
Cyberattacks targeting healthcare organizations aren’t slowing down, and the risks are no longer just technical.
This issue of our newsletter covers the devastating impact of ransomware on patient care, ongoing data breaches across trusted healthcare networks, and the rising compliance challenges of AI in clinical settings.
Ransomware Attack Cripples Kettering Health Network
Kettering Health, a 14-hospital network serving much of Ohio, was forced to cancel both inpatient and outpatient elective procedures this week following a ransomware attack that triggered a major system-wide technology outage.
The disruption, which began early Tuesday morning, affected internal systems, call centers, and access to essential services, though emergency departments and outpatient clinics remain operational.
Kettering Health has activated contingency protocols to protect patient care, but the damage is already significant.
Who’s Behind the Attack?
A ransom note obtained by CNN indicates that the cyberattack was executed by Interlock, a ransomware group that first appeared in late 2023. The note claims that the group has encrypted critical systems and stolen sensitive files, threatening to leak the data online if Kettering Health does not enter ransom negotiations.
The extortion message points to a dark web negotiation portal operated by the group, which has been linked to previous attacks on manufacturing, tech, and government sectors.
Systems Down. Procedures Canceled. Risks Mounting.
While the health system’s IT teams are working to contain the breach, the scope of the disruption raises urgent questions about cyber resilience in healthcare.
Canceling medical procedures, especially for a system employing 1,800+ physicians, creates real downstream impacts on patient health and trust.
As of now, Kettering Health has not released further details. The FBI, HHS, and CISA are expected to be involved in the investigation, as is standard for major incidents in the healthcare sector.
A Growing Pattern With Alarming Consequences
This is just the latest in a string of serious ransomware attacks that have rocked the healthcare industry:
- In 2023, over 440 ransomware and data breach incidents were reported by healthcare organizations, more than any other critical infrastructure sector.
- Earlier this year, an attack on UnitedHealth Group’s Change Healthcare caused nationwide pharmacy disruptions and exposed vast amounts of sensitive data.
- A cyberattack on Ascension Health forced hospitals to operate without access to electronic health records, placing patients at risk.
What Your Organization Can Learn from This
Whether you’re a hospital, specialty clinic, or medical research facility, no healthcare entity is too large or too small to be targeted.
Cybercriminals know that downtime in healthcare is inconvenient and dangerous. That pressure makes hospitals more likely to pay.
Key Takeaways:
- Segment your networks. Limit lateral movement by separating clinical, administrative, and IoT devices.
- Encrypt everything. Don’t store patient data in plaintext or unprotected archives.
- Simulate attacks. Regular tabletop exercises can help teams prepare for real-world breaches.
- Invest in 24/7 monitoring. Identifying threats early can be the key to controlling an incident before it spirals out of control.
- Build response playbooks. Don’t wait until you’re under attack to figure out what to do.
Cooper Health System Data Breach: PHI Accessed in Prolonged Network Intrusion
Camden-based Cooper Health System, one of Southern New Jersey’s major providers, confirmed a data breach that may have exposed sensitive patient information, nearly 10 months after the initial intrusion.
In a public notice, Cooper revealed that the breach was linked to unauthorized access to its network, beginning around May 14, 2024.
While the organization detected unusual activity in May of that year, it wasn’t until March 26, 2025, that they concluded an internal review confirming that personal and protected health data had been accessed and acquired by an unknown threat actor.
What Data Was Compromised?
The investigation, supported by third-party cybersecurity experts, found that a wide range of patient data may have been exposed, including:
- Full names
- Dates of birth
- Social Security numbers
- Medical record numbers
- Treatment and diagnosis information
- Health insurance details
- Medical histories
Cooper clarified that not every data element was compromised for every individual, but the presence of such sensitive information, particularly SSNs and medical histories, significantly increases the risk of identity theft, insurance fraud, and long-term privacy issues.
The Timeline Raises Red Flags
What stands out most in this incident is the extended timeline:
- May 2024: Cooper identifies suspicious network activity.
- March 2025: After a lengthy investigation, they confirm data exposure and begin notifying affected individuals.
This nearly 10-month gap between detection and confirmation highlights a crucial problem: delayed breach visibility, an issue that continues to plague healthcare systems operating on legacy infrastructure or without continuous threat monitoring.
Cooper maintains that no misuse of the data has been identified so far, but it’s a statement that offers little reassurance given the long time frame involved.
Key Takeaways for Healthcare Leaders:
- Early detection isn’t enough. Breach investigation timelines must be shortened through better visibility and forensic tools.
- PHI needs layered protection. Relying on perimeter defense alone is no longer viable.
- Transparency matters. Prompt patient notification is not only ethical but also required by law in many states.
- Proactive planning beats reactive damage control. Build your breach response protocol before you need it.
AI in Healthcare: Privacy, Cybersecurity & Compliance Risks You Can’t Ignore
As artificial intelligence continues to shape the future of healthcare, legal and cybersecurity experts are raising urgent questions about data privacy, regulatory compliance, and patient trust.
While hospitals and health systems are actively exploring the use of AI and machine learning in everything from diagnostics to administrative automation, many of the tech companies driving these innovations operate outside the traditional HIPAA framework. They are now finding themselves in unfamiliar legal territory.
Not All Health Tech Is HIPAA-Covered
Many companies offering AI-driven health and wellness tools have historically operated in loosely regulated or completely unregulated environments.
That’s changing quickly.
AI tools in consumer health — think wearables, fitness apps, telehealth platforms — aren’t always covered by HIPAA. Instead, they’re increasingly subject to state-level privacy laws that carry real legal weight.
These include:
- California Consumer Privacy Act (CCPA)
- Washington’s My Health, My Data Act
- Texas Data Privacy and Security Act
Each of these laws imposes strict rules on how sensitive health data, especially when combined with location data or other personal identifiers, can be collected, stored, and shared.
Geolocation + Health Data = High-Risk Category
One major concern is the rising use of geolocation data in AI-powered tools.
When this information is tied to a user’s health activity, such as tracking exercise, menstrual cycles, or medication schedules, it becomes a sensitive data category under many new state laws.
This patchwork of legislation creates complexity. Where your users are located matters. Your obligations may vary significantly depending on the state, and that makes nationwide compliance especially tricky for healthcare-adjacent tech companies.
Key Risks for Healthcare Leaders Using AI
1. Customer Service & Administrative Use of AI
Chatbots and AI-driven scheduling tools often process protected health information (PHI). Without proper security controls, these tools can become breach vectors.
2. AI in Clinical Decision-Making
When AI influences diagnosis or treatment, any lack of transparency or explainability can create clinical and legal liabilities, especially if the models are trained on biased or incomplete datasets.
3. De-identified Data Isn’t Always Safe
Many organizations rely on de-identification to bypass privacy laws. However, in practice, AI systems can often re-identify individuals when datasets are cross-referenced, creating significant privacy risks and potential regulatory violations.
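A check a data team could run before releasing a "de-identified" extract, shown here as an added example that is not part of the original newsletter: it measures k-anonymity over quasi-identifiers, the fields that stay behind after names and SSNs are removed and that make cross-referencing possible. The column names, the sample records and the threshold k=2 are constructed assumptions.

```python
from collections import Counter

# Assumed column names: fields that are not direct identifiers but can single
# a person out once the extract is joined against another dataset.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed sample extract: names, SSNs and record numbers already removed.
RECORDS = [
    {"zip": "30301", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "30301", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "30301", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "30302", "birth_year": 1987, "sex": "M", "diagnosis": "hiv"},
    {"zip": "30305", "birth_year": 1990, "sex": "F", "diagnosis": "asthma"},
    {"zip": "30305", "birth_year": 1992, "sex": "F", "diagnosis": "migraine"},
]

def class_sizes(records, quasi_ids):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one record is unique."""
    return min(class_sizes(records, quasi_ids).values(), default=0)

def at_risk(records, quasi_ids, k):
    """Records whose quasi-identifier combination is shared by fewer than k."""
    sizes = class_sizes(records, quasi_ids)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_ids)] < k]

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out

def release(records, quasi_ids, k):
    """Generalize first, then suppress whatever is still in a group below k."""
    coarse = [generalize(r) for r in records]
    sizes = class_sizes(coarse, quasi_ids)
    return [r for r in coarse if sizes[tuple(r[q] for q in quasi_ids)] >= k]

if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique or near-unique rows:", len(at_risk(RECORDS, QUASI_IDENTIFIERS, 2)))
    safe = release(RECORDS, QUASI_IDENTIFIERS, 2)
    print("k after:", k_anonymity(safe, QUASI_IDENTIFIERS), "rows kept:", len(safe))
```

Generalization alone leaves one record unique in this sample, so it is suppressed rather than released; k-anonymity also does not protect a group whose members all share the same diagnosis.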
What Healthcare Organizations Should Do Now
To mitigate risk and prepare for the expanding regulatory landscape, healthcare executives and IT teams should:
- Conduct AI-specific risk assessments for any tools handling patient data.
- Ensure vendor compliance with all relevant federal and state privacy laws.
- Limit the use of geolocation data unless absolutely necessary — and protect it as you would PHI.
- Stay informed about evolving AI-related guidance from the FTC, HHS, and state attorneys general.
AI’s potential in healthcare is enormous, but without guardrails it can also introduce new threats to data security, regulatory compliance, and patient safety. Your organization’s ability to navigate AI risks will depend on how proactive you are today.
From operational disruptions to regulatory scrutiny, the cybersecurity landscape for healthcare is more complex than ever. But with the right insight, preparation, and guidance, your organization can protect both patient safety and business continuity.
Let Infoguard Security help you build the defenses you need.