CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Why Smaller Healthcare Providers Remain Easy Targets

Data Breach Today Archived May 21, 2026 ✓ Full text saved

Recent Hacks Underscore Persistent and Growing Threats to Smaller Organizations Small and mid-sized healthcare organizations - including medical specialty practices and regional clinics - continue to fall victim disproportionately to hacking incidents, including ransomware attacks and data thefts - affecting large populations of patients. Why does this keep happening?

Full text archived locally
✦ AI Summary · Claude Sonnet


    HIPAA/HITECH , Incident & Breach Response , Security Operations Why Smaller Healthcare Providers Remain Easy Targets Recent Hacks Underscore Persistent and Growing Threats to Smaller Organizations Marianne Kolbasuk McGee (HealthInfoSec) • May 20, 2026     Share Post Share Credit Eligible Get Permission Small and mid-sized healthcare organizations continue to fall victim disproportionately to hacking incidents, including ransomware attacks and data thefts - affecting large populations of patients. See Also: Cloud Security in Healthcare: Shifting from Reactive to Proactive Strategies Eight recently reported hacking incidents by smaller medical practices affected nearly 2 million individuals, with single breaches ranging from about 100,000 to nearly 600,000 individuals. The victims span a broad range of medical specialties and geographic regions. The victims include Coastal Carolina Health Care in North Carolina, with a hack affecting 110,304 individuals, to Erie Family Health Centers in Pennsylvania, with an incident affecting 570,000 patients, with an assortment of many other types of smaller organizations in-between. While the pattern of hacks posted in recent weeks on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches is not new, it is increasingly troubling. The trend aligns closely with findings in Verizon’s latest annual breach analysis, which found that healthcare overall remains a prime cyberattack target, with smaller organizations appearing especially vulnerable (see: Verizon Breach Report: Vulnerability Exploitation Surges). Of the 1,492 healthcare security incidents in 2025 that Verizon identified, smaller entities employing up to a thousand workers were the predominately identified victim, with 472 incidents. Larger organizations figured in just 21 incidents. The focus by cybercriminals on smaller healthcare providers can be explained beyond the fact that there are more of them and that these organizations tend to have a reduced capability to support critical cybersecurity controls, said Mike Hamilton, CISO emeritus at IT provider Datec Inc. "There has been an increase in the number of threat actors, facilitated by cybercrime 'affiliate' models; more actors are out shopping for victims - and small healthcare facilities are considered low-hanging fruit that are likely to pay extortion demands because of their criticality," said Hamilton, former CISO for the city of Seattle. The interconnected nature of the healthcare system also works to hackers' advantage. "There is no such thing as an isolated healthcare breach," said Skip Sorrels, field CISO and CTO of security firm Claroty. "The healthcare ecosystem is deeply digital, interconnected and co-dependent. A regional specialty clinic or a mid-sized provider is often the trusted backend node to a larger health network, insurance clearinghouse, or pharmacy chain," he said. "If we don't secure the weakest links in the medical supply chain, the blast radius of these breaches will only continue to expand." Many of the breach notices involving the recent healthcare hacks reported to federal regulators state that patient data - from names, Social Security numbers, medical information and more - was determined to be "accessed or acquired" during investigations into incidents involving "unusual activity" that disrupted access or operations of certain IT systems. In the healthcare incidents Verizon examined for its report, "financial" was identified as the threat actors' motive for the vast majority of the hacks, followed by espionage. "Espionage is likely focused on research, which would limit the type of facility targeted," Hamilton said. "Patentable drugs, cancer treatments, etc. would be in scope, as would the nation's readiness to respond to another pandemic or other public health emergency." The latter type of information might be used in military planning - and valuable to nation states, he said. The top initial access vectors in healthcare incidents identified by Verizon included exploitation of vulnerabilities, phishing and credential abuse. Many of the vulnerability exploitation incidents in healthcare involved third parties, such as in the Oracle E-Business Suite vulnerability (see: Clop Attacks Against Oracle E-Business Suite Trace to July). Vulnerability exploits will only escalate, especially given that Anthropic's powerful Claude Mythos artificial intelligence model for vulnerability identification "is not unique," Hamilton said. "AI changes the math because it eliminates the manual labor of scanning, identifying device makes and models, and guessing passwords. It turns what used to be a tedious, one-by-one targeting process into an automated, mass-scale dragnet," Sorrels said.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗