA Security Rule requires covered entities and business associates to conduct annual security risk assessments. These assessments identify gaps in administrative, physical and technical safeguards.
Two additional critical steps to enhance cybersecurity include:
- Implementing multi-factor authentication (MFA).
- Developing a comprehensive cyber incident response plan.
Earlier this year, the Department of Health and Human Services (HHS) proposed updates to the HIPAA Security Rule that would mandate these and other protective measures to better safeguard PHI.
How We Can Help
Our firm is here to support your organization at every stage of cybersecurity preparedness and response. We offer services such as:
- Performing risk assessments, conducting cybersecurity tabletop exercises and evaluating cyber hygiene.
- Investigating and responding to cybersecurity incidents.
- Navigating data breach litigation and enforcement actions.
Planning ahead also means reviewing your cyber insurance policies to ensure adequate coverage and the ability to choose your preferred counsel, including Smith Anderson, when responding to a cyber incident. Contact David Senter, Hunter Bruton, Braden Rose or your regular Smith Anderson attorney to discuss how we can help safeguard your organization against cyber threats.