
From sophisticated malware attacks to major breaches and costly HIPAA violations, the threats facing hospitals, labs, and medical practices are growing more complex and more dangerous.
In this issue of the Infoguard Security newsletter, we’re breaking down three major incidents making headlines:
- A targeted malware campaign aiming to infiltrate healthcare systems
- A lab breach impacting 1.6 million Planned Parenthood patients
- A $350,000 HIPAA settlement over risk analysis failures
New Malware Campaign Targeting Healthcare: What You Need to Know About ResolverRAT
Cybercriminals are once again setting their sights on healthcare and pharmaceutical organizations, and this time, they’re using a new remote access trojan (RAT) called ResolverRAT.
This advanced campaign spreads through phishing emails and DLL side-loading, and activity was observed as recently as March 10, 2025.
Who’s Being Targeted—and How
The primary targets? Healthcare and pharmaceutical sectors.
Attackers are relying on high-pressure phishing emails that create a false sense of urgency, often with themes tied to legal issues or copyright violations. These fear-based messages prompt recipients to click a malicious link, which kicks off the infection chain.
What makes this campaign particularly dangerous is its localization strategy. The phishing emails are written in various native languages, such as Hindi, Turkish, Portuguese, Czech, Italian, and Indonesian, to increase the likelihood of success across different regions.
How ResolverRAT Infects Systems
Once the user clicks the link, a file is downloaded that triggers a multi-stage infection process. It starts with DLL side-loading, a technique that loads a malicious DLL in place of a legitimate one.
Then, an in-memory loader decrypts and runs the main payload, keeping it entirely in memory to avoid detection.
ResolverRAT doesn’t stop there. It incorporates multiple layers of stealth:
- Fileless execution (runs in memory)
- Encryption and compression to obfuscate code
- Its own certificate-based authentication to its command-and-control (C2) server, bypassing the system’s certificate checks
- IP rotation to ensure continued communication even if a C2 server is blocked or taken down
The malware also installs itself in multiple system locations and uses the Windows Registry for redundancy, making it extremely difficult to fully remove.
Evasion Techniques That Keep It Hidden
ResolverRAT’s infrastructure is designed with resilience in mind. It uses advanced methods such as:
- Certificate pinning to prevent interception
- Source code obfuscation
- Irregular communication patterns with its C2 server
These features allow the malware to maintain persistent access without triggering traditional security alerts.
What the Malware Does Once It’s In
Once it establishes a foothold, ResolverRAT listens for commands from its C2 server and sends back stolen data. To avoid detection, it breaks down any files over 1MB into tiny 16KB pieces before exfiltrating them.
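The one concrete, observable detail in that paragraph is the chunking: files over 1 MB leave the host as 16 KB pieces. On a proxy or egress log that shows up as a long run of near-identically sized uploads from one host to one destination. The following script is an added example written for this newsletter (it is not from any vendor report and does not detect ResolverRAT specifically); the log format, host names and sample lines are all constructed here, and the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic triage for chunked uploads in outbound proxy logs.

Added example, not from the newsletter or any vendor report. Log format
(constructed): "<epoch> <src_ip> <dst_host> <bytes_out>" per line.
"""
import random
from collections import defaultdict

CHUNK_SIZE = 16 * 1024  # the 16 KB piece size described in the report


def parse_line(line):
    """Parse one constructed log line into (epoch, src_ip, dst_host, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)


def find_chunked_uploads(lines, chunk_size=CHUNK_SIZE, tolerance=64,
                         min_chunks=20, min_fraction=0.8):
    """Return {(src, dst): summary} for host/destination pairs whose uploads
    are dominated by bodies within `tolerance` bytes of `chunk_size`.

    Thresholds are assumptions: at least `min_chunks` such uploads, and they
    must make up at least `min_fraction` of all uploads for that pair, so a
    workstation that happens to send one 16 KB form post is not flagged.
    """
    per_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, nbytes = parse_line(line)
        per_pair[(src, dst)].append(nbytes)

    findings = {}
    for pair, sizes in per_pair.items():
        near = sum(1 for s in sizes if abs(s - chunk_size) <= tolerance)
        if near >= min_chunks and near / len(sizes) >= min_fraction:
            findings[pair] = {"chunks": near, "total": len(sizes),
                              "bytes": sum(sizes)}
    return findings


def build_sample_log(seed=7):
    """Construct a sample log: one normally browsing host and one host
    sending a ~1.5 MB file as 16 KB pieces plus a short remainder."""
    rng = random.Random(seed)
    lines = []
    t = 1741600000
    for _ in range(60):  # ordinary, varied-size posts (constructed)
        t += rng.randint(1, 30)
        lines.append(f"{t} 10.0.5.21 cdn.example.net {rng.randint(200, 40000)}")

    file_size = 96 * CHUNK_SIZE + 777  # 96 full pieces + one 777-byte tail
    sent, t = 0, 1741600000
    while sent < file_size:
        piece = min(CHUNK_SIZE, file_size - sent)
        t += rng.randint(1, 15)
        lines.append(f"{t} 10.0.5.44 upload.invalid {piece}")
        sent += piece

    rng.shuffle(lines)  # order in a real log is interleaved; the check does not rely on it
    return lines


if __name__ == "__main__":
    for (src, dst), summary in find_chunked_uploads(build_sample_log()).items():
        print(f"{src} -> {dst}: {summary['chunks']} of {summary['total']} uploads "
              f"near {CHUNK_SIZE} bytes, {summary['bytes']} bytes total")
```

Treat a hit as a triage lead, not a verdict: backup agents and cloud-sync clients also upload in fixed-size pieces, so the next step is to look at which process on the flagged host owns the connections and whether the destination is known to the organization.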
While researchers haven’t officially linked this campaign to a known threat group, the techniques and infrastructure closely resemble earlier phishing attacks that delivered malware like Lumma and Rhadamanthys. This points to the possibility of a shared threat actor or affiliate network behind the campaign.
Also on the Radar: Neptune RAT
In a separate but equally troubling development, a new RAT called Neptune RAT is making the rounds online. Distributed through platforms like GitHub, Telegram, and YouTube, this malware is packed with features that allow it to:
- Steal passwords from over 270 apps
- Act as a crypto clipper
- Demand ransom payments
- Overwrite the Master Boot Record (MBR)
- Monitor victims’ desktops in real time
Although the GitHub profile hosting it has been taken down, the malware’s capabilities—and its use of modular plugins—make it a serious and ongoing threat.
What This Means for Healthcare Security Teams
ResolverRAT and Neptune RAT both signal a shift toward more sophisticated, multi-layered attacks specifically targeting critical sectors like healthcare. These threats are designed to remain hidden, steal data, and maintain long-term access.
Infoguard Security strongly recommends the following steps for healthcare organizations:
- Conduct regular phishing simulations and training
- Monitor for abnormal network behavior, especially irregular traffic patterns
- Implement endpoint detection and response (EDR) solutions
- Limit administrative privileges and monitor DLL loads
- Ensure software and security tools are up to date
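"Monitor DLL loads" is the recommendation most teams have tooling for but rarely a rule for. The script below is an added example for this newsletter (not Infoguard's or any vendor's code) showing the kind of check a defender can run over Sysmon Event ID 7 (Image Loaded) records to surface side-loading candidates. The field names `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` are Sysmon's own; the baseline set `SYSTEM_ONLY_DLLS`, the path heuristics and the sample events are constructed for illustration, and a real deployment would build the baseline from a clean reference image.

```python
"""Flag DLL loads that look like side-loading, from Sysmon-style Event ID 7 records.

Added example, not from the newsletter or any vendor. Event dicts mirror the
Sysmon Image Loaded fields; the sample events and the baseline are constructed.
"""
from pathlib import PureWindowsPath

# Windows system directories where OS-owned DLLs are expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Path fragments that indicate a user-writable location (assumed heuristic).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed baseline: DLL names that, on this fleet, should only ever load
# from a system directory. These names are placeholders for the example.
SYSTEM_ONLY_DLLS = {"sysutil.dll", "netcfg.dll"}


def classify_image_load(event):
    """Return a list of reasons this image-load event looks suspicious (empty if clean)."""
    loaded = event["ImageLoaded"]
    path = PureWindowsPath(loaded)
    name = path.name.lower()
    parent = str(path.parent).lower()
    lowered = loaded.lower()
    reasons = []

    # Side-loading in its classic form: a DLL carrying a system-DLL name is
    # picked up from the application directory instead of System32.
    if name in SYSTEM_ONLY_DLLS and not parent.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from non-system path")

    # Code loaded from a user-writable directory without a valid signature.
    if any(h in lowered for h in USER_WRITABLE_HINTS) and event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid-signature DLL from user-writable path")

    # A signature that is present but fails validation is worth a look on its own.
    if event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") != "Valid":
        reasons.append("signature present but not valid")

    return reasons


def triage(events):
    """Return [(host process, loaded DLL, reasons)] for every flagged event."""
    hits = []
    for ev in events:
        reasons = classify_image_load(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample events (no real hashes or paths from any incident).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\sysutil.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\viewer.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\sysutil.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {'; '.join(reasons)}")
```

Expect a trickle of benign hits from installers and developer tools that drop unsigned DLLs into temp directories; the value of the rule is in pairing a hit with the host process (the `Image` field) and checking whether that process should be running from that location at all.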
1.6 Million Affected: Data Breach at Medical Lab Serving Planned Parenthood Clinics
A major cybersecurity incident has shaken the healthcare sector, this time impacting Laboratory Services Cooperative (LSC), a medical lab that works with Planned Parenthood clinics across 31 states and Washington, D.C.
In a disclosure made to regulators, the lab confirmed that 1.6 million patients, employees, and payers have been affected by a data breach stemming from an October 2024 cyberattack.
The breach involved the unauthorized access and exfiltration of sensitive personal, medical, and financial information, raising serious concerns around data privacy, patient safety, and regulatory compliance.
Who Was Affected—and How?
LSC, a nonprofit lab based in Seattle, offers diagnostic testing for many Planned Parenthood clinics, including support for both in-person and telehealth services.
The breach could impact:
- Patients
- Planned Parenthood employees
- Third parties who paid for healthcare services on behalf of someone else
In response, LSC is offering 12 to 24 months of complimentary identity and credit monitoring, depending on the state of residence. The organization has also set up a dedicated call center to help individuals confirm whether their clinic partners with LSC.
What We Know About the Breach
The cyberattack was first detected on October 27, 2024, after suspicious activity was noticed within LSC’s network. Immediate steps were taken to investigate, including bringing in third-party cybersecurity specialists and notifying federal law enforcement.
The investigation revealed that hackers had gained access to parts of LSC’s network and removed files containing protected data. While no evidence has yet been found of this data appearing on the dark web, monitoring efforts are ongoing.
The data that may have been compromised is extensive and varies by individual, potentially including:
- Full name, address, phone number, email
- Medical history such as diagnoses, treatment details, provider names, lab results, and more
- Insurance and payment details, including bank account numbers, routing numbers, and payment card data
- Highly sensitive identifiers, such as Social Security numbers, driver’s license numbers, passport numbers, dates of birth, and even student IDs
- Employee information, including dependent and beneficiary data
Regulatory and Legal Implications
Rachel Rose, a regulatory attorney, pointed out that this breach may potentially violate the HIPAA Privacy Rule for Reproductive Health Care, especially after the Department of Health and Human Services (HHS) introduced new protections for reproductive health data disclosures in 2023.
However, several states with abortion bans are actively challenging those rules in court.
Rose warned that organizations must ensure annual risk assessments are being conducted and that staff fully understand the legal and technical definitions around reproductive health protections.
Key Takeaways for Healthcare Leaders
The LSC breach is a stark reminder of what’s at stake for healthcare organizations, especially those handling sensitive reproductive data.
Infoguard Security urges healthcare providers to take the following steps:
- Review vendor relationships and data handling practices
- Ensure full compliance with HIPAA’s updated reproductive health protections
- Conduct risk assessments focused on both privacy and data integrity
- Audit and validate lab equipment and medical device functionality post-incident
- Deploy real-time monitoring solutions that can detect suspicious activity early
Radiology Practice Fined $350K After HIPAA Failures Led to Data Breach
In a recent HIPAA enforcement action, the U.S. Department of Health and Human Services (HHS) announced a $350,000 settlement with Northeast Radiology, P.C. (NERAD), a medical imaging group operating in New York and Connecticut.
The fine stems from a 2020 hacking incident that exposed the personal health information of nearly 300,000 patients.
But the fine isn’t the only consequence. NERAD must also implement a two-year corrective action plan, which includes strict oversight from federal regulators and a complete overhaul of its security risk analysis procedures.
What Happened?
The breach first came to light in March 2020, when NERAD reported that unauthorized individuals had accessed radiology images stored on its Picture Archiving and Communication System (PACS).
The unauthorized access reportedly took place over a period of nine months, from April 2019 to January 2020.
According to HHS’ Office for Civil Rights (OCR), the compromised server left the records of 298,532 patients exposed.
OCR’s investigation revealed that NERAD had failed to conduct a proper security risk analysis, a fundamental requirement under the HIPAA Security Rule.
The organization had no accurate inventory of the systems storing electronic protected health information (ePHI), leaving significant blind spots in its threat detection and mitigation capabilities.
This enforcement action marks the sixth such settlement tied to OCR’s ongoing risk analysis compliance initiative, which zeroes in on healthcare entities that have not properly assessed the vulnerabilities in their systems.
What NERAD Must Now Do
Under the terms of the agreement, NERAD is required to:
- Conduct a comprehensive, organization-wide risk analysis covering all systems, devices, applications, and storage locations that handle ePHI.
- Send the risk assessment report to HHS OCR for approval. The agency will review it and require revisions if needed. This process will continue until OCR is satisfied.
- Review and update the risk analysis annually, or any time the organization undergoes significant operational or environmental changes.
- Create and implement a formal risk management plan based on the findings of the risk analysis.
- Undergo two years of federal monitoring to ensure the plan is executed and maintained properly.
Action Items for Healthcare Cybersecurity Teams
If your organization handles medical images or operates a PACS server, now is the time to revisit your own security practices. Start with the basics:
- Conduct a risk analysis that’s complete and documented
- Build and maintain a detailed inventory of systems storing ePHI
- Check your access controls, review audit logs, and verify your network segmentation
- Implement a formal, written risk management plan
- Make risk analysis and review an annual process, not a one-off task
The bottom line?
With rising cyber risks, healthcare organizations need to act before threats turn into breaches. As the stories above show, cybercriminals are getting bolder, and regulatory scrutiny is tightening.
At Infoguard Security, we help hospitals, labs, and clinics stay a step ahead with tailored solutions that protect patient data, ensure compliance, and build long-term resilience.
Stay informed. Stay protected.
Visit Infoguard Security to learn how we can help secure your organization.
If you found this newsletter helpful, share it with your team or a colleague in the healthcare space because cybersecurity is a team effort.
Best regards,