The largest health-care breach in U.S. history was disclosed in 2024, and the numbers still stagger. UnitedHealth’s Change Healthcare clearinghouse has now told regulators that the February 2024 ransomware attack exposed the data of roughly 192.7 million people, well over half the country. The attackers got in through a remote-access portal using compromised credentials on an account that had no multifactor authentication. The fallout snarled claims and prescription processing nationwide and pushed basic questions of cyber hygiene from back-office concern to the center of patient care.
Scale is not easing elsewhere. HHS’s breach portal lists 725 large incidents (500 or more individuals each) reported in 2024, exposing more than 275 million individuals’ records, a total driven in part by the Change Healthcare hack but not defined by it. The FBI’s 2024 Internet Crime Report again ranked health care as the critical-infrastructure sector with the most reported complaints, a mix of ransomware and data-breach incidents that underscores how persistent the problem has become.
Why the fixation on hospitals and insurers? Stolen medical files can be monetized again and again. Unlike a credit-card number that can be canceled in minutes, elements of a health record—diagnoses, insurance IDs, and often Social Security numbers—are durable. Markets shift, but credible estimates in the last two years place the price of a single medical record anywhere from tens to hundreds of dollars, and in some cases up to four figures; meanwhile, a stolen credit card can trade for only a few dollars. Even if the exact ratios vary, criminals understand the basic economics.
The financial costs for providers remain the highest of any industry. IBM’s 2024 analysis pegged the average healthcare breach at about $9.8 million. Its 2025 report shows health care still leading all sectors globally at $7.42 million on average, while the average cost of a U.S. breach across industries rose to a record $10.22 million. Regardless of year-to-year movement, health care continues to be the most expensive place to get breached, which aligns with what patients and clinicians feel when systems go dark.
The patient-safety consequences are no longer theoretical. Peer-reviewed research and federal warnings have documented how attacks delay care, force diversions, and degrade outcomes at both the targeted hospital and its neighbors absorbing overflow. When pathology networks or EHRs go offline, emergency metrics worsen; in some studies, clinicians report higher mortality or complication rates during and after major incidents.
Regulators are moving, albeit haltingly, toward stronger baselines. HHS has proposed the first significant update to the HIPAA Security Rule in more than a decade, with requirements that touch multifactor authentication, risk assessments, vendor oversight, segmentation, and incident response. The agency’s broader concept paper and healthcare-specific Cybersecurity Performance Goals aim to pair incentives for smaller hospitals with clearer expectations for everyone else. Meanwhile, ARPA-H’s UPGRADE initiative is funding software to speed vulnerability remediation for medical devices and clinical systems. There is pushback over cost and implementation, but the direction of travel is unmistakable.
Hospitals cannot wait for final rules to shore up their defenses. Six priorities tend to separate organizations that absorb attacks from those that are immobilized.
First, make identity the new perimeter. Enforce phishing-resistant multifactor authentication (FIDO2/WebAuthn security keys or platform authenticators rather than SMS codes or push prompts) for clinicians, contractors, and vendors. Remove standing administrative privileges, issue just-in-time access for high-risk tasks, and monitor for anomalous sign-ins and privilege use. Change Healthcare’s compromise, which began with a valid but stolen credential on an account with no MFA, remains the cautionary tale: perimeter hardening does not help when an attacker can simply log in.
Second, segment ruthlessly. Keep billing, imaging, lab systems, and medical devices on well-defined, access-controlled network zones with egress filtering. Flat networks let intruders sprint from a phished inbox to a radiology workstation in minutes; segmented networks force them to stumble. Joint advisories from CISA, FBI, and HHS highlight segmentation and least-privilege as table stakes against groups like ALPHV/BlackCat.
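To make the flat-versus-segmented distinction concrete, here is an added example, not code from this article or from CyLogic, that evaluates constructed flow records against a hypothetical zone allowlist with default-deny between zones and default-deny egress. The zone names, address ranges, allowed port pairs and sample flows are all assumptions chosen for illustration; a real deployment would express the same policy in firewall or NAC rules and run the audit against actual flow logs.

```python
"""Zone-policy audit over constructed flow records (added example, assumptions throughout)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones for a mid-size hospital network; address ranges are constructed.
ZONES = {
    "user": ip_network("10.10.0.0/16"),      # clinician workstations, inboxes
    "billing": ip_network("10.20.0.0/24"),
    "imaging": ip_network("10.30.0.0/24"),   # PACS, modality workstations
    "lab": ip_network("10.40.0.0/24"),
    "meddev": ip_network("10.50.0.0/24"),    # infusion pumps, monitors
}

# Allowlist of (src_zone, dst_zone, dst_port). Anything not listed is denied,
# including internet egress ("external") from the imaging and device zones.
ALLOW = {
    ("user", "billing", 443),
    ("user", "imaging", 443),      # web viewer only; no SMB/RDP into radiology
    ("billing", "external", 443),  # clearinghouse API
    ("user", "external", 443),
    ("user", "external", 80),
}


def zone_of(addr):
    """Map an address to its zone; anything outside the defined ranges is external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def evaluate(flow):
    """Return (verdict, src_zone, dst_zone); intra-zone traffic is allowed, the rest is allowlisted."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", src_zone, dst_zone
    verdict = "allow" if (src_zone, dst_zone, flow.dport) in ALLOW else "deny"
    return verdict, src_zone, dst_zone


def audit(flows):
    """Return the flows a segmented network would block: exactly the lateral-movement
    and exfiltration paths that a flat network would have permitted."""
    return [(f, s, d) for f in flows for v, s, d in [evaluate(f)] if v == "deny"]


# Constructed flows modelling a phished workstation reaching for radiology over
# SMB and RDP, and a modality workstation beaconing to the internet.
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.20.0.10", 443),    # user -> billing web: allowed
    Flow("10.10.4.21", "10.30.0.15", 445),    # user -> imaging SMB: blocked
    Flow("10.10.4.21", "10.30.0.15", 3389),   # user -> imaging RDP: blocked
    Flow("10.30.0.15", "203.0.113.7", 443),   # imaging -> internet: blocked by egress rule
    Flow("10.50.0.8", "10.50.0.9", 2575),     # pump -> monitor, same zone: allowed
]

if __name__ == "__main__":
    for flow, s, d in audit(SAMPLE_FLOWS):
        print(f"BLOCK {s:>8} -> {d:<8} {flow.src} -> {flow.dst}:{flow.dport}")
```

Running the audit over the constructed flows flags three of the five: the two attempts from the user zone into imaging on SMB and RDP, and the imaging workstation's outbound HTTPS, which the egress rule stops even though the same port is permitted from billing. That asymmetry is the point of per-zone egress filtering: a compromised modality workstation has no business reaching the internet at all.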
Third, assume ransomware will hit and practice how you will operate through it. Maintain offline, immutable backups; build and rehearse downtime procedures for admissions, medication reconciliation, and imaging; and pre-stage contracts for incident response and breach notification. Clinical continuity planning is as essential as technical recovery.
Fourth, fix what you own—and know what you have. Maintain an accurate inventory of assets and software, patch high-impact vulnerabilities on a schedule patients can live with, and require software bills of materials from vendors. Federal funding through ARPA-H is explicitly aimed at making this drudgery faster and safer.
Fifth, treat your supply chain as an extension of your network. Update business-associate agreements to require rapid notification, MFA, encryption, and tabletop exercises; the HIPAA Security Rule proposal points in this direction by tightening vendor obligations and timelines. The next breach may not start on your premises.
Sixth, minimize and encrypt the data you keep. De-identify wherever possible, tokenize payment and claims data so that working copies carry no direct identifiers, and encrypt at rest and in transit; HHS’s proposed Security Rule update would make that encryption a required specification rather than an addressable one. The logic is practical, not merely regulatory: exfiltrated data that attackers cannot read, or cannot map back to a patient without the token vault, bounds the harm of a breach.
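The following is an added example, not code from this article or from CyLogic, showing the two data-minimization steps named above on a constructed claims record: tokenizing direct identifiers through a vault so that processing systems hold only tokens, and de-identifying a copy for analytics. The record fields, the in-memory vault (standing in for an HSM- or KMS-backed service) and the simplified Safe Harbor-style generalization rules are assumptions; encryption at rest and in transit is a separate layer this example does not show.

```python
"""Field-level tokenization and de-identification of a claims record (added example)."""
import secrets
from copy import deepcopy

# Fields that identify the patient directly. Tokens replace them in working copies;
# the real values live only in the vault.
DIRECT_IDENTIFIERS = ("ssn", "member_id", "name")


class TokenVault:
    """In-memory stand-in (assumption) for an HSM- or KMS-backed token vault."""

    def __init__(self):
        self._forward = {}  # raw value -> token
        self._reverse = {}  # token -> raw value

    def tokenize(self, value):
        # Random tokens carry no information about the value, so a dump of tokenized
        # records cannot be reversed without the vault; the same value maps to the
        # same token so downstream joins still work.
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        return self._reverse[token]


def tokenize_record(record, vault):
    """Return a copy of the record with direct identifiers replaced by vault tokens."""
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def deidentify_record(record):
    """Return an analytics copy: drop direct identifiers and generalize quasi-identifiers
    (simplified Safe Harbor-style rules, an assumption): birth year only, ZIP to 3 digits."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in out:
        out["birth_year"] = out.pop("dob")[:4]
    if "zip" in out:
        out["zip3"] = out.pop("zip")[:3]
    return out


def contains_phi(record, raw_identifiers):
    """True if any raw identifier value still appears in the record's values."""
    return any(v in record.values() for v in raw_identifiers)


# Constructed sample claim; every value is fictitious.
SAMPLE_CLAIM = {
    "claim_id": "C-20240217-001",
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "member_id": "MBR-00042",
    "dob": "1964-07-19",
    "zip": "10012",
    "diagnosis": "E11.9",
    "amount": "184.50",
}

if __name__ == "__main__":
    vault = TokenVault()
    tokenized = tokenize_record(SAMPLE_CLAIM, vault)
    research_copy = deidentify_record(SAMPLE_CLAIM)
    print("processing copy:", tokenized)
    print("analytics copy: ", research_copy)
    # Only a caller with vault access can recover the member ID for adjudication.
    print("recovered:", vault.detokenize(tokenized["member_id"]))
```

The design choice worth noting is that the tokens are random rather than derived from the value: a hash-based token would let an attacker who stole the tokenized dataset test candidate SSNs or member IDs offline. With random tokens the vault, not the dataset, becomes the thing to protect, which is a far smaller surface to segment, log and monitor.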
None of this is “beyond HIPAA” so much as the modern expression of it. HHS’s 405(d) Health Industry Cybersecurity Practices—updated in 2023 and widely adopted as a common-sense playbook—translate these ideas into daily operations for organizations of every size. The guidance is voluntary, but the threat is not.
Health care is critical infrastructure, and that label is not rhetorical. When a clearinghouse shuts down, pharmacies cannot fill prescriptions. When a lab network is encrypted, surgeons postpone operations. If the past two years have taught us anything, it is that privacy and patient safety are now the same conversation.
---
CyLogic builds, operates, and continuously monitors dedicated cloud platforms for organizations that need full control over their data and the highest levels of security. If you want to stress-test your current posture or map a path to these controls, we’re ready to help.
