September 20–26, 2025: Healthcare Cybersecurity - What Mattered This Week
It was a week that mixed fresh breach disclosures with hard-edged guidance from federal cyber authorities—and a reminder from the courts that operational failures in security can echo for years. Below are the developments healthcare CISOs and operators should have on their radar.
Two big U.S. provider disclosures
Goshen Medical Center (NC) begins notifying 456,385 people. On September 20, Goshen Medical Center confirmed notifications tied to a February intrusion later claimed by the BianLian ransomware group. Reported impacts include names, addresses, dates of birth, SSNs, driver’s license numbers and medical record numbers. Local media and trade outlets corroborated the notice this week as letters went out to patients across eastern North Carolina.
Archer Health exposes ~145k records via an open database. Researcher Jeremiah Fowler reported a 23GB, unencrypted, password-free trove of PDFs and images tied to Archer Health (home health & palliative care), containing PHI and identifiers such as diagnoses, plans of care and SSNs. The bucket was secured after disclosure, but the incident underscores how simple misconfigurations still translate into large-scale PHI exposure. Multiple outlets validated the scope this week.
Federal orders & exploit activity that touch hospital networks
CISA’s emergency directive on Cisco firewalls. On September 25, CISA ordered U.S. civilian agencies to immediately audit and remediate Cisco ASA/Firepower devices after active exploitation of two new Cisco flaws by sophisticated adversaries. While aimed at federal networks, the directive is a clear signal to health systems using the same platforms: inventory externally exposed devices, apply Cisco’s mitigations, and review for compromise.
Ivanti EPMM (MobileIron) exploitation persists. CISA’s Malware Analysis Report (Sept 18) detailed two malware sets used in the wild to drop “malicious listeners” on Ivanti EPMM servers by chaining CVE-2025-4427 (auth bypass) and CVE-2025-4428 (RCE). Many health orgs still run legacy MDM on-prem; if EPMM remains in your stack, confirm you’re on patched builds and hunt for the indicators of compromise in the report.
Litigation & regulatory signals
Ascension breach class action moves forward—partly. A federal judge allowed negligence and some consumer-protection claims to proceed against Ascension stemming from its May 2024 ransomware incident (5.4M affected), while dismissing others (e.g., contract claims). Translation: plaintiffs can probe whether “reasonable” safeguards were in place—fuel for discovery and a warning to peers about documentation and control maturity.
New York hospital cyber rules—enforcement bite. Industry coverage this week highlighted that New York’s 2024 hospital cybersecurity regulation is entering an enforcement phase. For multi-state systems, harmonize NY’s requirements (incident reporting timelines, program elements) with HIPAA Security Rule controls to avoid duplicative work and surprise audits.
Macro context: breach pressure stays high
HIPAA Journal’s continuously updated dashboard (refreshed Sept 20) shows 2025 continuing to be dominated by hacking, with business associates and supply chain risk inflating the scale of incidents—an apt backdrop for this week’s mix of misconfigurations and third-party device exploits.
What to do now (practical moves for the next 7–14 days)
- Harden the edge: If you operate Cisco ASA/Firepower, follow the emergency-directive playbook—enumerate internet-facing devices, validate software versions, apply Cisco guidance, and review logs & configs for tampering. Prioritize legacy or end-of-support hardware.
- MDM threat-hunt: For Ivanti EPMM, verify you are on the patched builds Ivanti shipped in May or later and hunt for CISA's malicious-listener IOCs/YARA/SIGMA. Treat MDM as a high-value asset: restrict admin access, keep TLS configuration and certificate handling tidy, and fence the servers with tight network ACLs.
- Cloud storage sanity check: Run an immediate sweep for publicly exposed object storage (S3/Azure Blob/GCS) across your tenants and vendors. Turn on the account- and bucket-level public-access blocks, enforce bucket policies that name specific principals rather than "*", and alert on anonymous access. Encrypt at rest by default as well, but do not mistake it for access control: server-side encryption does nothing for a bucket that hands objects to anonymous callers, which is exactly the Archer pattern. "No auth" equals "public breach."
- Regulatory mapping: If you have New York facilities, map the state’s hospital cybersecurity rule into your enterprise control framework and incident response SLAs; confirm your 72-hour state reporting workflow dovetails with HIPAA/OCR timelines.
- Discovery discipline: In light of the Ascension ruling, validate that risk assessments, control inventories, and vendor due-diligence artifacts are current and demonstrable. Assume plaintiffs (and regulators) will request them after an event.
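The storage sweep above is easy to describe and easy to get subtly wrong, so here is an added example of the evaluation logic (written for this digest; it is not code from the page, from AWS, or from any vendor). It takes a bucket's ACL grants, bucket policy and Block Public Access settings in the shapes boto3 returns and decides whether anonymous reads work right now, are merely masked by Block Public Access, or need a human look because a Condition narrows an otherwise-public statement. All inputs are constructed inline (the bucket names, account ID and role are hypothetical) so it runs with no AWS credentials; wiring it to `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` is left to the reader.

```python
"""Offline check of S3 bucket ACL, policy and Block Public Access for anonymous reads.

Added example for this digest, not vendor code. Inputs mirror boto3 return shapes
but are constructed below; bucket names, account ID and role name are hypothetical.
"""
import fnmatch

# AWS-defined group grantee URIs that make an ACL public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    # "*" or {"AWS": "*"} means everyone, including unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions):
    # Wildcards such as "s3:*" or "s3:Get*" also cover object reads and listing.
    for pattern in _as_list(actions):
        for action in ("s3:getobject", "s3:listbucket"):
            if fnmatch.fnmatchcase(action, pattern.lower()):
                return True
    return False


def assess_bucket(name, policy, acl_grants, public_access_block):
    """Return {"bucket", "exposed", "findings"}.

    severity "exposed": anonymous reads work today.
    severity "latent":  a public grant exists but Block Public Access masks it;
                        one flipped setting re-opens the bucket.
    severity "review":  Principal "*" is narrowed by a Condition (e.g. aws:SourceVpce).
    """
    pab = {k: bool(public_access_block.get(k, False)) for k in PAB_KEYS}
    findings = []

    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES and grant.get("Permission") in READ_PERMISSIONS:
            sev = "latent" if pab["IgnorePublicAcls"] else "exposed"
            findings.append({"source": "acl", "severity": sev,
                             "detail": f"{grant['Permission']} granted to {PUBLIC_GRANTEES[uri]}"})

    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            sev = "review"
        elif pab["RestrictPublicBuckets"]:
            sev = "latent"
        else:
            sev = "exposed"
        findings.append({"source": "policy", "severity": sev,
                         "detail": f"statement {stmt.get('Sid', '<no Sid>')} allows "
                                   f"{stmt.get('Action')} to Principal *"})

    return {"bucket": name,
            "exposed": any(f["severity"] == "exposed" for f in findings),
            "findings": findings}


# --- constructed sample inputs (hypothetical buckets) ---
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-phi-archive/*"}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
NO_PAB = {k: False for k in PAB_KEYS}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/HomeHealthApp"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-archive/*"}]}
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]
FULL_PAB = {k: True for k in PAB_KEYS}


if __name__ == "__main__":
    for args in (("open-bucket", OPEN_POLICY, OPEN_ACL, NO_PAB),
                 ("open-but-masked", OPEN_POLICY, OPEN_ACL, FULL_PAB),
                 ("hardened", HARDENED_POLICY, HARDENED_ACL, FULL_PAB)):
        result = assess_bucket(*args)
        print(result["bucket"], "EXPOSED" if result["exposed"] else "ok")
        for f in result["findings"]:
            print(f"  [{f['severity']}] {f['source']}: {f['detail']}")
```

The "latent" class is the one sweeps usually miss: Block Public Access makes the bucket safe today, but the public ACL or policy is still there, and a single console click on the wrong account turns it back into an Archer-style leak. Report latent findings and remove the grants, rather than trusting the block setting alone.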
The bottom line
This week’s headlines reinforced three truths: attackers will keep chaining edge-device bugs to get inside; basic misconfigurations still cause outsized PHI exposure; and the legal/regulatory perimeter is tightening. Keep your patch & exposure management sharp at the perimeter, pressure-test vendor and storage controls, and make sure your documentation is strong enough to stand up in court—or better yet, to prevent you from getting there.