
July 14 – 20, 2025 Weekly Recap
1. Largest new breach disclosure:
Episource (Optum) – 5.4 million people
On 14 July, Tom’s Guide broke the story that medical-billing provider Episource, recently acquired by UnitedHealth’s Optum, began formal notices to ~5.4 million patients after investigators confirmed attackers siphoned names, SSNs, dates of birth, contact details and insurance/clinical data during a 10-day intrusion (27 Jan – 6 Feb). The breach, second only to Yale New Haven Health by 2025 victim count, underscores that business associates remain a soft underbelly for PHI.
2. Mid-year trend data show ransomware still ascendant
BlackFog published its Q2 State of Ransomware report on 16 July: publicly disclosed incidents jumped 63 % YoY (276 vs 169), with healthcare the most-targeted vertical (52 attacks). Data exfiltration accompanied 95 % of cases, underscoring that extortion now matters as much as system lock-out.
Complementing that, Becker’s Hospital Review highlighted an Identity Theft Resource Center update: 283 healthcare breaches were reported to U.S. regulators in H1 2025—up 20 % from 2024—affecting 16.6 million individuals. Nearly 70 % of notices still omit the root cause, frustrating defenders’ ability to learn from peers.
3. State-level threat posture rises after Middle-East tensions
On 17 July, the New York State Department of Health issued an urgent advisory (Notification 114377) warning that Iranian-aligned actors could retaliate against U.S. critical-infrastructure following regional strikes. Hospitals, long-term-care facilities and dialysis centres were told to assume an “elevated risk posture,” rehearse OT/IT isolation, and verify backups; the DOH Surge Operations Center was put on 24 × 7 alert.
4. Medical-device risk surfaces: Panoramic Digital Imaging Software (ICSMA-25-198-01)
Also on 17 July, CISA released an ICS Medical Advisory for Panoramic Corporation’s dental-imaging software (v9.1.2.7600). A DLL-hijacking flaw (CVE-2024-22774, CVSS 8.5) lets a standard Windows user escalate to NT AUTHORITY\SYSTEM—risking audit-log erasure or radiology-workflow sabotage. No patch is available because the vulnerability resides in an end-of-life SDK; CISA urges strict network segmentation and vendor coordination.
5. One-year-on analysis of the CrowdStrike outage
University of California-San Diego researchers published a JAMA Network Open study (19 July) quantifying last July’s faulty CrowdStrike Falcon update. At least 759 of 2,232 U.S. hospitals (34 %) experienced measurable digital-service disruption; 22 % of impacts involved direct patient-care systems (EHR, fetal monitoring, imaging). The authors call for diversified endpoint agents, real-time availability telemetry and “contingency SLAs” in EDR contracts.
6. Smaller-scale incidents and signals
- 18 July – Susan B. Allen Memorial Hospital (Kansas) confirmed investigation of a suspected ransomware attack after a weekend-long outage; the Everest group later listed the hospital on its leak site (victim count pending).
- 17 July – ICSMA-25-198-01 (above) followed a similar high-severity imaging-software advisory for Panoramic; on 18 July CISA teased additional IoMT advisories scheduled for the week ahead, suggesting a cadence of weekly disclosures aimed at healthcare OEMs.
- Throughout the week, ransomware blogs added at least seven U.S. healthcare organizations—including two rural hospitals and an orthopedic practice—indicating attackers’ continued focus on entities with limited incident-response capacity.