
The state of cybersecurity for healthcare providers is growing more dangerous by the day. From ransomware risks hiding in outdated medical devices to large-scale data breaches at dental and billing vendors, the threats are multiplying and evolving fast.
In this edition, we break down the latest threat data, spotlight recent breaches affecting hundreds of thousands of patients, and offer a practical triage strategy that healthcare organizations can use to pinpoint and prioritize their most vulnerable systems.
—————————————————————————————
Legacy Medical Devices Still a Major Ransomware Risk in Healthcare
A recent analysis reveals a troubling reality for the healthcare industry: 99% of healthcare organizations are exposed to publicly known security vulnerabilities, leaving legacy medical devices highly susceptible to ransomware attacks.
Healthcare continues to be one of the most targeted critical infrastructure sectors.
The reason?
A perfect storm of high stakes, expansive attack surfaces, and outdated systems. The need for continuous uptime, where a few minutes of downtime can cost lives, makes hospitals especially vulnerable.
This same urgency also makes it difficult to implement timely software patches, especially for older medical equipment that requires FDA revalidation for any cybersecurity changes.
As a result, hospitals are stuck running outdated operating systems on legacy devices, often for years.
A Deep Dive Into the Data
A well-known security firm conducted a large-scale analysis using data from its industrial cybersecurity platform, which spans hundreds of health systems and thousands of hospitals.
From the vast dataset, the cybersecurity experts examined over 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 operational technology (OT) devices across 351 healthcare organizations.
Their findings were sobering:
- 99% of healthcare organizations house devices with vulnerabilities included on CISA’s Known Exploited Vulnerabilities (KEV) list.
- 20% of hospital information systems have KEVs specifically associated with ransomware, and these systems are insecurely connected to the internet.
The Challenge of Triaging Massive Threats
With such a massive volume of vulnerabilities, identifying which threats require immediate attention can feel overwhelming. To address this, hospitals and other healthcare organizations need a focused triage method based on three criteria:
- The presence of a KEV-listed vulnerability
- Evidence that ransomware actors actively exploit the vulnerability
- Insecure connectivity — defined as either direct internet access or use of non-enterprise-grade remote access tools
By applying a Venn diagram approach, the analysis narrows in on devices that meet all three conditions, the most critical risks.
Let’s take a look at how this plays out with OT devices:
- 11,693 OT devices had KEV vulnerabilities
- 3,004 OT devices had KEVs linked to ransomware
- 4,731 OT devices had insecure connectivity
- But only 1,763 OT devices had all three — just 0.3% of the total
This method shrinks a seemingly insurmountable problem into a manageable list.
For example, if each of the 351 healthcare organizations has an average of 1,845 OT devices, this approach surfaces just 5 to 6 high-risk devices per organization that demand immediate mitigation.
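The three-criteria intersection can be computed directly from an asset inventory and the KEV catalog. The sketch below is an added example, not code from the analysis described here: the catalog excerpt copies the `cveID` and `knownRansomwareCampaignUse` fields of CISA's KEV JSON feed with placeholder CVE IDs, and the device records, their field names and the `ENTERPRISE_GRADE` allow-list are constructed assumptions.

```python
"""Three-criteria triage: KEV-listed, ransomware-linked, insecurely connected."""

# Constructed excerpt shaped like entries in the CISA KEV JSON catalog.
# The CVE IDs are placeholders, not real identifiers.
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"},
]

# Constructed inventory; field names are hypothetical, not from any product.
DEVICES = [
    {"id": "bms-01", "cves": ["CVE-0000-0001"], "internet_exposed": True, "remote_access": None},
    {"id": "pump-07", "cves": ["CVE-0000-0002"], "internet_exposed": True, "remote_access": None},
    {"id": "hvac-03", "cves": ["CVE-0000-0003"], "internet_exposed": False, "remote_access": "consumer-tool"},
    {"id": "pacs-02", "cves": ["CVE-0000-0001"], "internet_exposed": False, "remote_access": "enterprise-vpn"},
    {"id": "ups-04", "cves": ["CVE-0000-9999"], "internet_exposed": True, "remote_access": None},
    {"id": "lab-09", "cves": [], "internet_exposed": False, "remote_access": None},
]

# Assumption: each site maintains its own list of approved remote access tools.
ENTERPRISE_GRADE = {"enterprise-vpn"}


def triage(devices, catalog):
    """Return the three criterion sets and their intersection, by device id."""
    kev = {v["cveID"] for v in catalog}
    ransomware = {v["cveID"] for v in catalog
                  if v["knownRansomwareCampaignUse"] == "Known"}
    has_kev, has_ransomware, insecure = set(), set(), set()
    for dev in devices:
        cves = set(dev["cves"])
        if cves & kev:
            has_kev.add(dev["id"])
        if cves & ransomware:
            has_ransomware.add(dev["id"])
        tool = dev["remote_access"]
        # Insecure = direct internet access OR a non-enterprise-grade tool.
        if dev["internet_exposed"] or (tool is not None and tool not in ENTERPRISE_GRADE):
            insecure.add(dev["id"])
    return {"kev": has_kev, "ransomware": has_ransomware, "insecure": insecure,
            "critical": has_kev & has_ransomware & insecure}


if __name__ == "__main__":
    result = triage(DEVICES, KEV_CATALOG)
    for name in ("kev", "ransomware", "insecure", "critical"):
        print(f"{name:<10} {len(result[name])}/{len(DEVICES)} {sorted(result[name])}")
```

Devices that satisfy only one or two criteria (for example, a ransomware-linked KEV behind an approved VPN) stay on the backlog but drop out of the immediate-action list.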
Applying the Same Method to IoMT Devices
When the same triaging strategy is used for IoMT devices:
- The result is 22,500 devices meeting all three critical indicators, roughly 1% of all IoMT assets.
- That translates to about 65 devices per healthcare organization requiring top-priority action.
While these numbers are based on estimates and not exact per-organization counts, the triage method provides a solid framework for zeroing in on the most vulnerable and ransomware-prone devices.
KEV lists don’t account for every known exploit, but they do offer one of the most reliable sources for identifying widely abused vulnerabilities, especially those weaponized by ransomware groups.
A Five-Step Strategy for Healthcare Cybersecurity
The triage process is just one part of a broader five-step approach to reducing cyber risk in healthcare environments:
- Scoping – Identify critical clinical and operational processes
- Discovery – Inventory and profile connected devices
- Prioritization – Evaluate risk based on business impact and exploitability (this is where the Venn approach fits in)
- Validation – Confirm whether vulnerabilities are actually exposed and exploitable
- Mobilization – Take action with specific mitigations or remediations
The takeaway?
Hospitals and healthcare providers need a clear, data-driven plan to tackle their most urgent cyber risks. Starting with a focused triage method helps cut through the noise and drive faster, smarter security decisions even in environments constrained by legacy systems and regulatory requirements.
—————————————————————————————
Data Breach at Chord Specialty Dental Partners Affected Over 170,000 Individuals
In March 2025, Chord Specialty Dental Partners, a dental service organization based in Tennessee, confirmed a data breach that impacted the personal information of more than 173,000 people following an email security incident.
The company, which operates under CDHA Management and Spark DSO, provides support to over 60 dental practices across six U.S. states.
According to a notice recently published on its website, the organization discovered suspicious activity in an employee’s email account in September 2024.
A subsequent investigation determined that unauthorized access occurred across multiple email accounts between August 18 and September 25, 2024. The compromised accounts contained a range of sensitive information, including:
- Full names
- Addresses
- Dates of birth
- Social Security numbers
- Driver’s license numbers
- Bank account and payment card details
- Medical information
- Health insurance information
Although Chord Specialty Dental Partners stated that there is no evidence so far that the exposed data has been misused, the company also noted it could not rule out the possibility of unauthorized access to the information.
In a report submitted to the U.S. Department of Health and Human Services (HHS), Chord confirmed the breach affected approximately 173,000 individuals. In response, the organization is offering complimentary credit monitoring and identity protection services to those impacted.
This breach adds to a growing list of recent cybersecurity incidents affecting the healthcare sector. Just days earlier, Numotion, a major provider of wheelchairs and mobility equipment, reported a separate email-related data breach involving nearly 500,000 individuals.
—————————————————————————————
ALN Medical Management Hack Exposed Sensitive Data of Over 127,000 Patients
A cyberattack targeting ALN Medical Management, a Nebraska-based revenue cycle management (RCM) firm, exposed the personal and health information of tens of thousands of individuals and impacted an unknown number of healthcare providers.
The breach is yet another reminder of how vulnerable medical billing vendors remain to targeted cyber threats.
ALN, which was acquired by Maryland-based Health Prime in 2023, initially disclosed the incident to federal regulators in May 2024. At the time, the company reported that only 501 individuals were affected, a placeholder estimate required for immediate breach reporting.
More recently, however, the scale of the breach has come into sharper focus.
In a March 24 report filed with Texas regulators, ALN confirmed that 127,113 Texans were impacted. The company has also submitted breach notifications to several other states, including California and New Hampshire, although specific numbers for those regions have not been disclosed.
While the total number of affected individuals remains unclear, cybersecurity experts suggest the impact could be significant for patients and healthcare organizations that rely on ALN’s services.
According to ALN’s state filings, the exposed data may include:
- Names
- Social Security numbers
- Driver’s license and passport numbers
- Financial account and payment card information
- Medical records
- Health insurance details
The company explained that it detected suspicious activity in March 2024, linked to a third-party service provider hosting certain systems. An investigation revealed that an unauthorized party accessed or extracted files from this environment between March 18 and March 24.
Importantly, ALN clarified that its internal systems were not impacted. Still, the third-party environment contained a wide range of sensitive patient and client data.
As of early April 2025, ALN is already facing at least three proposed federal class-action lawsuits.
One such case, filed by plaintiff Cameron Reed, alleges negligence, breach of contract, and other failures. The lawsuits seek financial compensation in addition to court-mandated improvements to ALN’s cybersecurity practices.
Several law firms have also announced independent investigations into the breach, signaling that more legal action could follow.
The breach has reignited concerns about the cybersecurity practices of third-party vendors, who often have access to highly sensitive financial and medical data on behalf of healthcare providers.
Security experts warn that RCM providers are high-value targets because of the rich mix of personal, health, and financial data they store. This kind of information can be used for identity theft, insurance fraud, and other criminal activities.
We recommend that healthcare providers:
- Thoroughly vet RCM vendors during procurement
- Implement detailed business associate agreements (BAAs)
- Demand similar diligence from every subcontractor in the chain
- Run joint incident response scenarios with vendors to prepare for possible attacks
The ALN incident follows other high-profile breaches in the healthcare sector, including the massive ransomware attack on Change Healthcare in February 2024, which disrupted services nationwide.
—————————————————————————————
Cyber threats aren’t slowing down and neither should your defenses. Whether you’re managing a hospital network, private practice, or healthcare vendor relationship, now is the time to act.
👉 Visit InfoGuard Security to learn how our cybersecurity solutions can help safeguard your systems, patients, and reputation.