Common Reasons Behind Data Breaches in Small‑to‑Medium Healthcare Organizations

Healthcare
September 7, 2025

In recent years healthcare has become the most expensive industry for a data breach, with U.S. breaches averaging US$10.22 million. Regulators punish non‑compliance, and the long breach lifecycle in healthcare (279 days on average) drives costs even higher. In 2024, more than 275 million healthcare records were compromised in the U.S., largely due to a handful of “mega‑breaches” like the Change Healthcare ransomware incident. Attackers exploit basic weaknesses—phishing, unpatched systems, weak credentials and poorly secured vendors—rather than exotic zero‑day vulnerabilities.

1 The Data Breach Landscape for Healthcare SMBs

High Costs and High Stakes
  • Costliest industry: For the 14th consecutive year, healthcare has the highest breach costs. IBM’s 2025 report notes that U.S. data breaches cost US$10.22 million, up 9.2 % from 2024. The average healthcare breach worldwide costs US$7.42 million. Regulatory fines and detection costs drive U.S. figures.
  • Long breach lifecycle: The global average time to identify and contain a breach fell to 241 days, yet healthcare breaches still take 279 days. Longer dwell times allow attackers to move laterally and exfiltrate more data.
  • Massive record exposures: In 2024, 275 million U.S. healthcare records were compromised. The February 2024 Change Healthcare ransomware attack alone exposed approximately 190 million people.
  • Hacking dominates: Hacking and IT incidents account for nearly 80 % of healthcare breaches. System intrusion (malware, ransomware and lateral movement) appears in 53 % of confirmed breaches.
  • Value of PHI: PHI is far more lucrative than credit‑card data. The Center for Internet Security notes that tampering with medical data can lead to “faulty treatment, with fatal and irreversible losses.” On the dark web, a complete medical record can sell for hundreds of dollars.

Why SMB Healthcare Providers Are Vulnerable

Small practices and community clinics operate on thin margins and focus on patient care rather than enterprise‑class security. The Healthcare & Public Health Sector Coordinating Council (HSCC) notes that only 14 % of healthcare providers have fully staffed IT security teams. Key challenges include:

  • Limited resources: Many SMBs lack dedicated security staff and rely on third‑party IT contractors. Budgets and cyber expertise are constrained.
  • Legacy systems: SMBs often use outdated electronic health record (EHR) servers and medical devices that are hard to patch. Unpatched vulnerabilities fuel about 20 % of healthcare breaches, and only 54 % of vulnerable edge devices are fully remediated.
  • Third‑party risk: Small organizations depend on billing services, cloud providers and specialized vendors. Supply‑chain breaches doubled in a year, growing from 15 % to 30 % of incidents.
  • Human factors: Limited training and awareness mean employees fall for phishing or mishandle data. NordLayer’s 2024 survey found that 88–92 % of healthcare organizations experience cyber‑attacks annually and 69 % of attacks disrupt patient care.

2 Common Reasons Behind Data Breaches

2.1 Phishing and Social Engineering

Phishing remains the most common initial access vector in healthcare. IBM’s 2025 report attributes 16 % of breaches to phishing. Proofpoint’s Ponemon survey found that 92 % of healthcare organizations experienced at least one cyber‑attack in the past year and 69 % reported that attacks disrupted patient care. Attacks include generic phishing emails and targeted spear‑phishing, where criminals impersonate executives or vendors to steal credentials.

Case study – Ascension Health (May 2024): A malicious email attachment allowed ransomware to cripple operations at 142 hospitals and compromise 5.6 million patient records. Staff reverted to paper records for weeks, illustrating how a single phishing incident can trigger operational chaos.

2.2 Ransomware and System Intrusion

Ransomware is among the most debilitating threats. Verizon’s 2025 DBIR shows system intrusion (often involving malware and ransomware) leads all attack patterns at 53 % of breaches. Ransomware was present in 44 % of breaches, and small businesses bear the brunt—88 % of SMB breaches contained a ransomware component.

Case study – Change Healthcare (Feb 2024): Attackers used compromised credentials on a Citrix portal that lacked MFA, infiltrated Change Healthcare and disrupted prescription and claims processing nationwide. The breach exposed about 190 million individuals.

2.3 Stolen or Weak Credentials

Stolen credentials remain a top entry vector. Verizon notes that 22 % of breaches begin with stolen credentials and 20 % stem from exploited vulnerabilities. Many SMB providers do not enforce MFA or strong password policies, making credential theft simple. Privilege abuse is also significant: Rectangle Health observed that healthcare is the industry most impacted by privilege abuse, and 22 % of privilege‑abuse incidents resulted in medical data theft.

2.4 Unpatched Vulnerabilities and Legacy Systems

Attackers increasingly exploit known vulnerabilities. Verizon’s 2025 report notes that only 54 % of vulnerable edge devices are fully patched and the median time to remediate is 32 days. Unpatched edge and VPN flaws have increased eightfold. A Ponemon survey found that 60 % of breach victims were compromised due to known vulnerabilities they failed to patch. Legacy systems without vendor support remain common in small practices.

2.5 Insider Threats and Human Error

Not all breaches originate externally. Employees and contractors with legitimate access may intentionally or accidentally expose PHI. Human error—misdirected emails, lost laptops or failing to log off—causes many breaches. The CIS security centre lists credential‑stealing malware, insider disclosure and lost devices among common causes. Rectangle Health highlights that privilege abuse is prevalent in healthcare, with 22 % of such incidents involving data theft.

2.6 Third‑Party and Partner Breaches

Healthcare providers rely on billing services, EHR vendors and cloud partners. Verizon’s 2025 DBIR reports that third‑party involvement surged to 30 % of breaches, doubling from 15 %. Attackers target vendors because they often have weaker defenses. The Eye Care Leaders breach (2021) compromised more than 2 million patients across small practices and universities. In 2022, Medibank’s breach began with stolen third‑party credentials lacking MFA, exposing 9.7 million records.

2.7 Data Breaches from Hacking and Malware

Direct hacking and malware dominate healthcare breaches. Hacking accounts for nearly 80 % of incidents. Malware—including spyware, info‑stealers and keyloggers—harvests credentials and exfiltrates data. Insider breaches, phishing, third‑party risks and IoT vulnerabilities also play roles.

2.8 Human Factors and Limited Resources

Many breaches trace back to human factors and resource constraints. HSCC notes that only 14 % of healthcare providers have fully staffed IT security teams. NordLayer points out that budget constraints and shortages of skilled professionals hamper security programs. Rapid adoption of telemedicine and AI tools has expanded the attack surface, yet most small practices lack continuous training and vendor oversight.

3 Impact of Breaches on SMB Healthcare Organizations

3.1 Financial Losses

Breaches inflict severe financial harm. IBM’s 2025 report shows U.S. breach costs at US$10.22 million, while the global average dropped to US$4.44 million. Healthcare breaches remain the most expensive, averaging US$7.42 million. Detection and escalation costs, lost business and regulatory penalties are major cost drivers.

3.2 Operational Disruption

Ransomware can shut down billing and treatment systems, forcing staff to revert to paper charts. Proofpoint’s survey found that 69 % of healthcare cyber‑attacks disrupted patient care, and 56 % of respondents saw poorer patient outcomes due to delays. Breach recovery is slow: most organizations take more than 100 days to recover, and 279 days on average for healthcare.

3.3 Patient Harm

Delays in care caused by ransomware can be deadly. Researchers from the University of Minnesota estimate that during ransomware attacks, in‑hospital mortality for Medicare patients increases from 3 % to 4 %, translating to 42–67 additional deaths between 2016 and 2021. The impact likely extends to patients with other insurance coverage. Additionally, tampering with medical records can lead to faulty treatment and irreversible losses.

3.4 Reputational Damage and Legal Exposure

Data breaches erode trust, drive patient churn and invite class‑action lawsuits. High‑profile incidents like Change Healthcare and Ascension Health triggered regulatory investigations and legal action. Organizations must notify affected patients, provide credit monitoring and face intense media scrutiny—costly both financially and reputationally.

4 Mitigation Strategies for SMB Healthcare Organizations

4.1 Strengthen Email and Phishing Defenses

  • Deploy secure email gateways with malware scanning and phishing detection. Use DMARC, SPF and DKIM to authenticate email domains.
  • Enforce multi‑factor authentication on all email and remote‑access systems. The Change Healthcare and Medibank breaches demonstrate the danger of relying on passwords alone.
  • Conduct regular phishing simulations and ongoing staff training. Proofpoint notes that 71 % of healthcare organizations are using security awareness training; SMBs should emulate this.
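The SPF, DKIM and DMARC records above are only as good as their settings: a DMARC record with `p=none` reports spoofing but still delivers it, and an SPF record ending in `~all` softfails rather than rejects. The following Python script is an added example, not code from the article or any vendor it cites; it reads the kind of TXT records a DNS lookup would return and flags weak settings beside a hardened counterpart. The two domains, their records and the DKIM public‑key placeholder are constructed for illustration; a real check would query `<domain>`, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` first.

```python
"""Flag weak SPF / DKIM / DMARC settings for a domain.

Added example, not from the original article. All records below are
constructed sample values for hypothetical clinic domains, not live DNS data.
"""
import re

# Constructed TXT records, shaped like a real lookup of <domain>, <selector>._domainkey.<domain>
# and _dmarc.<domain> would return them. The "weak" domain publishes common but unsafe settings.
SAMPLE_RECORDS = {
    "weak-clinic.example": {
        "spf": "v=spf1 include:_spf.example-mailer.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-clinic.example",
        # no DKIM selector record published at all
    },
    "hardened-clinic.example": {
        "spf": "v=spf1 include:_spf.example-mailer.net -all",
        "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64",  # constructed placeholder key
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened-clinic.example",
    },
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation)
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC or DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of human-readable weaknesses in an SPF record (empty list = fine)."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    terms = record.split()
    if "+all" in terms or "?all" in terms:
        findings.append("SPF ends with +all/?all: any host may send as this domain")
    elif "~all" in terms:
        findings.append("SPF uses ~all (softfail): spoofed mail is marked, not rejected")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders are not failed")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): evaluates as permerror")
    return findings


def check_dkim(record):
    """Check that a DKIM selector record exists and still carries a public key."""
    if not record:
        return ["No DKIM selector record published"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["DKIM record malformed"]
    if not tags.get("p"):
        return ["DKIM record has an empty p= tag: key is revoked, signatures will not verify"]
    return []


def check_dmarc(record):
    """Flag DMARC settings that let spoofed mail through or hide it from reporting."""
    if not record:
        return ["No DMARC record published"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are reported but spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append("DMARC has no valid p= policy tag")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only a fraction of mail")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports are not collected")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Run all three checks against the stored records for one domain."""
    rec = records[domain]
    return {
        "spf": check_spf(rec.get("spf")),
        "dkim": check_dkim(rec.get("dkim")),
        "dmarc": check_dmarc(rec.get("dmarc")),
    }


def is_hardened(domain, records=SAMPLE_RECORDS):
    """True when no check produced a finding."""
    return not any(assess_domain(domain, records).values())


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, "hardened" if is_hardened(name) else assess_domain(name))
```

Moving from `p=none` to `p=reject` should be done after the aggregate reports (`rua=`) show that every legitimate sending service, including billing and appointment‑reminder vendors, is covered by SPF or DKIM; otherwise the clinic's own mail is what gets rejected.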

4.2 Patch Management and Asset Hardening

  • Inventory all devices and software, prioritizing patches for internet‑facing systems (VPNs, firewalls, routers). Unpatched vulnerabilities fuel 20 % of breaches.
  • Replace or segment legacy systems. If upgrades are not feasible, isolate vulnerable devices and restrict access.
  • Monitor vulnerability advisories and participate in sector‑specific information sharing groups to receive timely alerts.

4.3 Strong Identity and Access Controls

  • Implement role‑based access control (RBAC) and least privilege. Grant staff only the access needed for their roles.
  • Enforce MFA on all remote and privileged accounts. Use long, unique passwords and discourage reuse.
  • Monitor and audit user activity to detect privilege abuse and insider threats.
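Least privilege and audit monitoring reinforce each other: once each role has a defined set of permitted actions, any audit event outside that set is a concrete signal, and a user touching an unusual number of patient records in a short window is the classic "snooping" pattern behind privilege‑abuse incidents. The Python script below is an added example, not code from the article or from any EHR product; it runs two such rules over a small, constructed CSV audit log. The role‑to‑action matrix, the 20‑patients‑per‑hour threshold and every log line are assumptions for illustration and would be tuned to a real practice's EHR export.

```python
"""Detect privilege abuse in a PHI access audit log.

Added example, not the article's own code. The permission matrix, the bulk
threshold and the log lines are all constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed least-privilege matrix: which audit actions each role may legitimately perform.
ROLE_PERMISSIONS = {
    "nurse": {"view_chart", "update_vitals"},
    "physician": {"view_chart", "update_chart", "prescribe"},
    "billing": {"view_billing", "export_billing"},
    "it_admin": {"reset_password"},
}

# Distinct patients one user may touch in a single clock hour before it is treated as bulk access.
BULK_THRESHOLD = 20


def build_sample_log():
    """Construct a small CSV audit log mixing normal and suspicious activity."""
    rows = [
        "timestamp,user,role,action,patient_id",
        "2025-09-01T09:02:11,jsmith,nurse,view_chart,P1001",
        "2025-09-01T09:05:40,jsmith,nurse,update_vitals,P1001",
        "2025-09-01T09:07:03,bjones,billing,view_chart,P1002",   # billing staff opening a chart
        "2025-09-01T02:15:00,tadmin,it_admin,view_chart,P1003",  # IT admin reading PHI at 2 am
    ]
    # One physician pulling 25 distinct charts within a single hour late in the evening
    for i in range(25):
        rows.append(f"2025-09-01T22:{i:02d}:00,rlee,physician,view_chart,P{2000 + i}")
    return "\n".join(rows) + "\n"


def parse_log(text):
    """Parse CSV audit text into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def detect_privilege_abuse(events, threshold=BULK_THRESHOLD):
    """Return (rule, user, detail) tuples for out-of-role actions and bulk record access."""
    findings = []
    patients_per_user_hour = defaultdict(set)
    for e in events:
        allowed = ROLE_PERMISSIONS.get(e["role"], set())
        if e["action"] not in allowed:
            findings.append((
                "out_of_role", e["user"],
                f"{e['role']} performed {e['action']} on {e['patient_id']} at {e['timestamp']}",
            ))
        # Bucket by user and clock hour: 'YYYY-MM-DDTHH' is the first 13 chars of the timestamp.
        patients_per_user_hour[(e["user"], e["timestamp"][:13])].add(e["patient_id"])
    for (user, hour), patients in patients_per_user_hour.items():
        if len(patients) > threshold:
            findings.append((
                "bulk_access", user,
                f"{len(patients)} distinct patients accessed during {hour}:00",
            ))
    return findings


def flagged_users(events, threshold=BULK_THRESHOLD):
    """Set of users with at least one finding."""
    return {user for _, user, _ in detect_privilege_abuse(events, threshold)}


if __name__ == "__main__":
    for finding in detect_privilege_abuse(parse_log(build_sample_log())):
        print(*finding, sep=" | ")
```

The out‑of‑role rule is only as good as the permission matrix, which is why it should be derived from the same RBAC definitions the EHR enforces rather than maintained separately; the bulk rule is deliberately coarse and is there to surface records for a human reviewer, not to block access.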

4.4 Vendor and Supply‑Chain Security

  • Perform thorough due diligence on vendors, assessing security policies, breach history and compliance certifications.
  • Include security requirements in contracts—encryption, patch timelines, MFA and incident notification clauses.
  • Segment third‑party connections and limit vendor access to necessary systems and data. Supply‑chain breaches have doubled to 30 % of incidents.

4.5 Data Protection and Encryption

  • Encrypt PHI at rest and in transit. Encryption reduces the impact of stolen devices or intercepted communications.
  • Back up data regularly and test restoration procedures. Maintain offline backups to mitigate ransomware.
  • Classify data (public, internal, confidential, restricted) and apply appropriate controls.

4.6 Incident Response and Resilience

  • Develop an incident response plan tailored to small organizations. Define roles, communication protocols and escalation paths.
  • Join information sharing communities (ISAOs/ISACs) for healthcare. Rectangle Health recommends participating in sector‑specific groups to receive timely threat intelligence.
  • Conduct tabletop exercises and drills to practice incident response and identify gaps.

4.7 Cultivate a Culture of Cyber Hygiene

  • Promote accountability from leadership down. Executives must prioritize cyber risk management and allocate resources accordingly.
  • Emphasize basic cyber hygiene—logging off computers, using strong passwords, locking devices—as cost‑effective yet powerful defenses.
  • Provide continuous training. With 69 % of attacks disrupting patient care, human behavior remains the weakest link.
