December 22, 2025

Takeaways from healthcare cyberattacks in 2025

Author(s): Ron Southwick

There were fewer victims of attacks aimed at healthcare organizations, but more than 40 million were affected and hospitals remain targets.

There’s some good news, relatively speaking, when it comes to cybersecurity in the healthcare industry.

Through Dec. 12, more than 42 million people were affected by cyberattacks aimed at health providers. That’s a lot of people to be sure. But in 2024, more than 270 million people, about 3 in 4 Americans, were affected, most of them by the Change Healthcare cyberattack.

Still, cybersecurity experts with the American Hospital Association say health systems can’t let their guards down.

Here are some threats hospitals must recognize.

First, let’s talk about AI. Attackers are using AI to create more convincing phishing emails. Forget the clumsy emails with four typos in the first sentence. Bad actors are using AI for more polished messages aimed at catching people with their guards down.

Ransomware groups are also using AI tools to hack into health systems, and they may be adopting AI more quickly, says Baxter Lee, president of Clearwater, a cybersecurity company that works with hospitals.

“I think attackers are probably using AI faster than we're using it to defend against it,” Lee told Chief Healthcare Executive® in an interview at the HLTH conference.

Health systems continue to be victimized by attacks aimed at software problems that haven’t been addressed. It’s a perennial problem, and it exposes systems to attack. Importantly, many of these problems come from software employed outside health systems.

And that leads to another big risk for cyberattacks: third parties and business associates. Many of the attacks disrupting hospitals and health systems are targeting the vendors that hospitals use every day. The Change Healthcare attack last year was the most chilling example of the risks from a vendor. Nearly every hospital in America was affected, because the target was a business partner that virtually everyone uses.

Hospitals are making solid progress in bolstering their defenses against cyberattacks. But the risks aren’t going away anytime soon.

Healthcare data breaches remain the most expensive of any industry. The average cost of a data breach in a healthcare organization was $9.7 million in 2024, according to an analysis by IBM.

We talked with John Riggi, national adviser for cybersecurity and risk of the American Hospital Association, and Scott Gee, deputy national advisor for cybersecurity and risk, about cyberattacks affecting hospitals in 2025. For a deeper dive on attacks, the risks to hospitals and what health systems can do, check out our report published last week.

Read more: Small hospitals and clinics emerge as big targets for cyber attacks
