September 13–19, 2025 Week in Review
The third week of September brought a mix of enforcement, litigation, and high-impact phishing news for healthcare defenders, alongside several sizable breach notifications. Here are the developments security leaders should know—and how to act on them.
Microsoft and partners disrupt major PhaaS hitting healthcare
Microsoft’s Digital Crimes Unit, with Cloudflare and Health-ISAC as co-plaintiffs, seized 338 domains tied to the RaccoonO365 (aka Storm-2246) phishing-as-a-service operation. Microsoft says the service helped steal 5,000+ Microsoft 365 credentials across 94 countries since July 2024 and explicitly named U.S. healthcare orgs among the victims. A Southern District of New York order authorized the takedown; investigators also identified a suspected operator in Nigeria. For defenders, this both reduces near-term noise and signals a law-enforcement focus on PhaaS ecosystems that bypass MFA via session cookie theft.
In parallel, Okta Threat Intelligence detailed VoidProxy, a newer PhaaS framework targeting Microsoft 365 and Google accounts with adversary-in-the-middle (AiTM) techniques to intercept MFA and session tokens—tools we’re already seeing used for BEC and downstream data exfiltration. Expect copycats to fill the vacuum left by the RaccoonO365 takedown.
Significant breach notifications & litigation
- Goshen Medical Center (NC) started notifying 456,385 people after confirming in September that files accessed in February 2025 contained identifiers including SSNs and driver’s license numbers. Survival Flight, an EMS provider, also confirmed patient data exposure from a July attack that the Worldleaks group claimed.
- New York Blood Center Enterprises (NYBCe) disclosed that an unauthorized party accessed its network Jan 20–26, 2025 and exfiltrated copies of files. Public notices and AG filings indicate ~193,822–194,000 people were notified; exposed data can include SSNs, state ID numbers, limited medical information, and bank details for direct-deposit participants.
- Retina Group of Florida reported that ~153,000 patients were potentially affected by a November 2024 intrusion disclosed this week.
- Jefferson Healthcare (WA) agreed to settle a Meta Pixel tracker class action, including a commitment not to use Meta Pixel on its website for at least two years absent explicit disclosure and compliance determinations.
- Columbia University Health Care (NY) obtained preliminary approval for a $600,000 settlement tied to a 2023–2024 platform compromise affecting 29,629 patients, offering two years of identity and medical-fraud monitoring.
Policy watch: information-sharing law in flux
On Capitol Hill, a failed stopgap funding bill left reauthorization of the Cybersecurity Information Sharing Act (2015) in jeopardy as September closes. The House advanced an update retaining liability protections; a Senate draft with added speech-related provisions stalled. The outcome matters to every hospital that relies on legal safe harbors to share indicators and receive early warning.
Patch & vulnerability radar relevant to health orgs
- CISA’s weekly Vulnerability Summary (SB25-258), published Sept 15, lists the CVEs recorded the previous week grouped by CVSS severity. Treat it as a discovery feed rather than a priority list: use it to find products in your inventory with new CVEs, then let KEV membership and internet exposure decide the order of work.
- CISA added further entries to the Known Exploited Vulnerabilities catalog earlier in the month (e.g., WhatsApp and TP-Link flaws, and on Sept 11 a DELMIA Apriso deserialization flaw). KEV due dates are binding only on federal civilian agencies under BOD 22-01, but they are the benchmark most hospital programs borrow; if your SLAs are KEV-aligned, make sure the new due dates are reflected, and record a compensating control for anything clinical constraints keep you from patching in time.
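The KEV cross-check the bulletin items and the "KEV-first patching" advice below call for is easy to automate. The following is an added example, not CISA tooling: it reads a feed laid out with the field names CISA's KEV JSON uses (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`), joins it to a scanner-style inventory of open CVEs per host, and assigns each match an SLA status, keeping documented exceptions with their interim mitigation visible instead of silently dropping them. Both the feed entries (placeholder CVE IDs, not real vulnerabilities) and the inventory are constructed for the example; in production you would load the real KEV JSON and your own scanner or CMDB export.

```python
"""KEV-driven patch triage over a constructed asset inventory (added example)."""
import json
from datetime import date

# Constructed KEV-style feed. The field names mirror CISA's KEV JSON; the
# CVE IDs below are placeholders, not real vulnerabilities.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Example MES",
         "dateAdded": "2025-09-11", "dueDate": "2025-10-02",
         "requiredAction": "Apply vendor update", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Example Router",
         "dateAdded": "2025-09-02", "dueDate": "2025-09-23",
         "requiredAction": "Apply vendor update", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Example Agent",
         "dateAdded": "2025-08-20", "dueDate": "2025-09-10",
         "requiredAction": "Apply vendor update", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory in the shape of a scanner/CMDB export: open CVEs per
# host, plus any approved patch exception with its compensating control.
INVENTORY = [
    {"host": "pacs-gw01", "owner": "Radiology", "open_cves": ["CVE-0000-00001", "CVE-0000-99999"],
     "exception": None},
    {"host": "edge-rtr03", "owner": "Network", "open_cves": ["CVE-0000-00002"],
     "exception": {"reason": "Firmware update needs a clinical downtime window",
                   "mitigation": "Management interface restricted to jump-host ACL",
                   "review_by": "2025-10-15"}},
    {"host": "lab-ws07", "owner": "Lab", "open_cves": ["CVE-0000-00003"], "exception": None},
    {"host": "hr-app02", "owner": "HR", "open_cves": [], "exception": None},
]


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev, today: date, warn_days: int = 14) -> list:
    """One finding per (host, KEV CVE), worst first.

    Status rules:
      overdue   - past dueDate and no documented exception
      excepted  - a compensating control is recorded (still reported, never hidden)
      due_soon  - dueDate within warn_days
      scheduled - in KEV, dueDate further out
    Entries CISA marks as used in ransomware campaigns are flagged for pull-forward.
    """
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: left to the normal CVSS-based cycle
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            if asset["exception"]:
                status = "excepted"
            elif days_left < 0:
                status = "overdue"
            elif days_left <= warn_days:
                status = "due_soon"
            else:
                status = "scheduled"
            findings.append({
                "host": asset["host"], "owner": asset["owner"], "cve": cve,
                "product": entry["product"], "due": entry["dueDate"], "days_left": days_left,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "status": status,
                "mitigation": (asset["exception"] or {}).get("mitigation"),
            })
    order = {"overdue": 0, "due_soon": 1, "excepted": 2, "scheduled": 3}
    findings.sort(key=lambda f: (order[f["status"]], not f["ransomware"], f["days_left"]))
    return findings


def triage_report(today_iso: str) -> list:
    """Convenience wrapper: run triage for a given date against the sample data."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in triage_report("2025-09-19"):
        flag = " [ransomware]" if f["ransomware"] else ""
        line = f"{f['status']:9} {f['host']:10} {f['cve']} due {f['due']} ({f['days_left']:+d}d){flag}"
        if f["mitigation"]:
            line += f"  mitigation: {f['mitigation']}"
        print(line)
```

Run as-is it reports `lab-ws07` as overdue, `pacs-gw01` as due soon, and `edge-rtr03` as excepted with its mitigation shown; a CVE the scanner reports that is not in KEV (`CVE-0000-99999` here) is deliberately left to the regular cycle. Keeping exceptions in the report, rather than filtering them out, is what makes "document exceptions with interim mitigations" auditable.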
What this means for CISOs & security leaders
- Expect PhaaS churn, not collapse. The RaccoonO365 takedown raises attacker costs, but history shows rapid reconstitution. Prepare users for AiTM phish that capture the session cookie: because the proxy relays the entire login, any factor the user can type or approve (OTP, SMS code, push prompt, number match) is captured along with it, so only phishing-resistant authentication actually closes the gap. Prioritize FIDO2/WebAuthn for email and EHR/administrative identities, and turn on continuous access evaluation and token protection (token binding) where your identity provider supports them.
- Tighten identity resilience around O365/Google. Monitor for impossible travel, atypical OAuth grants, and "risky sign-ins." Block legacy auth and require device trust for privileged roles. After a confirmed phish, remember that a password reset alone does not invalidate a stolen session cookie or refresh token: revoke the user's sessions and refresh tokens, review and remove any OAuth consents granted in the window, then rotate high-value secrets. (Microsoft's DCU notes health orgs are frequent targets.)
- Re-validate web trackers & pixels. The Jefferson Healthcare settlement reinforces that third-party pixels can create unauthorized disclosure risk under HIPAA and state privacy laws. Inventory, remove, or place behind consent walls; update privacy notices and BAAs accordingly.
- Strengthen breach-readiness around PII/financial data. NYBCe’s notice shows how payroll/banking data coupled with PHI complicates response. Validate your data-mapping, DLP on exfil paths, and rapid notification playbooks—especially when you lack complete contact details for all patients.
- Keep KEV-first patching discipline. Use CISA’s weekly bulletin and KEV updates to drive risk-based SLAs; track compensating controls where clinical risk prevents immediate patching.
Quick wins for the week ahead
- Finish rolling out number matching to any straggler user populations as the floor (it stops push-fatigue approvals, though not AiTM, which simply relays the number), move admins to phishing-resistant MFA, and disable SMS codes for admins.
- Add detections for AiTM indicators: a session cookie or refresh token used from a different IP or user-agent than the sign-in that issued it, impossible travel between consecutive sign-ins, and OAuth consent grants (especially for mail or offline_access scopes) from locations the user has never signed in from.
- Snapshot and review website tag managers; remove non-essential tracking on any page touching PHI or appointment data.
- Cross-check your asset/patch pipelines against CISA SB25-258 and current KEV entries; document exceptions with interim mitigations.
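The identity monitoring and AiTM-indicator items above (the "tighten identity resilience" point and the detection quick win) come down to three rules over sign-in and audit events. The block below is an added example, not vendor detection content, showing those rules over a constructed, geo-enriched event stream: session cookie replay from a new IP/user-agent, impossible travel between sign-ins, and an OAuth consent granted from a country outside the user's baseline, with the consent escalated when it asks for mail or `offline_access` scopes. The event schema, the sample users and IPs, and the per-user country baseline are all assumptions for the example; in Microsoft 365 the raw sources would be the Entra ID sign-in and audit logs, and the baseline would come from the user's own history.

```python
"""AiTM-phish detections over constructed sign-in/audit events (added example)."""
import json
import math
from datetime import datetime

# Constructed sample: one user's morning. Session S1 is obtained legitimately,
# then reused seven minutes later from a different IP and browser (the proxy
# replaying the stolen cookie); a fresh sign-in then appears from the
# Netherlands 29 minutes after a US sign-in; a consent for a mail app follows.
SAMPLE_EVENTS = """\
{"ts":"2025-09-16T08:02:11Z","type":"signin","user":"nurse.a@example-health.org","ip":"203.0.113.10","ua":"Edge/128 Windows","session":"S1","lat":35.78,"lon":-78.64,"country":"US"}
{"ts":"2025-09-16T08:02:40Z","type":"activity","user":"nurse.a@example-health.org","ip":"203.0.113.10","ua":"Edge/128 Windows","session":"S1"}
{"ts":"2025-09-16T08:09:05Z","type":"activity","user":"nurse.a@example-health.org","ip":"198.51.100.77","ua":"Chrome/129 Linux","session":"S1"}
{"ts":"2025-09-16T08:31:00Z","type":"signin","user":"nurse.a@example-health.org","ip":"198.51.100.77","ua":"Chrome/129 Linux","session":"S2","lat":52.37,"lon":4.90,"country":"NL"}
{"ts":"2025-09-16T08:33:20Z","type":"consent","user":"nurse.a@example-health.org","ip":"198.51.100.77","ua":"Chrome/129 Linux","app":"Mail Sync Helper","scopes":"Mail.ReadWrite offline_access","country":"NL"}
{"ts":"2025-09-16T12:00:00Z","type":"signin","user":"dr.b@example-health.org","ip":"203.0.113.22","ua":"Safari/17 macOS","session":"S3","lat":35.78,"lon":-78.64,"country":"US"}
"""

# Assumed baseline of countries each user has signed in from over the prior
# 30 days; in practice derived from history, here fixed for the example.
BASELINE_COUNTRIES = {"nurse.a@example-health.org": {"US"}, "dr.b@example-health.org": {"US"}}
# Graph scopes that grant persistent mailbox access: an attacker's usual ask.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "offline_access"}


def parse(lines: str) -> list:
    """Parse JSON-lines events and sort by timestamp."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["t"])


def km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))


def detect_cookie_replay(events, window_min=30) -> list:
    """Same session token seen from a different IP or user-agent shortly after
    it was issued: the signature of a cookie captured by an AiTM proxy."""
    alerts, first_seen = [], {}
    for e in events:
        sid = e.get("session")
        if not sid:
            continue
        if sid not in first_seen:
            first_seen[sid] = (e["ip"], e["ua"], e["t"])
            continue
        ip, ua, t0 = first_seen[sid]
        if (e["ip"], e["ua"]) != (ip, ua) and (e["t"] - t0).total_seconds() <= window_min * 60:
            alerts.append(("cookie_replay", e["user"], "high", f"{sid}: {ip} {ua} -> {e['ip']} {e['ua']}"))
    return alerts


def detect_impossible_travel(events, max_kmh=900) -> list:
    """Consecutive sign-ins by one user whose implied speed exceeds an airliner."""
    alerts, last = [], {}
    for e in events:
        if e["type"] != "signin":
            continue
        prev = last.get(e["user"])
        if prev:
            hours = (e["t"] - prev["t"]).total_seconds() / 3600
            dist = km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and dist / hours > max_kmh:
                alerts.append(("impossible_travel", e["user"], "medium",
                               f"{prev['country']}->{e['country']} {dist:.0f} km in {hours * 60:.0f} min"))
        last[e["user"]] = e
    return alerts


def detect_unusual_consent(events, baseline) -> list:
    """OAuth consent from outside the user's country baseline; severity rises
    when the grant includes persistent mailbox scopes."""
    alerts = []
    for e in events:
        if e["type"] == "consent" and e["country"] not in baseline.get(e["user"], set()):
            scopes = set(e["scopes"].split())
            sev = "high" if scopes & RISKY_SCOPES else "medium"
            alerts.append(("unusual_consent", e["user"], sev, f"{e['app']} [{e['scopes']}] from {e['country']}"))
    return alerts


def run_detections(raw: str = SAMPLE_EVENTS) -> list:
    """Run all three rules over a JSON-lines event stream and return the alerts."""
    ev = parse(raw)
    return detect_cookie_replay(ev) + detect_impossible_travel(ev) + detect_unusual_consent(ev, BASELINE_COUNTRIES)


if __name__ == "__main__":
    for kind, user, sev, detail in run_detections():
        print(f"{sev:6} {kind:18} {user}  {detail}")
```

On the sample, all three rules fire for `nurse.a` and none for `dr.b`. The cookie-replay rule is the one worth tuning first: legitimate IP changes (mobile to Wi-Fi) are common, a simultaneous user-agent change far less so, and the tighter the window after issuance the higher the signal. The response that follows any of these alerts is the one described above: revoke sessions and refresh tokens, remove the consent, then reset the password.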