From ransomware attacks paralyzing hospitals to millions of patient records exposed, the healthcare sector is facing a sharp rise in cyber threats. In this issue, we break down the most recent breaches affecting over 6 million individuals and what your organization must do now to stay protected.
Over 100,000 Patients Affected in Mainline Health Systems Breach
A recent cyberattack on Mainline Health Systems has compromised the personal health information of more than 100,000 individuals, reinforcing the urgent need for stronger cyber resilience in community-based healthcare.
Mainline Health Systems, a nonprofit network of clinics serving Southeast Arkansas since 1978, disclosed that a security breach impacted its internal network in April 2024.
After initiating a full investigation, including notifying federal authorities and hiring outside cybersecurity specialists, the organization confirmed on May 21, 2025, that sensitive files had been accessed by unauthorized actors.
The attackers behind this breach are believed to be linked to INC RANSOM, a known ransomware group active since 2023. This same threat group has been associated with high-profile attacks against NHS Scotland and Xerox, among others.
Although the organization took swift action following detection, the scale of the compromise underscores a troubling trend: increasingly, ransomware groups are targeting regional and nonprofit health networks that may lack enterprise-grade defenses.
Mainline’s breach highlights how even trusted, long-serving healthcare providers can become entry points for attackers seeking to exploit vulnerabilities in sprawling, multi-site operations.
McLaren Health Care Breach Exposes Data of Over 743,000 Patients
McLaren Health Care has confirmed yet another large-scale data breach, this time affecting more than 743,000 individuals, in what’s becoming a disturbing trend for major healthcare systems across the U.S.
The breach was detected on August 5, 2024, after suspicious activity was discovered within the systems of both McLaren and the Karmanos Cancer Institute.
A forensic investigation later revealed unauthorized access had occurred between July 17 and August 3, 2024, giving cybercriminals a two-week window inside the network.
McLaren is a $6.6 billion nonprofit healthcare system operating 14 hospitals and serving hundreds of thousands of lives across Michigan and Indiana. It conducted an in-depth review of the affected systems and determined that highly sensitive personal and health data had been accessed.
Exposed information may include:
- Full names
- Social Security numbers
- Driver’s license numbers
- Medical records and treatment details
- Health insurance information
In late 2023, McLaren disclosed a separate breach that compromised the information of over 2.1 million people. At the time, the INC RANSOM group claimed responsibility, with a ransom note discovered by staff at McLaren Bay Region Hospital.
Shortly afterward, the ALPHV/BlackCat ransomware gang also listed McLaren as a victim on its dark web leak site, claiming to have exfiltrated 2.5 million patient records.
Despite ongoing remediation and security upgrades, McLaren’s repeated targeting reveals a persistent and aggressive interest from ransomware operators in high-value healthcare systems.
It’s also a sobering reminder: without airtight security controls, even large, well-funded providers remain deeply vulnerable.
Episource Breach Exposes Health Data of Over 5.4 Million Individuals
Healthcare technology and services provider Episource is the latest target in a growing wave of cyberattacks against healthcare infrastructure. The company recently confirmed that a massive data breach has compromised the sensitive information of approximately 5.41 million people across its customer base.
Episource, known for providing medical coding, risk adjustment, and analytics services to health plans and providers, detected unauthorized access to its systems in early February 2025.
The intrusion occurred between January 27 and February 6, 2025, during which a threat actor was able to view and exfiltrate protected health data from its systems.
Following detection, Episource took emergency actions:
- Shut down systems to halt the intrusion
- Engaged forensic investigators to determine the scope
- Notified federal law enforcement
- Began coordinated outreach to impacted healthcare clients
The compromised data includes a wide range of personally identifiable information (PII) and protected health information (PHI), such as:
- Full names
- Addresses
- Email addresses
- Phone numbers
- Dates of birth
- Social Security numbers
- Health insurance details
- Medical records and treatment information
Episource says it has found no evidence that the stolen data has been misused yet. Still, the scale and nature of the breach have triggered widespread concern.
Sharp HealthCare, one of Episource’s clients, has already reported to the U.S. Department of Health and Human Services that more than 20,000 of its patients were affected.
Although unconfirmed, sources suggest this may have been a ransomware attack; no threat actor group has publicly claimed responsibility as of now.
The Episource breach serves as another urgent reminder that third-party vendors and business associates often carry the same risks as core healthcare providers, and their vulnerabilities can directly impact millions of patients.
Without robust third-party risk management, healthcare organizations are leaving the door wide open to exploitation.
Bert Ransomware: A Growing Threat to Healthcare Providers
A new ransomware variant known as Bert has emerged, and it’s already making headlines for its data-theft capabilities and global victim list. Healthcare organizations, already high-value targets due to the sensitive nature of patient data, must take this threat seriously.
What Is Bert Ransomware?
Bert is an encryption-based ransomware strain that locks down files across compromised systems and then demands a ransom for their release. But Bert doesn’t stop at encryption. It also steals data and threatens to leak it unless victims pay up.
Once deployed, Bert appends the extension “.encryptedbybert” to each file it encrypts, renaming critical records such as patient-record.pdf to patient-record.pdf.encryptedbybert.
The group behind Bert also leaves behind a ransom note in each infected folder. It informs victims that their data has been encrypted and exfiltrated, and includes a link to contact the hackers through the Session messaging app.
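The renaming behavior described above gives defenders a concrete indicator to hunt for. The following is an added example, not code from the newsletter or from any vendor: it parses constructed file-activity log lines (the format is an assumption; only the “.encryptedbybert” extension comes from the article) and flags hosts that rename several files to that extension within a short window, which is the pattern a mass-encryption run produces.

```python
"""Flag Bert-style mass renames (".encryptedbybert") in file-activity logs.
Added example, not from the newsletter; the log line format is constructed,
and only the extension itself comes from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

BERT_EXT = ".encryptedbybert"   # extension named in the article
BURST_THRESHOLD = 3             # Bert renames per host inside WINDOW to alert
WINDOW = timedelta(seconds=60)

# Constructed sample events: "ISO-timestamp host user action path"
SAMPLE_LOG = """\
2025-06-01T09:00:01 ws-radiology-04 jdoe RENAME /share/records/patient-record.pdf.encryptedbybert
2025-06-01T09:00:02 ws-radiology-04 jdoe RENAME /share/records/scan-2024.dcm.encryptedbybert
2025-06-01T09:00:03 ws-radiology-04 jdoe RENAME /share/records/labs.xlsx.encryptedbybert
2025-06-01T09:15:00 ws-billing-02 asmith RENAME /share/billing/q1.xlsx.bak
2025-06-01T10:30:00 ws-frontdesk-01 tlee CREATE /share/intake/new.pdf
"""

def parse_line(line):
    ts, host, user, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "path": path}

def bert_events(log_text):
    """Events whose target path carries the Bert extension."""
    return [e for e in map(parse_line, log_text.splitlines())
            if e["action"] == "RENAME" and e["path"].endswith(BERT_EXT)]

def burst_hosts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Hosts with >= threshold Bert renames inside any `window`-long span.
    Sliding window over per-host sorted timestamps; returns host -> count."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = end - start + 1
                break
    return flagged

if __name__ == "__main__":
    print(burst_hosts(bert_events(SAMPLE_LOG)))  # {'ws-radiology-04': 3}
```

A single rename to the extension is already worth an alert; the burst threshold exists to rank which host to isolate first when many events arrive at once.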
Why Healthcare Organizations Should Be Concerned
The threat actors behind Bert have already claimed victims across industries worldwide, including hospitals. Their dark web leak site features names of affected organizations and provides download links for stolen data. This includes:
- Medical and billing records
- Employee and patient PII
- Internal communications
- Passport scans
- Vaccine documentation
In the healthcare sector, this kind of exposure is a HIPAA violation waiting to happen.
And since no free decryption tool exists for Bert, organizations without clean backups are often left with no option but to pay or lose their data permanently.
How to Defend Against Bert and Other Ransomware Attacks
Bert’s techniques aren’t revolutionary, but they are relentless. Defending against it requires a layered cybersecurity strategy.
Healthcare organizations should take the following steps immediately:
- Isolate backups and keep at least one copy offsite and immutable: Never store backups on the same network as production systems. Consider adopting the 3-2-1-1-0 backup strategy: 3 copies, 2 different media, 1 offsite, 1 immutable, and 0 errors.
- Stay current with security patches and vulnerability fixes: Many ransomware attacks exploit unpatched systems. Review patch management policies and timelines.
- Use strong authentication protocols: Implement multi-factor authentication (MFA) across all systems, especially for EHRs, admin panels, and remote access solutions.
- Encrypt patient and internal data at rest and in transit: Make it unusable even if exfiltrated.
- Segment your network: Prevent lateral movement by separating administrative, clinical, and backup environments.
- Train staff continuously: Healthcare employees are frequent phishing targets. Conduct monthly training sessions, run simulations, and raise awareness about how attackers trick users into downloading ransomware.
- Vet third-party vendors carefully: Ensure that partners, contractors, and managed service providers follow your cybersecurity standards. Ransomware often enters through insecure vendor networks.
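The 3-2-1-1-0 rule in the first step above is easy to state and easy to drift away from. As an added example (not from the newsletter or any backup product), the checker below evaluates a backup inventory against each of the five criteria; the inventory record format is an assumption, and the two inventories are constructed to show a failing setup beside a compliant one.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule from the article:
3 copies, 2 different media, 1 offsite, 1 immutable, 0 verification errors.
Added example, not from the newsletter or any vendor. The record format is
an assumption; adapt it to your backup platform's reporting output."""
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    offsite: bool               # stored outside the production site/network
    immutable: bool             # WORM / object-lock; unalterable by a compromised admin
    last_restore_test_ok: bool  # most recent restore verification passed

def evaluate_3_2_1_1_0(copies):
    """Return rule -> bool; all True means the inventory complies."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        "0_errors": all(c.last_restore_test_ok for c in copies),
    }

def failing_rules(copies):
    return [rule for rule, ok in evaluate_3_2_1_1_0(copies).items() if not ok]

# Constructed inventories for illustration.
# Weak: two writable disk copies in the same data centre, one restore test failing.
WEAK = [
    BackupCopy("local-backup-a", "disk", False, False, True),
    BackupCopy("nightly-snapshot", "disk", False, False, False),
]
# Corrected: a third copy on different media, offsite and immutable; all restores verified.
HARDENED = [
    BackupCopy("local-backup-a", "disk", False, False, True),
    BackupCopy("nightly-snapshot", "disk", False, False, True),
    BackupCopy("offsite-object-lock", "object-storage", True, True, True),
]

if __name__ == "__main__":
    print(failing_rules(WEAK))      # ['3_copies', '2_media', '1_offsite', '1_immutable', '0_errors']
    print(failing_rules(HARDENED))  # []
```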
Bert is just one example of how ransomware continues to evolve and why healthcare systems can’t afford to stay reactive. Prevention, preparation, and rapid response are key to minimizing damage and protecting both your operations and your patients’ trust.
Cybercriminals are getting smarter and faster. But with the right defenses in place, your organization can stay resilient. If these stories show us anything, it’s that cyber hygiene can’t wait until after a breach.
Explore how Infoguard Cybersecurity protects hospitals, clinics, and healthcare systems against modern ransomware threats.
Share this newsletter with your IT or compliance team today.
Best regards,