It is no secret that the healthcare industry is a target for hackers. Hundreds of companies experience cybersecurity incidents every year.
Before the 2024 healthcare cyberattacks and cloud strike halts, massive attacks at Anthem, Carefirst Bluecross BlueShield and UCLA Health Systems nearly a decade ago sparked the industry. This trend has been wake-up calls for providers increasingly using electronic health records but probably not incorporating sufficient protection to keep patient data safe online.
Cyberattacks are not invasive to patients. They are also very costly. In fact, last year, IBM reported that healthcare data breaches cost an average of $9.8 million per incident.
These attacks were industry-wide lessons in 2015, and experts spoke with Healthcare Brew about how their approach to cybersecurity has changed.
“The only thing that really moves needles in cybersecurity is the prominent attacks,” said cybersecurity expert Mark Stockley.
Looking back at the attack
The first violation began in February 2014, but was not disclosed until about a year later, when the Health Plan announced that the hacker had stolen personal information, including his name, health identification number, date of birth, Social Security number, telephone number, email address, employment and income information.
The hack was reportedly discovered by a database administrator, according to the California Department of Insurance. The company said the database was closed in January 2015 shortly after its discovery, and staff changed their passwords. The company paid at least $180 million until 2020 to resolve lawsuits related to the case.
Soon in June 2014, Bluecross Blueshield Company, CareFirst, experienced a cyberattack that exposed a “single database” related to the company's website and online services. In May 2015, the company announced that hackers had stole personal information about their 1.1 million members and business associates.
In May 2015, UCLA Health confirmed that it had already been hit by a suspected cyberattack in October 2014, Tech News site TechTarget reported. The attack affected 4.5 million patients. Data such as name, Social Security Number and medical information have been stolen, and UCLA Health paid a $7.5 million settlement in March 2019 for failing to report a violation early under the HIPAA Privacy Rules.
None of these companies provided comments on the attack.
Lessons learned
Part of the issue of the national anthem attack, in particular, was that the company had not encrypted personal information. Leeann Nicolo said he is the incident response lead at Coalition, a cybersecurity insurance company that is also working to recover from the national anthem attack. Encryption changes data and information into code, making it difficult for hackers to determine the meaning.
In 2015, encryption and multifactorial authentication (MFA) was not the norm it is today, she added. (Some companies do not yet have MFA requirements, as seen in change cyberattacks).
“The violation was a wake-up call that revealed how vulnerable this data was,” she said, adding that she remembers she is ready for the hack and thinks healthcare is behind other industries.
Healthcare Brew covers drug development, health startups, the latest technologies, and how it will impact hospitals and providers and keep administrators and providers informed.
Cyberattacks on the healthcare industry are on the rise. A 2025 data breaches report from Verizon found that the industry had seen 1,710 security incidents between November 1, 2023 and October 31, 2024. This is up from 1,378 security incidents the previous year.
Since 2015, Nicolo said there has been a “significant” increase in threat detection budgets and investments in security operations centers and endpoint detection and response tools.
In a survey of 273 health cybersecurity experts by the Healthcare Information and Management Systems Association, 52% of respondents say their organization will “increase” their IT budgets from 2024 to 2025.
The attacks have established other norms, such as Remote Desktop Protocol for people working outside the office, and other robust offline backups, a secondary safe place for data stored in emergencies. There was also a push to shift cybersecurity from less IT concerns to “strategic board-level risk,” Nicolo said.
“[The executives]started planning their plans financially. They put people on the people that were the only role,” she said.
There is also more awareness of phishing attacks than today, compared to 10 years ago, and users are being fooled to provide personal information, Nicolo said. However, she said these attacks have become “more refined” and employ methods such as using token theft, or tactics to get MFA information to access the accounts.
The regulations have created more protections for healthcare data, including stricter enforcement and fines from HIPAA and FDA, as well as state privacy laws such as the California Consumer Privacy Act of 2018.
“There are regulations with more teeth,” said Nadya Bartol, managing director of consulting firm BCG Platinion.
I'm looking forward to it
The industry has learned a few lessons, but this remains a continuous cycle. New technologies emerge as quickly as possible to bring their competitors to the market, but as a result, they sacrifice cybersecurity along the way.
When an inevitable attack appears and sensitive data that is not properly protected is compromised, new regulations will be drafted and safety protocols will be adopted, Bartl said.
“We need to learn to move faster and not break things,” Bartl said.
One area that requires more scrutiny is the use of third-party vendors, Nicolo said, as some companies assume these groups cover security. It is important to review your suppliers, to ensure that you have the proper security, staffing, training and your system is up to date.
Additional regulations may be coming to the industry. The Healthcare Cybersecurity Act was introduced in Congress in June, and the federal Agency for Cybersecurity and Infrastructure Security and the Department of Health and Human Services will need to work together to study cyber risks to the healthcare industry.
Meanwhile, attacks continue to be more advanced.
“Maybe if you don't take responsibility, you'll suffer from consequences.
