New Healthcare Threat Research Reveals Breaches and Ransomware Still a Problem in the Sector

By Douglas McKee

Healthcare is undeniably a data-driven industry, holding vast amounts of sensitive personal and medical information—like social security numbers, medical histories, and financial records—which makes it an attractive target for exploitation. This data is highly valuable on the black market. In 2024 alone, more than 14 million individuals were impacted by data breaches resulting from malware aimed at the U.S. healthcare sector. The widespread adoption of digital tools, AI, and platforms during and after the COVID-19 pandemic has further expanded the attack surface of healthcare organizations. Our data shows a marked increase in ransomware attacks against the healthcare industry since 2022.

Ransomware: The Leading Threat to Healthcare

Healthcare organizations have become prime targets for ransomware due to their critical functions and the potential for significant financial gain. Disruptions to patient data access or medical systems can result in life-threatening situations, making these organizations more likely to pay ransoms to resume operations swiftly. In 2024, ransomware was responsible for 91% of malware-related data breaches in the healthcare sector, with Lockbit standing out as one of the most notorious ransomware groups targeting this industry. Lockbit took credit for breaches involving LivaNova, a medical device manufacturer (affecting over 180,000 U.S. patients), and Panorama Eyecare (impacting nearly 400,000 individuals).

Another major player, BlackCat (ALPHV), was involved in the Change Healthcare data breach, where a ransom of $22 million was paid under false pretenses, only for another group, RansomHub, to issue a second ransom demand. Both Lockbit and BlackCat (ALPHV) use a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out attacks in exchange for a share of the ransom payments. This structure allows even those with limited technical skills to conduct highly sophisticated ransomware attacks, increasing both the frequency and scale of these incidents.

Vulnerabilities and Attack Vectors in Healthcare

The growing integration of digital systems—such as electronic health records, telemedicine platforms, and Internet of Medical Things (IoMT) devices—has opened multiple avenues for cyberattacks. For instance, the Cl0p Ransomware group exploited a zero-day vulnerability in MOVEit (CVE-2023-34362), a secure file transfer application, by injecting SQL commands to gain access to customer databases. This breach exposed sensitive healthcare information, including treatment plans, from CareSource, a non-profit managing Medicaid, Medicare, and Marketplace programs.

Healthcare workers, whose primary focus is patient care, are often vulnerable to phishing and social engineering attacks. Cybercriminals take advantage of this by launching targeted campaigns that trick employees into disclosing credentials or downloading malware, as demonstrated in the 2024 breach of the Los Angeles County Department of Mental Health.

Critical Vulnerabilities Exploited in Healthcare

In 2024, ransomware groups targeting the healthcare sector exploited several critical vulnerabilities, primarily leveraging well-known flaws to infiltrate networks, escalate privileges, and deploy ransomware. According to our data, approximately 60% of the vulnerabilities exploited by threat actors in healthcare targeted Microsoft Exchange.

Microsoft Exchange Server Vulnerabilities

Many attacks have centered on Microsoft Exchange Server, a widely used communication platform in the healthcare industry:

  • ProxyShell Exploit Chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207): Used to gain unauthorized access to servers, escalate privileges, and deploy ransomware.
  • ProxyLogon Vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065): These include a server-side request forgery (SSRF) flaw and multiple post-authentication arbitrary file write vulnerabilities, allowing attackers to impersonate the Exchange server, access email accounts, and write files to any server location.

Groups like BlackCat (ALPHV) have heavily exploited these vulnerabilities, often chaining them together to maintain persistence and amplify their impact on healthcare organizations.

Our Managed Security Services (MSS) team identifies insufficient patching as the leading cause of Microsoft Exchange server compromises. We frequently observe organizations engaging in “reactive patching,” where they patch against major threats but fail to keep their servers consistently updated. This leaves critical vulnerabilities unaddressed, increasing the risk of exploitation.
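One way a defender can turn the ProxyShell entry on the list above into a concrete check is to triage Exchange front-end (IIS) logs for the publicly documented request shape, where autodiscover.json is requested with an "@"-prefixed backend path smuggled in the query. The script below is an added example, not code from the article or from SonicWall; the log lines are constructed, and the field order and the heuristic are assumptions that need tuning against a site's own baseline.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not taken from the article). Assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2024-03-02 10:14:07 GET /owa/auth/logon.aspx - 198.51.100.7 200
2024-03-02 10:15:21 POST /autodiscover/autodiscover.json @example.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.invalid 203.0.113.9 200
2024-03-02 10:16:02 POST /autodiscover/autodiscover.json @example.invalid/powershell?&Email=autodiscover/autodiscover.json%3F@example.invalid 203.0.113.9 200
2024-03-02 10:18:10 GET /autodiscover/autodiscover.xml - 198.51.100.7 401
"""

# Assumed heuristic: the backend named in the smuggled path (/mapi/nspi, /powershell, /ews)
# tells the analyst which stage of the chain was attempted, which drives the response priority.
BACKEND_RE = re.compile(r"/(mapi/nspi|powershell|ews)\b", re.I)

def parse_line(line):
    """Split one W3C log line into a dict; return None for short or malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, method, stem, query, client, status = parts[:7]
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": unquote(query) if query != "-" else "",
            "client": client, "status": int(status)}

def is_proxyshell_shape(rec):
    """autodiscover.json requested with '@' and an Email= parameter in the query."""
    q = rec["query"].lower()
    return (rec["stem"].lower().endswith("/autodiscover/autodiscover.json")
            and "@" in q and "email=" in q)

def detect(log_text):
    """Return the suspicious records, each annotated with the backend it tried to reach."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxyshell_shape(rec):
            m = BACKEND_RE.search(rec["query"])
            rec["backend"] = m.group(1).lower() if m else "unknown"
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['backend']} (HTTP {h['status']})")
```

A hit with HTTP 200 on a server that is still unpatched is the signal to isolate the host and start an incident review; on a patched server the same request shape should be rejected, so the status code matters as much as the match.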

Other Significant Vulnerabilities

BlackCat/ALPHV and other ransomware groups have also targeted additional vulnerabilities to broaden their attack surface:

  • CVE-2023-27350: Affects PaperCut servers, used to compromise networked systems.
  • CVE-2023-4966: Known as the Citrix Bleed vulnerability, it poses a significant threat to organizations relying on Citrix for remote access, which is common in healthcare.
  • CVE-2016-0099: An older Microsoft Windows vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol, which allows attackers to gain elevated privileges.

Protecting Healthcare Organizations

To safeguard against cyber threats, healthcare organizations must adopt a comprehensive, multi-layered cybersecurity approach, emphasizing regular updates, robust access controls, and continuous monitoring:

  • Regular updates and patch management: Keeping operating systems, applications, and security tools up to date is essential for applying the latest security patches. For instance, vulnerabilities like ProxyShell and ProxyLogon in Microsoft Exchange Server were exploited because many organizations delayed patching.
  • Strong access controls and authentication protocols: Implementing multi-factor authentication (MFA) reduces the risk of unauthorized access from compromised credentials. Using technologies such as Zero-Trust Network Access (ZTNA) and secure SD-WAN further ensures that only authorized individuals can access sensitive healthcare systems, significantly lowering the risk of attacks.
  • Continuous monitoring: Round-the-clock, 24x7x365 monitoring is crucial for healthcare organizations to detect and respond to cyber threats in real time. With healthcare systems constantly under threat, continuous monitoring allows for the rapid identification and mitigation of suspicious activities before they evolve into major incidents, minimizing the likelihood of data breaches and service disruptions.

As cyber threats targeting the healthcare sector continue to escalate, the need for a proactive and multi-layered defense strategy has never been more critical. Healthcare organizations must remain vigilant by ensuring regular patching, implementing robust access controls, and maintaining continuous monitoring to detect and respond to threats in real time. The healthcare industry’s growing reliance on digital systems, combined with the highly sensitive nature of the data it handles, makes it an attractive target for ransomware groups and cybercriminals. By adopting comprehensive security measures and fostering a culture of cybersecurity awareness, healthcare organizations can better protect patient data, safeguard critical operations, and minimize the impact of future attacks.

Image credit: ivlianna, AdobeStock


Posted by

Douglas McKee

Douglas McKee is the Executive Director of Threat Research at SonicWall, where he and his team focus on identifying, analyzing and mitigating critical vulnerabilities through daily product content. Douglas has deep technical expertise acquired through involvement in application and system security testing, hardware and software vulnerability research, malware analysis, forensics, penetration testing, red team exercises, protocol analysis, application development, and risk mitigation activities. He is also the lead author and instructor for SANS SEC568: Product Security Penetration Testing - Safeguarding Supply Chains and Managing Third-Party Risk. Doug is a regular speaker at industry conferences such as DEF CON, Blackhat, Hardware.IO and RSA, and in his career has provided software training to many audiences, including law enforcement. You can connect with Douglas via LinkedIn: https://www.linkedin.com/in/douglas-mckee-77460677/