Most Notable Healthcare Cyberattacks of 2025 and Their Impact on Patient Safety

Internet of Things (IoT) devices are integrated into nearly every facet of our daily lives. Within a healthcare setting, Internet of Medical Things (IoMT) devices enable organizations to provide best-in-class patient care through continuous monitoring, diagnostics, and remote treatment. However, these devices often lack robust security controls, making them prime targets for opportunistic threat actors.

Healthcare organizations have long been prime targets for cyberattacks due to their vast stores of sensitive patient data and minimal tolerance for downtime. As of May 2025, 311 healthcare data breaches, each affecting 500 or more individuals, have been reported to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). A 2025 Health-ISAC report also highlighted insecure Internet of Medical Things (IoMT) devices as a top concern, alongside persistent threats like ransomware. Cyber threats remain a persistent risk for healthcare, making it essential for organizations to take a proactive approach to cybersecurity and treat it as a core component of resilient care delivery. This means reducing the targetable attack surface and deploying security solutions designed to minimize the impact of an incident before it escalates into a data breach.

Healthcare Cyberattacks Are on the Rise

For healthcare organizations, cyber incidents continue to undermine both patient care and trust. The most significant breaches of 2025 reveal how attacks on highly connected systems can have far-reaching consequences, disrupting access to care and compromising sensitive health data.

Under the Health Insurance Portability and Accountability Act (HIPAA), organizations are required to report breaches affecting 500 or more individuals to the HHS OCR, yet the scale and frequency of recent incidents suggest that compliance alone is not enough to protect patients or maintain long-term trust.

These breaches through the years indicate an alarming trend: cyberattacks in healthcare are only increasing in complexity, scale, and impact.

Frederick Health Medical Group, January 2025

In one of the largest single-provider breaches reported in early 2025, Frederick Health Medical Group filed a mandatory breach notification after a ransomware event compromised the data of nearly 1 million individuals. No threat actor publicly claimed responsibility for the attack, which raises the question of whether Frederick Health elected to pay the ransom demand. Exfiltrated data included:

  • Patient names
  • Addresses
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Medical record numbers
  • Health insurance information
  • Clinical information related to patient care

DaVita Inc., April 2025

Kidney dialysis provider DaVita first became aware of a cyber breach in mid-April 2025. However, attackers had gained access to the network weeks earlier, in March, and used the time to exfiltrate large volumes of personal, financial, and medical data. While no threat actor initially claimed responsibility, the ransomware group Interlock later admitted to stealing 1.5 TB of sensitive data tied to over 900,000 individuals. The stolen data included:

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license and ID card numbers
  • Social Security numbers
  • Health insurance information
  • Lab results and clinical treatment data
  • Financial and billing records

DaVita offered credit monitoring and identity protection while a federal investigation into the breach continues.

Texas Digestive Specialists, July 2025

On July 24, 2025, the gastroenterology group Texas Digestive Specialists reported a ransomware attack that compromised the data of 41,521 patients. While the breach was disclosed in July, threat actors had gained unauthorized access to sensitive information as early as May. Although no group claimed responsibility, the incident is believed to be the work of the Interlock ransomware gang. The clinic offered free credit monitoring to affected patients and issued public notices via its website, mail, and print publications. 

Change Healthcare, February 2024

The ransomware attack against Change Healthcare is widely regarded as one of the largest healthcare cyberattacks to date. Orchestrated by the ALPHV/BlackCat group, the attack caused nationwide disruptions to pharmacy services, delayed reimbursements, and placed significant financial strain on healthcare organizations across the country.

Although the initial intrusion occurred in February 2024, the fallout extended well into 2025, ultimately impacting over 192 million individuals. The vast volume of exfiltrated data included:

  • Names
  • Dates of birth
  • Social Security numbers
  • Insurance information
  • Medical records and treatment data
  • Prescription history
  • Claims processing and billing data

Fred Hutchinson Cancer Center, December 2023

On December 14, 2023, plaintiffs filed a class action lawsuit against Fred Hutchinson Cancer Center alleging that unauthorized access to protected health information (PHI) allowed attackers to send threatening emails. According to the allegations, the emails claimed that cybercriminals had data for more than 800,000 patients, including:

  • Names
  • Social Security numbers
  • Medical history

Further, the complaint alleges that each email requested $50 from the patient to have the information scrubbed from the dark web. According to the court document, at least 300 current and former patients reported receiving one of these emails. 

McLaren Health Care, November 2023

The cybercriminal gang BlackCat deployed a ransomware attack against the healthcare delivery organization (HDO) in August 2023, stealing the sensitive personal health information of 2.5 million patients. Although the exact number and identities of affected patients are not known, McLaren reported that it was investigating reports of cybercriminals making patient data available on the dark web.

Beyond the impact on patient data, the HDO also took its computer network offline while investigating the incident, disrupting patient care across its facilities, which also includes one of Michigan’s largest networks of cancer centers and providers. 

HCA Healthcare, July 2023

Cybercriminals stole patient data from an external storage location that HCA Healthcare used to automate email message formatting. The HDO discovered the exposure of approximately 11 million patient records across 27 million rows of data when cybercriminals released it on an online platform. The data that these attackers stole included the following information:

  • Patient name
  • City
  • State
  • Zip code
  • Email address
  • Telephone number
  • Date of birth
  • Gender 
  • Service date
  • Date of next appointment

Within a week, affected parties filed a class action lawsuit alleging that HCA Healthcare violated its obligations under the FTC Act, HIPAA, and contract law. The lawsuit requests a jury trial and seeks to recover damages and plaintiffs' legal expenses, and to compel implementation of additional security controls and engagement of third-party penetration testers and security auditors.

Sutter Health, May 2023

Sutter Health's third-party contractor Welltok, Inc. used the MOVEit file transfer program. On May 30, 2023, attackers accessed the vendor's systems, stealing patient PHI that included:

  • Names
  • Dates of birth
  • Health insurance information
  • Provider names
  • Treatment cost information
  • Treatment information
  • Diagnoses

Since Welltok failed to notify patients until late October 2023, both companies have been sued in the state of California for potentially violating state and federal laws. Depending on the outcome, victims may be entitled to monetary damages of $1000 per violation. 

Mitigating Data Breach Risks by Securing IoT Devices

In light of the potential for HIPAA fines and increased regulatory data protection oversight, HDOs need solutions that enable them to build holistic programs across all devices that threat actors can use to achieve their attack objectives. 

Create an IoT Asset Inventory

Incorporating IoT devices into your security program is critical. The first step is to identify and categorize them as part of your asset inventory. However, since active scanning by traditional IT tools can take these devices offline, HDOs need a passive discovery solution that inspects packets rather than initiating traffic. Any chosen solution should provide the following information about each connected device:

  • Manufacturer
  • Model
  • Operating systems and versions
  • Software and versions
  • Applications
  • IP address
  • MAC address
  • Port numbers
  • Hostname

Identify Vulnerabilities

Any vulnerability can give attackers a way to access your networks and systems. While on the IT side you may be able to identify a known vulnerability such as the one exploited in MOVEit, you still need a solution that mitigates risk for your IoT fleet while integrating with the data from your other vulnerability monitoring tools.

As you bring these devices into your overarching vulnerability management program more purposefully, you need a solution that aggregates and analyzes IoT vulnerability data, including:

  • Manufacturer-supplied security data
  • Open-source software components
  • Vulnerability criticality
  • Current attack methods using the vulnerability

Additionally, this solution should provide simple, short, and effective remediation suggestions to make securing your IoT fleets easier. Some examples of alternative clinically validated methods might include:

  • Deactivating unnecessary services without impacting critical function.
  • Blocking risky services with a Network Access Control (NAC) tool.
  • Hardening vulnerable devices by updating their configurations.
  • Implementing micro-segmentation when altering configurations would affect device operations.

Monitor for Abnormal Activity

Threat actors can use any asset connected to your network as part of their attack. Even if they gain access using a traditional IT asset, they can still use an IoT device as part of lateral movement or escalation of privileges. 

Your security monitoring should include IoT devices by establishing a baseline of normal behavior so that your security team can identify abnormal activity that might indicate attackers misusing them. When security teams incorporate this data, they can build high-fidelity alerts that enable them to more rapidly detect attacks, reducing impact. 
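As an added illustration (not code from the original post or from Asimily), the following Python sketches the passive inventory described under "Create an IoT Asset Inventory" and the behavioral baseline described just above: it builds a per-device inventory from constructed flow records of the kind a SPAN/TAP sensor might emit, then flags a device contacting a destination and port never seen during the baseline window. The OUI-to-vendor table, MAC addresses, IPs and hostnames are all constructed placeholders.

```python
# Constructed vendor lookup keyed by the first three octets of the MAC (placeholder
# values, not real OUI assignments).
OUI_TABLE = {"02:1b:44": "ExampleImaging (constructed)", "02:5e:60": "ExamplePumps (constructed)"}

# Constructed flow records as a passive sensor might emit them from a SPAN/TAP feed,
# so no probes are ever sent to the devices:
# (src_mac, src_ip, dst_ip, dst_port, hostname_seen_in_dhcp_or_None)
BASELINE_FLOWS = [
    ("02:1b:44:11:3a:b7", "10.20.1.15", "10.20.5.2", 104, "ct-scanner-01"),   # DICOM to PACS
    ("02:1b:44:11:3a:b7", "10.20.1.15", "10.20.5.9", 2575, None),             # HL7 to interface engine
    ("02:5e:60:22:9c:01", "10.20.1.40", "10.20.5.9", 2575, "infusion-pump-07"),
]
NEW_FLOWS = [
    ("02:5e:60:22:9c:01", "10.20.1.40", "10.20.5.9", 2575, None),    # matches the baseline
    ("02:5e:60:22:9c:01", "10.20.1.40", "10.20.1.15", 445, None),    # pump to scanner on SMB: never seen
]

def build_inventory(flows):
    """Passive inventory keyed by MAC: vendor, observed IPs, DHCP hostname, and (dst_ip, port) peers."""
    inventory = {}
    for mac, src_ip, dst_ip, dst_port, hostname in flows:
        dev = inventory.setdefault(mac, {
            "manufacturer": OUI_TABLE.get(mac[:8], "unknown"),
            "ips": set(), "hostname": None, "peers": set(),
        })
        dev["ips"].add(src_ip)
        dev["peers"].add((dst_ip, dst_port))   # the device's normal communication pattern
        if hostname:
            dev["hostname"] = hostname
    return inventory

def find_anomalies(baseline, flows):
    """Return flows whose (dst_ip, dst_port) pair was never seen for that device in the baseline."""
    alerts = []
    for mac, src_ip, dst_ip, dst_port, _ in flows:
        known = baseline.get(mac, {}).get("peers", set())
        if (dst_ip, dst_port) not in known:
            alerts.append({"mac": mac, "hostname": baseline.get(mac, {}).get("hostname"),
                           "src_ip": src_ip, "dst": f"{dst_ip}:{dst_port}"})
    return alerts

if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    for mac, dev in inv.items():
        print(mac, dev["manufacturer"], dev["hostname"], sorted(dev["ips"]), sorted(dev["peers"]))
    for alert in find_anomalies(inv, NEW_FLOWS):
        print("ANOMALY:", alert)
```

In production the baseline would be learned over days of traffic and keyed on richer features (protocol, byte volume, time of day), but the check stays the same: a device talking to something outside its learned pattern is the high-fidelity signal the section above describes.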

Collect Forensic Data

If you experience a security incident, you need to have forensic data available to provide answers to regulatory and law enforcement agencies. By incorporating IoT into your forensic data capture, you can correlate and analyze it with other information, including:

  • RAM information from servers
  • Traffic information from network devices
  • Data transferred to an FTP server

Report to Leadership and Board of Directors

Senior leadership teams and boards of directors need the appropriate visibility into their security risk. They need the right combination of technical data with visualizations that provide insights into trends. Your senior leadership team and directors need high-level insights that include:

  • Trends over time
  • Number of devices categorized as high-impact and high-risk
  • Vulnerabilities remediated within a specified time period
  • Categories of anomalous behavior and technical risks

When armed with this type of information, these stakeholders can make informed decisions about current security posture and future investments. 

Asimily: Reduce Data Breach Likelihood and Impact

Asimily provides comprehensive context into an HDO’s connected device environment when calculating likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls, so you can more appropriately prioritize remediation activities.

HDOs efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS, Manufacturer Disclosure Statements for Medical Device Security (MDS2s), Software Bills of Materials (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily clients are 10x more efficient because the Asimily platform can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s clinically validated recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.