
July 28 – August 3, 2025 Weekly Brief
1. A new zero-day sets the tone for the week
The biggest story was Microsoft's disclosure that two chained vulnerabilities in on-prem SharePoint Server are being mass-exploited. By mid-week more than 400 servers were already compromised, and Microsoft warned that a newly minted Warlock ransomware crew is using the access to stage double-extortion attacks. Sector analysts told Axios that unpatched healthcare systems are squarely in the blast radius because many rural and mid-size hospitals still self-host SharePoint for care-team collaboration and file transfer. Incident-response firms are urging immediate patching followed by rotation of the servers' ASP.NET machine keys: attackers are stealing those keys during the initial compromise, and a server that is patched but still running the stolen keys can be re-entered after the fact.
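One way to operationalize the patch-then-rotate advice above, as an added example that is not from the brief, from Microsoft, or from the incident-response firms it cites: a PowerShell snippet, run from the SharePoint Management Shell as a farm administrator on each server after the security update is installed, that records the farm build, triggers machine-key rotation for every web application, restarts IIS, and then fingerprints the `<machineKey>` each web.config now carries so the result can be compared across servers without logging the key itself. Assumptions: the documented `Update-SPMachineKey` cmdlet with its `-WebApplication` parameter performs the rotation, and the virtual-directory root is the default install path; confirm both against the vendor's current guidance for your build.

```powershell
# Added example (not vendor code): patch check + ASP.NET machine-key rotation
# for on-prem SharePoint Server. Run in the SharePoint Management Shell as a
# farm administrator on every server in the farm, after patching.
# Assumption: Update-SPMachineKey rotates the machine keys of one web app.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so the ticket shows what was actually running.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate keys for every web application, Central Administration included.
#    A stolen key is only neutralized once the new key is in place on every
#    server and IIS has reloaded it, so do all of them, not just the one
#    that was seen under attack.
$rotationStart = Get-Date
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS so worker processes drop the old keys from memory.
iisreset.exe

# 4. Post-check. SharePoint writes the rotated keys into each web app's
#    web.config, so a copy whose <machineKey> predates the rotation is stale.
#    Log a SHA-256 fingerprint of the validationKey rather than the key: the
#    fingerprint must match across servers in the farm and must differ from
#    the pre-incident value, and it is safe to paste into a ticket.
$vdirRoot = 'C:\inetpub\wwwroot\wss\VirtualDirectories'   # default path (assumption)
$sha = [System.Security.Cryptography.SHA256]::Create()
Get-ChildItem -Path $vdirRoot -Recurse -Filter web.config | ForEach-Object {
    $xml = [xml](Get-Content -LiteralPath $_.FullName -Raw)
    $mk  = $xml.configuration.'system.web'.machineKey
    if ($null -eq $mk) { return }   # no keys in this config, nothing to check
    $bytes = [Text.Encoding]::UTF8.GetBytes($mk.validationKey)
    $fp = ([BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '').Substring(0, 16)
    [pscustomobject]@{
        Path           = $_.FullName
        LastWrite      = $_.LastWriteTime
        Stale          = $_.LastWriteTime -lt $rotationStart
        KeyFingerprint = $fp
    }
} | Format-Table -AutoSize
```

Any row reporting `Stale = True` after the run means that server or web application did not pick up the new keys and must be investigated before it is declared clean; fingerprints that differ between servers of the same farm indicate the same thing. Rotation removes the attacker's ability to reuse stolen keys, but it does not remove web shells or other persistence already dropped, so it belongs alongside, not instead of, a forensic review of the affected servers.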
2. Threat-intel mirrors the hands-on activity
Friday's TLP:GREEN daily digest from Health-ISAC echoed what defenders are seeing: North Korean APTs abusing CI/CD pipelines, quadruple-extortion ransomware becoming "normal," and the first sightings of "LAMEHUG," malware that queries an LLM at runtime to generate the commands it runs, in wild phishing campaigns. The briefing specifically calls out small clinics that still run vulnerable Lenovo desktop BIOS versions and WordPress-based patient-portal microsites, both of which are being probed in the same campaigns.
3. Wave of breach disclosures hits just before month-end
The week opened with a cluster of breach notices dated July 28–29. Wood River Health in Rhode Island confirmed that a single compromised email account exposed multiple classes of PHI and even digital signatures, triggering state-level investigations. In Florida, Mid Florida Primary Care disclosed that an attacker loitered in its network for almost two weeks late last year; the clinic is now notifying patients and offering credit monitoring. Northwest Denture Center, Equilibria Mental Health and Forward’s National Databank for Rheumatic Diseases also reported incidents, underscoring how business-associate and specialty-practice breaches continue to dominate the OCR ledger. Collectively, July ended with 70 large breaches—11 above the 12-month average.
4. Patients finally see restitution in a marquee 2023 breach
On July 28, a federal judge granted preliminary approval of the HCA Healthcare class-action settlement. Current and former patients affected by the 2023 cyber-attack can claim up to $5,000 in out-of-pocket losses and one year of credit-monitoring; exclusion and objection deadlines fall on Aug 25, with final approval set for Oct 27. While rooted in a two-year-old incident, the filing kept breach-litigation risk on the radar for every legal and compliance team this week.
5. Enforcement actions remind vendors and providers that “cyber” is a regulatory issue, not just a risk issue
The Department of Justice and HHS-OIG announced a $9.8 million False Claims Act settlement with Illumina for selling genomic sequencers to federal agencies despite known cybersecurity vulnerabilities. Prosecutors called it the first cyber-quality FCA case in medical-device manufacturing, signaling that insecure technology can now be framed as delivering "non-conforming goods" to the government. Meanwhile, OCR finalized a $250,000 HIPAA settlement and two-year corrective-action plan with Syracuse ASC for a PYSA ransomware incident and, crucially, for waiting more than 60 days to notify patients. The message is that late notification draws financial penalties just as inadequate technical safeguards do.
6. Economics of a breach: IBM’s 2025 Cost of a Data Breach report lands
Released July 30, the newest edition pegs the average global breach at $4.44 million, down nine percent year-over-year, while the healthcare mean of $7.42 million is again the highest of any vertical, for the 14th straight year. IBM attributes the decline in overall costs to faster identification and containment driven by AI and automation in security operations, yet warns that "shadow AI" usage inside hospitals is creating new blind spots. Thirteen percent of surveyed organizations reported breaches involving their own AI models or applications, and 97 percent of those lacked proper access controls for them.
7. Supply-chain ripple effects keep CISOs awake
Although not a healthcare entity, the SafePay ransomware attack on global distributor Ingram Micro (3.5 TB exfiltrated) reverberated all week because Ingram supplies imaging gear, telehealth carts and SaaS subscriptions to more than 2,000 U.S. hospitals. The gang set an August 5 deadline to publish data, prompting provider legal teams to review indemnification language in their VAR contracts.
8. SonicWall 0-day adds another fire to fight
Threat hunters at Arctic Wolf reported a spike in Akira ransomware intrusions through SonicWall SSL VPN appliances, attributed to a suspected and as yet unpatched firewall zero-day. Several community hospitals were among the victims, with the attackers pivoting from the edge device into VMware vSphere hosts. Although most of the intrusions surfaced after July 31, the IOCs suggest scanning began earlier in the week, underscoring how quickly criminal crews weaponize fresh research.
9. What this means for the week ahead
Patch hygiene and third-party risk management were the through-lines: zero-days in core collaboration tools, edge firewalls, BIOS firmware and even medical sequencers all came to the fore. Regulators are signaling intolerance for delayed breach notification, and civil plaintiffs are showing they can extract sizable settlements two years post-incident. The IBM numbers reinforce why: with the healthcare mean roughly two-thirds higher than the cross-industry average, every unpatched server or firewall is a potential seven- to eight-figure line item. For security and compliance leads, the actionable take-aways are clear: accelerate patch cycles (especially SharePoint and SonicWall), rotate credentials and keys that a patched-but-previously-compromised system may have leaked, audit AI and CI/CD access, tighten supplier contracts, and rehearse breach-notification playbooks now, before enforcement and litigation do it for you.