Cybercrime Ethos: The Shifting Sands of Medical Neutrality

February 12, 2026

By: Josh Bartolomie, Chief Security Officer, Cofense

Introduction: A Paradigm Shift in Threat Actor Behavior

I have always told myself that I never want to become a stereotypical "stuck in time" security graybeard, the infosec equivalent of "back in my day, we walked to school uphill, both ways, in the snow!" My fear is not of being nostalgic, but that I would become unknowingly rigid in my viewpoints and fail to adapt to the ever-changing threat landscape. After closing out the whirlwind of the last few years, I decided to reflect on the trends and patterns I have observed in my 25+ years within the cybersecurity realm. What I found was deeply unsettling.

For as long as I can remember, threat actors appeared to hold themselves to an overall creed, an "honor among thieves" type of ethos. In real-world combat, those involved generally abide by medical neutrality and do not target hospitals or medical personnel in ways that would impact their ability to save lives. In the cyber realm, while healthcare has always been a target, historically when threat actors went after hospitals, clinics, and insurers, it was primarily for information collection rather than actions that could cause immediate operational impact and threaten patient lives.

That implicit demarcation line has shattered. The evidence is now overwhelming: threat actors have abandoned medical neutrality and are targeting not just hospitals but the entire healthcare ecosystem, from small physician practices to the insurance carriers and claims processors that enable care delivery. In 2024, healthcare cyberattacks affected more than 276 million individuals, more than double the prior year.[1] More alarmingly, 28% of healthcare organizations now report increased patient mortality rates following cyberattacks, a staggering 21% increase over 2023.[2]

Phishing: The Gateway to Catastrophe

At the heart of nearly every major healthcare breach lies a deceptively simple attack vector: phishing. Whether the ultimate payload is ransomware, credential theft, or data exfiltration, the initial foothold almost always begins with a carefully crafted email designed to trick a human being into making a mistake. The numbers are staggering: in 2024, 88% of healthcare workers opened phishing emails, and more than 90% of all cyberattacks against healthcare industries are phishing scams.[3]

Healthcare remains uniquely vulnerable for several reasons. Medical records fetch up to 50 times more than financial information on the black market. The time-sensitive nature of healthcare operations pressures staff into making quick decisions. Complex vendor ecosystems provide countless impersonation opportunities. And IT security has been historically underfunded. The American Hospital Association's 2025 Cybersecurity Year in Review revealed a critical insight: over 80% of stolen protected health information records were not stolen from hospitals; they were stolen from third-party vendors, software services, and business associates.[4]

The financial toll reflects this impact. IBM's 2024 Cost of a Data Breach Report found that phishing-related breaches cost an average of $9.77 million per incident in healthcare, making it the most financially impacted industry for the 14th consecutive year.[5]

The AI Arms Race

The phishing landscape has transformed dramatically with artificial intelligence. Security experts have documented a 1,265% surge in malicious phishing emails since Q4 2022, coinciding with the public release of advanced language models.[6] No longer are threat actors sending clumsy emails with multiple typos in the first sentence. Now they are using AI to craft hyper-personalized messages that reference real projects, mimic executive communication styles, and exploit trust relationships with perfect grammar and contextual awareness. The KnowBe4 2025 Phishing Threat Trends Report found that 82.6% of phishing emails now contain AI-generated content.[7]

Consider this: IBM security researchers found that AI needs only 5 prompts and 5 minutes to build a phishing attack as effective as one that would take human experts 16 hours.[8] What took people many hours can now be done in seconds.

Perhaps most alarmingly, voice cloning technology can now replicate executive voices using as little as 3 seconds of audio from earnings calls, podcasts, or conference presentations. In early 2024, a multinational firm lost $25 million when a finance worker attended what appeared to be a legitimate video conference with the company's CFO and senior leadership; every face on screen was an AI-generated deepfake.[9] Healthcare organizations face the same exposure: executive voices from conference presentations and webinars provide ample training data for attackers.

When the Ecosystem Fails: Change Healthcare

The consequences of successful phishing attacks have evolved dramatically. What once resulted primarily in data theft has expanded over the years to include ransomware deployment, operational disruption, and extortion. Today, attackers understand that healthcare organizations face unique pressures: an inability to simply "shut down" while systems are being restored, multiple regulatory obligations, and most critically, the knowledge that delays in healthcare can, and have, cost lives. These pressures make healthcare organizations more likely to pay ransoms and more vulnerable to rushed decision-making.

The February 2024 attack on Change Healthcare became the most significant cyberattack on the U.S. healthcare system in history, according to the American Hospital Association. Perpetrated by the Russian-speaking ransomware group BlackCat/ALPHV, the breach affected 190 million individuals, approximately 3 in 4 Americans.[10] As the predominant processor of healthcare transactions that handles over 15 billion transactions annually and on average interacts with 1 in 3 patient records, Change Healthcare's incapacitation had immediate and devastating effects nationwide.

The disruption extended far beyond billing. Oncology practices reported they could not obtain prior authorization for cancer treatments, which forced them to either administer chemotherapy "flying blind" with no guarantee of payment, or delay potentially life-saving treatment. "If patients can't get their treatment, not just cancer patients, any patients can't take vital drugs... absolutely, positively, I'm sure it's already put some people at risk," stated the Community Oncology Alliance.[11] An AHA survey found 94% of hospitals experienced financial impact, while the American Medical Association reported 80% of practices experienced revenue impact. UnitedHealth Group paid a $22 million ransom, one of the largest payouts in history.[12]

Just three months later, Ascension Health, one of the largest non-profit healthcare systems with 140 hospitals across 19 states, was compromised by a single phishing email. One employee inadvertently downloaded a malicious file, and the Black Basta ransomware group was in. Hospitals diverted ambulances, delayed surgeries, and reverted to manual documentation for over a month.[13] A neonatal ICU nurse reported: "Medications are taking longer to get to patients, lab results are taking longer to get back... if there's a delay in access to the labs, there's a delay in access to the care that they order."[14] The attack compromised 5.6 million patient records and contributed to a $1.8 billion operating loss.[15]

When Cyberattacks Kill

The erosion of medical neutrality is not theoretical or hyperbole; it has resulted in documented patient deaths. The 2024 Ponemon Institute study found that 28% of organizations reported increased patient mortality rates following cyberattacks, with 56% reporting poor patient outcomes due to delays and 53% seeing increased medical procedure complications.[16]

Academic research now quantifies what practitioners long suspected. Studies from the University of Minnesota School of Public Health found that hospital patients face a 35-41% increased mortality risk during active cyberattacks, with patient volumes dropping 17-26% in the first week as facilities struggle to provide care with compromised systems.

Beyond patient harm, phishing-initiated cyberattacks have driven healthcare organizations out of business entirely. In 2024, 389 U.S. healthcare institutions experienced shutdowns or delays in medical procedures due to cyberattacks.[17] St. Margaret's Health in Spring Valley, Illinois, became the first U.S. hospital to publicly attribute its permanent closure to a cyberattack. The 2021 attack halted the hospital's ability to submit claims for months. "We were down a minimum of 14 weeks. Nothing went out. No claims. Nothing got entered," recalled a hospital executive.[18] The closure left residents traveling approximately 30 minutes for emergency and obstetrics services.

History Repeats, But the Stakes Keep Rising

I subscribe to the adage that history repeats itself, and this concept absolutely applies to cybersecurity. Technology, players, and mechanisms may have changed, but under all the glitz and glamor, it is the same themes replaying over and over again. The difference is the scale of potential devastation that continues to grow.

The Anthem breach in 2015 started with a phishing email and compromised 78.8 million records, the largest healthcare breach in U.S. history at that time. A decade later, the Change Healthcare attack started with compromised credentials and affected 190 million individuals, shattering that record and impacting 3 in 4 Americans. Despite a decade of lessons learned, industry conferences, regulatory guidance, and countless breach notifications, the threat has grown 2.4 times larger in just 10 years.[19]

A significant observation that I have had is that the ransom economics have shifted just as dramatically. The average ransom payment nearly doubled from approximately $812,000 in 2022 to over $1.5 million in 2023.[20] Some ransomware groups have begun directly contacting patients, threatening to release intimate images from plastic surgery centers unless patients pay $50 each to have their data deleted.[21]

The threat has risen to such prominence that in November 2024, the World Health Organization (WHO) Director-General Tedros Adhanom Ghebreyesus addressed the UN Security Council on healthcare cyberattacks, declaring: "Let's be clear, ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death."[22]

The Imperative for Action

I would wager that we will continue to see a stark increase in cyberattacks that have immediate repercussions and put patient health and lives at risk. While there will always be threat actors guided by their own moral compass, what I like to call a "Robin Hood Complex", history tells us they will become the few versus the majority. The emergence of cybercrime-as-a-service platforms, the professionalization of criminal operations, and the use of artificial intelligence have lowered the barriers to entry while exponentially increasing attack sophistication.

The statistics are unambiguous: phishing remains the primary attack vector for healthcare breaches. Every employee who clicks on a malicious link can potentially trigger a cascade that endangers patient lives. Yet only 14% of healthcare organizations report fully staffed IT security teams, and 41% believe their organizations allocate insufficient financial resources for effective cybersecurity.[23] We cannot continue to spend pennies on defense while facing adversaries willing to hold patient lives hostage for millions.

Conclusion: The End of an Implicit Agreement

The diminished regard for the sanctity of life, and the abandonment of the historic red lines that most threat actors observed until recent years, are deeply disconcerting. The evidence is now incontrovertible: profit by any means has become commonplace among cyber criminals. The implicit agreement that healthcare infrastructure would be treated differently, that even criminals would observe some form of medical neutrality, has collapsed entirely.

When a single phishing email at an insurance claims processor can delay cancer treatments for millions of patients, when a two-doctor practice in Michigan can lose everything overnight, when a rural hospital can be driven to permanent closure, we have entered a new and more dangerous era of cybercrime. The attackers no longer distinguish between hospitals, clinics, insurers, or any other healthcare entity. They see only targets and paydays.

We have the skill, technology, and knowledge of what needs to be done to protect ourselves. But it is up to us to ensure we take an honest look at necessary preventive requirements and invest appropriately, as if our lives depend on it. Because as this trend continues, they just might.

References

[1] Definitive Healthcare/HHS Breach Portal, 2025. 276+ million individuals affected by healthcare cyberattacks in 2024.

[2] Ponemon Institute/Proofpoint, "2024 Study on Cyber Insecurity in Healthcare," October 2024.

[3] Varonis, "38 Must-Know Healthcare Cybersecurity Stats," April 2025.

[4] American Hospital Association, "2025 Cybersecurity Year in Review, Part One," October 2025.

[5] IBM, "Cost of a Data Breach Report 2024." Healthcare sector highest cost for 14th consecutive year.

[6] SlashNext, "State of Phishing Report 2023," October 2023.

[7] KnowBe4, "2025 Phishing Threat Trends Report," February 2025.

[8] IBM X-Force, "AI vs. Human Deceit: Unravelling the New Age of Phishing Tactics," 2023.

[9] Multiple sources including CNN and Arup engineering firm disclosure, February 2024.

[10] HHS Office for Civil Rights; American Hospital Association, Change Healthcare breach reporting, 2024.

[11] Community Oncology Alliance/Chief Healthcare Executive, March 2024.

[12] AHA and AMA surveys, March-April 2024; GovInfoSecurity on $22M ransom payment.

[13] Healthcare IT News/BlackFog, "Ascension Ransomware Attack," 2024-2025.

[14] NPR, "How the Ascension cyberattack is disrupting care at hospitals," May 23, 2024.

[15] HIPAA Journal, "Ascension Ransomware Attack Affects 5.6 Million Patients," December 2024.

[16] Ponemon Institute, "2024 Study on Cyber Insecurity in Healthcare."

[17] Microsoft/Dialog Health, "120+ Latest Healthcare Cybersecurity Statistics for 2025," 2024.

[18] NBC News, "An Illinois hospital links closure to ransomware attack," June 2023.

[19] HHS Office for Civil Rights, Anthem breach (2015: 78.8M) vs Change Healthcare (2024: 190M) comparison.

[20] Sophos, "State of Ransomware 2023," May 2023.

[21] Emsisoft reporting on aggressive ransomware tactics, including direct patient extortion.

[22] UN Security Council Meeting, November 2024. WHO Director-General testimony.

[23] Varonis, "38 Must-Know Healthcare Cybersecurity Stats