News|Articles|December 18, 2025
Cybersecurity and hospitals: Fewer victims in 2025, but looming threats
Author(s)Ron Southwick
The number of people affected by breaches dropped over the past year, but health systems face serious challenges.
Advertisement
Millions of Americans have once again suffered identity theft and been affected by cyberattacks aimed at hospitals and healthcare providers in 2025, but there is some good news.
Fewer people were affected by data breaches in health care over the past year, compared to 2024.
Through Dec. 12, there were 471 hacking incidents reported to the federal government, said John Riggi, national adviser for cybersecurity and risk of the American Hospital Association. Riggi reviewed data sent to the U.S. Department of Health & Human Services’ Office of Civil Rights, which tracks breaches and cyberattacks.
This year, 42.5 million people were impacted by cyberattacks in health care, Riggi says. In 2024,
“I am somewhat relieved … that it's only 42.5 million people,” Riggi says.
Still, Riggi notes that’s still a number of people, and hospitals and health systems face continued threats from cyberattacks.
He also offers an important caveat: Some breaches that may have occurred this year may not be reported, or even discovered, so that number could grow.
Plus, the scope of a data breach involving Oracle Health isn’t fully known, but some hospital systems, including
“We are watching closely breach reports which may be associated with the published Cerner/Oracle Health breach,” Riggi says. (
Given the possibility of other victims of the Oracle Health breach, or other undiscovered attacks, Riggi says the final number may surpass 42.5 million. “That number for 2025 may increase,” he says.
‘Better at fooling people’
Attackers are using AI tools to develop more polished “phishing” emails that entice people to click on links they shouldn’t, thus allowing hackers into systems. Scott Gee, deputy national advisor for cybersecurity and risk, says the emails from attackers are less likely to include stilted language and numerous typos.
“They're using AI to generate phishing emails that don't look like they were written by the Nigerian prince anymore,” Gee says. “They're much better at fooling people. AI is very capable of generating a good quality email.”
Attackers are using social engineering to deceive the “help desk” of information technology departments, Gee says. Some hackers are posing as the leaders of companies and getting the help desk to give them access into the organization.
“They call to impersonate the CEO and know everything about the CEO,” Gee says. “And the help desk being helpful, resets their password and enrolls their new multi-factor authentication device.”
Health systems are being infiltrated by a persistent problem, and that’s attackers finding software vulnerabilities that haven’t been repaired.
“Unpatched vulnerabilities continue to be the perennial issue,” Riggi says.
While hospitals and their third parties take time to identify and address vulnerabilities, attackers routinely learn of those weaknesses almost instantly and try to exploit them.
- Read more:
Cyberattackers are using AI faster
Risks from vendors
Most of the unpatched vulnerabilities are coming from software used by vendors and the third parties that hospitals are dealing with on a regular basis.
“That unpatched software is not software that the hospitals wrote, it's external software that we are constantly trying to keep up and patch,” Riggi says.
Hospitals and health systems continue to face significant threats to attacks aimed at the third-party vendors they’re utilizing on a day-to-day basis.
Over 80% of the attacks reported to the federal government originate from entities other than hospitals and health systems, Riggi says. The majority of breaches are aimed at third parties and business associates.
“We are doing the best we can to try to defend against cyber attacks,” Riggi says. “And I think that plays out in the numbers. Where are the bad guys going? They're not going to hospitals to steal data. They're going to our insecure, third party providers, service providers, technology insecure technology providers and insecure supply chain.”
The Change Healthcare cyberattack offers the most chilling example of the risk to hospitals from vendors and business partners. Nearly all hospitals were affected by the Change Healthcare attack, since the company, a division of United HealthGroup, handles business functions for so many hospitals.
“As we saw with Change Healthcare, hospitals can do everything right. But then there's one external, single point of failure. That third party that has network access or all the data, all your data, legitimately for business purposes, and then they get hacked,” Riggi says.
‘How prepared are you?’
With so many hospitals being affected by cyberattacks, even if they are aimed at third parties, Riggi says health systems are paying more attention to the risks of disruptions from breaches.
Hospital CEOs and boards are focusing more on cybersecurity, and the risks from vendors. Riggi also says he’s encouraged by the greater sharing of intelligence from federal authorities about threats, including those coming from attackers based in other countries.
Still, as Riggi says, no one is immune from attacks. Hospitals must do what they can to prevent attacks, but they also need solid plans to maintain operations when breaches occur.
As Riggi says, “The question, we always say, is not if you will be attacked, but how prepared are you?”
Hospitals also should see improving cybersecurity as an ongoing pursuit. Gee suggests that there’s no declaring “mission accomplished” when it comes to cybersecurity.
“Cybersecurity is not an end state,” Riggi says. “Cybersecurity is a process. It is ongoing. It's iterative. You have to keep doing it, and it's absolutely critical for hospitals and the healthcare sector to understand that and do their best to themselves and their patients and their communities.”
Newsletter
Advertisement
Related Content
Latest CME
Advertisement
Advertisement