
From ransomware hitting hospitals in Ohio and New England to leaked patient records and a new federal cybersecurity bill, 2025 is proving just how vulnerable the healthcare sector remains. These latest attacks and policy shifts are urgent warnings for every hospital, clinic, and care facility in the U.S.
____________________________________________________________________________
How a Cyberattack Hit Multiple Hospitals in the US
A cyberattack hit three hospitals operated by Covenant Health on May 26, 2025. Systems were shut down immediately to contain the incident. At this point, it’s still unclear whether ransomware was used or if data was stolen.
St. Mary’s and St. Joseph’s hospitals, both part of the network, posted public notices about “temporary system issues.”
Phones and documentation systems were affected. Lab services were limited to the main campus, and only with a printed order. That wasn’t ideal, but care continued as best they could.
Covenant Health runs multiple facilities across New England, including hospitals, nursing homes, and elder care centers. This attack impacted their full network, from hospitals to outpatient clinics.
Patients were told to keep appointments. Some delays? Yes. Full shutdown? No. Staff was working through it using manual processes where needed.
That said, 2025 is already shaping up to be another rough year for healthcare cybersecurity.
Earlier this year, RansomHouse claimed responsibility for breaching Loretto Hospital in Chicago, stealing an estimated 1.5TB of data. Then, Interlock took credit for hitting DaVita, a major dialysis provider. Data leaks followed.
In 2024 alone, ransomware attacks on U.S. healthcare providers spiked.
There were 98 separate incidents that compromised a combined 117 million patient records. Big names like Change Healthcare (100M records), Summit Pathology, OnePoint Patient Care, and Boston Children’s Health Physicians all made headlines.
The reality is this: healthcare remains a top target. Attackers know systems are complex, response timelines are tight, and downtime directly impacts care. That pressure makes organizations more likely to pay ransoms, even if they say they won’t.
Now, you might be wondering: what does this mean for your organization?
First, assume you’re on the radar. Second, make sure your defenses are tested, patched, and backed up, especially before an incident hits. Third, don’t wait until you’re under attack to ask questions about response plans or recovery steps.
We can’t stress this enough: preparation matters.
And that’s not all; having a solid incident response plan is table stakes. Whether it’s ransomware, phishing, or insider threats, you need visibility, control, and a way to respond fast without panic.
____________________________________________________________________________
Ohio-Based Health Network Struggles to Recover After Ransomware Gang Claims Massive Data Breach
A major ransomware attack on Kettering Health, one of Ohio’s largest healthcare systems, has exposed the ongoing vulnerabilities faced by medical organizations across the U.S.
Two weeks after the incident forced a system-wide shutdown, a cybercriminal group calling itself Interlock has claimed responsibility, along with the theft of nearly a terabyte of sensitive data.
The attack, which occurred in mid-May 2025, disrupted hospital operations, delayed patient care, and knocked key systems offline across Kettering’s network of hospitals, clinics, and outpatient centers.
While systems are gradually being restored, the fallout is far from over.
Who Is Interlock—and Why Healthcare?
Interlock, a relatively new ransomware group that emerged in late 2024, has rapidly shifted its focus to the healthcare sector.
The group initially stayed quiet following the breach, but has now published evidence of the stolen data on the dark web, which is likely a sign that ransom negotiations fell apart or were never entertained.
Kettering Health has stated publicly that it will not pay ransom demands, a stance consistent with federal guidance. Still, the consequences of that decision are becoming clearer as leaked data begins circulating online.
What Was Stolen?
According to files released by Interlock, the data breach affected both patient and employee information:
- Patient data included full names, medical histories, medications, mental health records, and identification numbers.
- Employee files were also compromised, particularly from shared network drives and internal departments.
- In-house police department documents reportedly exposed sensitive law enforcement records such as background checks, polygraph results, and PII of security personnel, a development raising red flags about staff safety and privacy.
While the full scope of the damage is still under investigation, this incident highlights how deeply ransomware actors can penetrate critical infrastructure when systems are unprepared or under-protected.
In a subsequent update, Kettering Health confirmed that its electronic health record (EHR) system, powered by Epic, was restored. This marked a critical step toward normalizing operations, allowing medical teams to access patient charts, coordinate treatments, and streamline internal communications.
But restoring functionality doesn’t undo the damage already done. With over 940 GB of sensitive files potentially compromised, patients and staff are now left to wonder what might happen next and what information could surface online.
Lessons for the Healthcare Sector
This breach is yet another reminder that healthcare organizations remain top targets for ransomware groups, especially those who view hospitals as high-pressure victims more likely to pay up.
____________________________________________________________________________
New Healthcare Cybersecurity Legislation Targets Frontline Defenses—But Is It Enough?
As ransomware continues to paralyze hospitals and patient data leaks make headlines, U.S. lawmakers are pushing forward with a new legislative effort to boost cybersecurity across the healthcare sector.
Introduced with bipartisan support, the Healthcare Cybersecurity Act of 2025 aims to strengthen cyber defenses for providers and reduce the number of Americans caught in the fallout of these increasingly frequent attacks.
But while the bill has a clear intent, some experts are asking: Does it go far enough to match the scale of today’s threats?
A Rising Tide of Cyberattacks on Healthcare
According to data cited by Congressman Brian Fitzpatrick (R-PA), over 46 million Americans had their medical records exposed in breaches just a few years ago, and that number has only grown.
These attacks have forced hospitals to cancel surgeries and delay critical care, and they have exposed deeply personal health information, including mental health notes and prescription histories, to bad actors on the dark web.
His remarks come just weeks after two major incidents rocked the industry:
- A ransomware attack on Kettering Health in Ohio that crippled hospital systems and exposed sensitive data
- A data privacy failure at Kaiser Permanente in California tied to third-party trackers, affecting millions
Together, those breaches impacted over 13 million individuals, a stark reminder that healthcare remains one of the most vulnerable sectors in the U.S.
What the Healthcare Cybersecurity Act Proposes
The Healthcare Cybersecurity Act of 2025 lays out a federal framework to support providers before, during, and after an attack. Key provisions include:
- Joint threat coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS)
- A dedicated liaison role to improve real-time communication, incident response, and cyber threat analysis between the two agencies
- Expanded cybersecurity training for healthcare workers, including frontline clinicians and admin teams
- A full sector-wide review of systemic vulnerabilities, aimed at identifying weak links and closing critical gaps
Why Healthcare Needs More Than Reactive Policies
The bill reflects a growing awareness that healthcare organizations, especially small and mid-sized systems, need federal help to keep pace with evolving cyber threats.
Unlike financial institutions or tech giants, most hospitals don’t have large-scale security teams or budgets. And with ransomware gangs specifically targeting healthcare because of its urgency and complexity, the stakes are especially high.
Security professionals have cautiously welcomed the bill but warn that legislation alone won’t be enough.
Stronger enforcement of existing rules like HIPAA, faster funding for infrastructure upgrades, and public-private threat intelligence sharing are also critical if the healthcare sector is to truly improve its resilience.
The Bottom Line
The Healthcare Cybersecurity Act of 2025 is a step in the right direction and a signal that Washington is finally paying attention to the cybersecurity crisis unfolding in American healthcare.
But for hospital leaders and IT teams on the front lines, the real test will be how quickly support reaches them, and whether it’s enough to stop the next breach before it begins.
____________________________________________________________________________
Smarter, Faster, Safer: How Threat Intelligence Is Transforming Healthcare SOCs
As cyberattacks on healthcare systems grow more frequent and sophisticated, the mission of your Security Operations Center (SOC) is no longer just to respond to threats but also to stay ahead of them.
That’s why integrating Cyber Threat Intelligence (CTI) into healthcare SOC workflows is quickly becoming the new standard for proactive defense.
From ransomware to data extortion to attacks targeting patient safety systems, the stakes are simply too high to rely on traditional detection methods alone. Integrating actionable threat intel can drastically improve how your security team identifies, prioritizes, and neutralizes attacks.
Why Threat Intelligence Is Critical for Healthcare SOCs
In a sector where human lives depend on digital uptime, the value of threat intelligence is clear: it helps healthcare SOCs predict attacks before they cause harm.
Analyzing indicators of compromise (IOCs) and attacker tactics, techniques, and procedures (TTPs) can help your team spot patterns that point to emerging threats.
Frameworks like MITRE ATT&CK have become invaluable for mapping adversary activity and simulating attack scenarios.
When CTI is integrated with Security Information and Event Management (SIEM) systems, it sharpens visibility and drastically cuts down dwell time, the window of opportunity attackers have before they’re detected.
In fact, healthcare organizations that use threat intel this way have seen a 78% reduction in undetected intrusions, according to industry research.
Accelerating Incident Response With Automation
For hospitals juggling high patient volumes and strained IT staff, every second counts during an incident. That’s where Security Orchestration, Automation, and Response (SOAR) platforms come in.
When threat intelligence is baked into SOAR playbooks, routine attacks like credential phishing or ransomware payloads can be identified and blocked in seconds instead of hours.
In one real-world example, a regional health network used automated IOC blocklisting to stop a phishing campaign linked to a known threat actor group targeting the healthcare sector. Without human intervention, malicious domains were blacklisted and firewall rules were updated across the network before a single endpoint was compromised.
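The automated IOC blocklisting described above, as an added example (not code from this newsletter or from any SOAR product). It goes slightly beyond the text by adding two guards a hospital playbook needs before blocking without a human: an allowlist for clinically critical domains and an indicator age check. The feed entries, DNS log lines, hostnames, thresholds and function names are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample data (not real indicators): feed entries and DNS log lines.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
FEED = [
    {"domain": "login-portal.example", "confidence": 90, "last_seen": "2025-05-30"},
    {"domain": "cdn.ehr-vendor.example", "confidence": 95, "last_seen": "2025-05-31"},
    {"domain": "old-campaign.example", "confidence": 85, "last_seen": "2024-11-02"},
    {"domain": "maybe-bad.example", "confidence": 40, "last_seen": "2025-05-29"},
]
# Domains clinical systems depend on: never auto-block, route to an analyst.
CLINICAL_ALLOWLIST = {"ehr-vendor.example"}
DNS_LOG = [
    "2025-06-01T08:01:12Z ws-rad-014 A mail.login-portal.example",
    "2025-06-01T08:01:40Z ws-lab-002 A cdn.ehr-vendor.example",
    "2025-06-01T08:02:03Z ws-adm-107 A old-campaign.example",
    "2025-06-01T08:02:09Z ws-adm-107 A maybe-bad.example",
    "2025-06-01T08:02:30Z ws-icu-003 A intranet.hospital.example",
]

def parents(name):
    """Return name and each parent domain: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(indicator, now=NOW, min_conf=70, max_age_days=90):
    """Playbook decision for one feed entry that matched a query."""
    if any(p in CLINICAL_ALLOWLIST for p in parents(indicator["domain"])):
        return "review"  # blocking could interrupt patient care
    seen = datetime.strptime(indicator["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if now - seen > timedelta(days=max_age_days):
        return "review"  # stale indicator, the domain may have changed hands
    return "block" if indicator["confidence"] >= min_conf else "review"

def triage(log_lines, feed):
    """Return (host, queried_name, matched_indicator, action) for each hit."""
    by_domain = {e["domain"]: e for e in feed}
    hits = []
    for line in log_lines:
        _ts, host, _qtype, qname = line.split()
        # Match the queried name or any parent, so subdomains of an IOC are caught.
        match = next((by_domain[p] for p in parents(qname) if p in by_domain), None)
        if match:
            hits.append((host, qname, match["domain"], decide(match)))
    return hits

def blocklist(hits):
    # Only "block" decisions are pushed to the firewall or DNS filter unattended.
    return sorted({dom for _h, _q, dom, action in hits if action == "block"})

if __name__ == "__main__":
    print(triage(DNS_LOG, FEED), blocklist(triage(DNS_LOG, FEED)))
```

Hits that come back as "review" are the ones where an unattended block carries clinical or false-positive risk, so they go to an analyst queue instead of the firewall.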
Healthcare-Driven Threat Intelligence Sharing
One of the most effective (and often underutilized) tools in your cybersecurity toolkit is threat intelligence sharing.
Many hospitals are members of the Health Information Sharing and Analysis Center (H-ISAC), which provides real-time alerts, curated intelligence feeds, and community-driven threat research.
These partnerships aren’t just theoretical.
In a recent case, H-ISAC members shared early indicators of a ransomware campaign targeting hospital scheduling systems. That intel helped multiple health systems preemptively block related infrastructure, averting a chain reaction of system outages.
Going on the Offensive: Intelligence-Led Threat Hunting
Advanced healthcare SOCs are no longer waiting for alerts to trigger action. Instead, they’re proactively hunting threats based on intelligence-led hypotheses.
This could mean monitoring dark web chatter for mentions of healthcare supply vendors, or cross-referencing TTPs of known ransomware groups with your environment’s vulnerabilities.
For example, a hospital’s internal security team recently discovered that one of its imaging software vendors had been flagged in dark web forums. Further investigation revealed backdoor access in legacy systems, stopping a supply chain attack before it reached the clinical floor.
Quarterly purple team exercises, where defenders (blue teams) face off against simulated attackers (red teams), are also helping healthcare SOCs assess readiness for advanced persistent threats (APTs).
The Future: AI-Driven Intelligence and Cross-Border Defense
Looking ahead, artificial intelligence is poised to become a force multiplier for healthcare cybersecurity.
Natural language processing (NLP) can now scan unstructured threat feeds like forums, breach disclosures, or dark web posts and extract actionable data.
Some healthcare SOCs are using these tools to automatically generate detection rules for their SIEMs, reducing response time from days to minutes.
And as attacks grow more global, collaborative defense is no longer optional.
Initiatives like INTERPOL’s Global Cybercrime Program have shown the power of international cooperation. A recent joint operation involving 12 countries dismantled a botnet that had been siphoning millions from hospitals and insurers across the globe.
____________________________________________________________________________
The message is loud and clear: malicious actors are intensifying their offense against the US healthcare sector. Whether it’s operational shutdowns, stolen medical data, or lagging legislation, the cost of being unprepared has never been higher.
Worried about your organization’s cyber readiness?
Explore how Infoguard Cybersecurity can help you stay ahead of threats with tailored protection for healthcare systems.