What Healthcare Organizations Need to Know-June 2025

Every month, Clearwater’s Monthly Cyber Briefing delivers the latest threat intelligence, regulatory updates, and expert insights to help healthcare organizations stay ahead. This digest highlights the key takeaways from our latest briefing—covering major breaches, rising ransomware threats, and the security challenges shaping the industry.

📅 Looking ahead? Our next live Cyber Briefing is July 10 at 12 PM CT. We’ll break down how healthcare organizations are advancing Enterprise Cyber Risk Management—benchmarking maturity, identifying top risks, and aligning security to business priorities. Featuring: David Bailey, VP of Consulting Services & Jon Stone, SVP & Chief Product Officer.

Register now: https://clearwatersecurity.com/monthly-cyber-briefing/

1️⃣ OCR Breach Portal: Notable Breaches and Transparency Concerns

May saw 78 new breach reports submitted to OCR, bringing the total to 295 breaches and 22.5 million records compromised so far in 2025. While many were smaller in volume, several notable breaches raised serious concerns around vendor oversight, notification timelines, and cloud data exposure.

  • Onsite Mammography suffered a 357K record breach and now faces 7 class action lawsuits.

  • Union Health reported a breach tied to the earlier Oracle Health/Cerner incident—adding to ongoing scrutiny over vendor transparency and delayed breach notifications.

  • Ascension disclosed that 437K records were improperly retained and later breached via a third-party app—highlighting multiple points of failure in vendor management.

  • Serviceaide, a contractor to Catholic Health, exposed 483K records via an unsecured cloud database, triggering lawsuits after a 7-month delay in notification.

These incidents reflect a broader pattern: many of the most impactful breaches stem from third-party failures, cloud misconfigurations, and insufficient diligence around sensitive healthcare data.

🔍 See below for breach stats and key incidents reported last month.

2️⃣ Global Ransomware Activity: 2025 Still Trending Above 2024

Ransomware attacks have surged in 2025, with cumulative victim counts continuing to outpace both 2023 and 2024 levels—even as activity began to level out in May. While not accelerating at the same pace as earlier this year, the overall volume remains historically high, with the U.S. accounting for the majority of victims.

A notable development: Qilin ransomware has rapidly climbed the ranks to become one of the top 3 ransomware-as-a-service (RaaS) groups this year. Following the disbandment of RansomHub, many of its affiliates are believed to have migrated to Qilin—helping fuel the group’s rise and expanding its reach across critical sectors, including healthcare.

🔍 See below for a breakdown of victim trends and top ransomware groups so far in 2025.

3️⃣ Healthcare Ransomware Surge: 22 New Attacks Identified in May

Between April 28 and May 30, Clearwater identified 22 new ransomware attacks targeting U.S. healthcare organizations, primarily impacting specialty provider groups, ASCs, physician practices, behavioral health, and assisted living facilities.

  • Qilin led the pack, with confirmed attacks on Clinpath Labs, The Holiday (SNF), New Season (rehab), Dermatologists of Birmingham, and LaTouche Pediatrics.

  • IncRansom continues to be a persistent threat, still ranking in the top 3 despite falling from the top spot.

  • SafePay, previously quiet, returned aggressively and is now tied with IncRansom as a top 3 threat actor in healthcare.

The continued rise in attacks—and the range of organizations affected—highlights just how aggressively ransomware operators are targeting healthcare.

🔍 See below for a breakdown of active groups and attack volumes this past month.

4️⃣ Kettering Health Ransomware Attack: Major Disruptions and Secondary Scams

On May 20, Kettering Health—a major Ohio-based system with 14 medical centers—was hit by a ransomware attack from Interlock, causing widespread disruption to care delivery and communications. Elective surgeries and cancer treatments were canceled, ambulances were diverted, and thousands of patients were left without access to basic services like prescription refills or provider communication.

Adding to the chaos, a secondary wave of social engineering followed. Scammers began calling patients pretending to be from Kettering, requesting credit card payments for rescheduled services—a tactic exploiting the very real confusion and stress of the attack.

On June 4, Interlock claimed responsibility by leaking over 700K records and 941GB of data. This is the same group previously behind the DaVita and Texas Tech University Health Sciences Center breaches—well known for using drive-by downloads and, more recently, a persistent malware variant called NodeSnake.

Interlock calls itself a “relentless collective” bent on exposing weak security and “enforcing accountability,” but the impact on patients is severe, and their tactics are escalating.

🔗 Replay of February Cyber Briefing

🔗 Kettering Health Ransomware Video News Report

🔍 See below for a breakdown of what happened and how Interlock’s methods are evolving.

5️⃣ SafePay: An Aggressive, Independent Threat Actor Gains Momentum

SafePay is quickly emerging as one of the most dangerous ransomware groups targeting healthcare. First observed in October 2024, the group has now been linked to over 200 attacks, primarily hitting organizations in the U.S. and Germany. In May, it became one of the most active ransomware groups globally, surpassing even Qilin in reported attacks.

Unlike many groups, SafePay claims it does not operate a ransomware-as-a-service model. Instead, it executes attacks directly using a custom-developed payload, and leverages:

  • Misconfigured firewalls and exposed credentials for initial access

  • Password spraying and lateral movement to gain control

  • RDP exploitation and Windows Defender bypass

  • Privilege escalation and targeted data exfiltration

  • Backup destruction to block recovery

  • Phone-based coercion—calling victims directly to pressure payment

SafePay’s hands-on, persistent approach and willingness to escalate through direct threats mark a shift in attacker behavior and one that warrants urgent attention.

🔍 See below for what makes this group so dangerous, and how they’re successfully bypassing traditional defenses.

6️⃣ Threat Actor Alert: Scattered Spider Evolves with AI-Powered Social Engineering

Scattered Spider is back in the headlines after crippling the UK retailer Marks & Spencer in April—a cyberattack still impacting operations weeks later. Believed to be a young, English-speaking group (ages 19–22), Scattered Spider isn’t a ransomware group itself, but has partnered with actors like DragonForce and has deployed ransomware in past campaigns.

Their specialty? Identity-based tactics, including:

  • Help desk scams to reset credentials and bypass MFA

  • SIM swapping, MFA fatigue attacks, and deepfake-enabled voice phishing

  • Targeting admins and privileged users using detailed AI-generated research

  • Cloud account takeover and data theft at scale

Their methods are highly personalized and culturally convincing, making them especially effective in English-speaking markets. The MGM and Caesars breaches in 2022 were early signs of their capabilities—now, they’re refining their approach with layered impersonation tactics and AI-driven reconnaissance.

🔗 Read the HC3 Threat Actor Profile on Scattered Spider (PDF)

🔍 See below for their latest targets and why MFA alone is no longer enough to stop them.

7️⃣ HHS OCR Update: New Director and Two Enforcement Actions

Paula M. Stannard has been appointed as the new Director of the HHS Office for Civil Rights. Stannard previously served in legal affairs roles under the Trump and George W. Bush administrations and steps into leadership at a time of continued HIPAA enforcement activity.

Since the last Cyber Briefing (May 1st), OCR has announced two new enforcement actions:

  • BayCare Health System (May 28): $75,000 settlement and 2-year corrective action plan following a malicious insider incident involving inappropriate access by a former non-clinical employee. The investigation began after a patient was contacted by someone with video and photo evidence of their medical records.

  • Comstar (May 30): $800,000 settlement and corrective action plan after a ransomware attack affected over 585,000 individuals. OCR cited Comstar’s failure to conduct an accurate and thorough risk analysis—marking the 13th enforcement action tied to ransomware and the 9th under OCR’s Risk Analysis Initiative.

OCR continues to focus on risk analysis, risk management plans, and system activity reviews as key areas of enforcement.

🔗 Link to OCR’s Final Guidance on Risk Analysis

🔗 Link to Differences Between HIPAA Security Evaluations and Risk Analysis - Clearwater

🔗 HHS Announces Paula M. Stannard as Director of the Office for Civil Rights | HHS.gov

🔍 See below for a summary of recent settlements and enforcement trends.

8️⃣ Class Action Lawsuits Increasing: A Growing Financial Risk in Healthcare

Data breach-related class action litigation is accelerating sharply, with 1,488 filings in 2024—more than double the 604 cases filed just two years prior in 2022. That’s a 1,265% increase over six years, and the trend shows no signs of slowing.

Plaintiffs are getting more sophisticated, courts are increasingly open to novel theories of harm, and settlements are often reached even without evidence of misuse—driving up costs and reputational risk.

Some notable recent settlements in healthcare:

  • MedStar – up to $3,000 per individual (184K individuals) (Dec. 2023)

  • Lehigh Valley Health Network – $65M (114K individuals) (Nov 2024)

  • Tampa General Hospital – $6.8M (2.1M individuals) (Jan 2025)

  • Professional Finance Company – $2.5M (1.9M individuals) (Jan 2025)

  • Solara Medical Supplies – $3M (114K individuals) (Jan. 2025)

  • St. Louis University and SSM Health Saint Louis University Hospital – $2M (93K individuals) (April 2025)

  • Rite Aid – $6.8M (2.2M individuals) (Mar. 2025)

  • Practices Resources – $1.5M (942K individuals) (May 2025)

These lawsuits add to the long list of breach consequences, alongside recovery costs, regulatory action, reputational harm, and more. On average, it takes 46 days for stock prices to recover following a breach.

Healthcare now ranks alongside financial services as one of the most targeted industries for privacy-related class actions, with average settlements ranging from $3M to $21M.

🔍 See below for trends, case examples, and why this is now one of the top breach-related costs to watch.

9️⃣ Final Recommendations: Staying Ahead of an Escalating Threat Landscape

This month’s Cyber Briefing reinforced a clear theme: attackers are exploiting misconfigurations, manipulating users, and moving quietly within networks. As these tactics evolve, so must our defenses. Steve Cagle concluded the session with actionable recommendations to help organizations stay ahead:

  • Continuously test your security posture, particularly firewall, RDP, and cloud configurations; don’t assume one-time hardening is enough.

  • Monitor for activity tied to remote access tools (RDP, RMM, PowerShell) and EDR evasion, especially tools used in Living off the Land attacks.

  • Educate your workforce on current social engineering tactics, including those powered by AI. Training must be current, ongoing, and actionable.

  • Require multi-person approval or in-person validation for account resets, especially for users with elevated privileges.

  • Tighten access control policies, review dormant accounts, and ensure vendor offboarding is thorough and auditable.

  • Deploy log and activity monitoring tools, and regularly review system activity—especially EHR access logs.

  • Implement recognized security practices (like NIST CSF or 405(d) HICP) and validate them through third-party assessments.

  • Conduct OCR-quality risk analysis—aligned to the 9 elements of OCR guidance and covering all systems with ePHI.
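The SafePay summary above lists password spraying followed by RDP abuse as an initial-access pattern, and the recommendations call for monitoring remote access activity. As an added illustration (not code from Clearwater or the briefing), the detector below runs over constructed Windows-style logon events (event IDs 4625/4624, logon type 10 for RDP are real Windows values; the line format, hosts, users and IPs are assumptions) and flags a source that fails against many distinct accounts in a short window, noting any RDP success that follows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields:
# <timestamp> <EventID> <TargetUserName> <IpAddress> <LogonType>
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = """\
2025-05-12T02:14:01 4625 alice 203.0.113.7 10
2025-05-12T02:14:03 4625 bob 203.0.113.7 10
2025-05-12T02:14:05 4625 carol 203.0.113.7 10
2025-05-12T02:14:07 4625 dave 203.0.113.7 10
2025-05-12T02:14:09 4625 erin 203.0.113.7 10
2025-05-12T02:14:11 4625 frank 203.0.113.7 10
2025-05-12T02:14:40 4624 frank 203.0.113.7 10
2025-05-12T09:00:00 4625 alice 198.51.100.4 2
2025-05-12T09:00:05 4625 alice 198.51.100.4 2
2025-05-12T09:01:00 4624 alice 198.51.100.4 2
"""

def parse_events(text):
    """Parse the constructed log format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, ip, logon_type = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "user": user, "ip": ip, "type": int(logon_type)})
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One alert per source IP whose failed logons hit >= min_accounts distinct
    accounts inside `window`; the alert also lists RDP successes from that IP
    at or after the spray began (a single user retrying a password is ignored)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_accounts:
                rdp_success = [e["user"] for e in evs if e["id"] == 4624
                               and e["type"] == 10 and e["ts"] >= first["ts"]]
                alerts.append({"ip": ip, "accounts": sorted(users),
                               "rdp_success": rdp_success})
                break  # one alert per source is enough for triage
    return alerts
```

In a real deployment the same logic would be fed from the Security event log or a SIEM, and a spray followed by an RDP success is the event worth paging on.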

Risk analysis remains the single most important action you can take. It’s not only a regulatory requirement—it’s your best line of defense.

🔍 See below for the full list of recommendations tailored to this month’s threats and enforcement trends.

The cybersecurity landscape is shifting fast and attackers are adapting just as quickly.

This month’s briefing revealed how misconfigured cloud environments, dormant accounts, and evolving social engineering tactics are opening new doors for threat actors. Meanwhile, class action lawsuits and OCR enforcement are raising the stakes.

🔹 Key takeaway? The risk isn’t just technical—it’s operational, financial, and legal. Organizations that prioritize continuous risk analysis, improve detection of stealthy intrusions, and harden identity access controls will be best positioned to respond.

If your team is facing these challenges, staying informed is the first step. Taking action is the next.

📩 Have questions? Contact us: https://clearwatersecurity.com/contact/
