September 6 - 12, 2025 Healthcare Cyber Review
Ransomware and breach notifications dominated the week.
South Dakota’s Huron Regional Medical Center began mailing breach notices on Sept 9 after confirming unauthorized network access and exposure of clinical and billing data; the incident is not yet posted on HHS OCR’s breach portal, so the total impacted remains unknown. Wayne Memorial Hospital, a community provider in Georgia, disclosed that more than 160,000 individuals were affected by a previously undetailed ransomware attack, with stolen data ranging from SSNs to diagnosis and prescription details, according to notifications filed with state AGs and reported Sept 9.
Email remains a soft spot—and attackers know it.
Radiology Associates of San Luis Obispo (CA) said 13,158 people were affected after an intruder accessed employee email accounts across February–March; North Oaks Health System (LA) reported exposure of messages and attachments for 6,243 patients following suspicious email activity in late May/early June. Both organizations are tightening controls and offering monitoring.
Third-party risk continues to ripple.
Franklin Dermatology Group (TN) confirmed it was swept up in last year’s breach at collections vendor Nationwide Recovery Service; the provider reported 2,457 affected and is now notifying patients itself after delays by the vendor—another reminder that BA incidents keep landing on providers’ doorsteps months later.
A cautionary tale in accidental exposure—at scale.
In New South Wales, Australia, a misconfiguration at two health-district websites publicly exposed highly sensitive credentialing documents for nearly 600 clinicians, including passports and driver’s licenses, before removal. The episode underscores that not all “breaches” are intrusions; basic web governance failures can be just as damaging—especially for identity theft.
Regulatory spotlight: OCR gets the keys to Part 2 enforcement.
Law-firm analyses this week highlighted HHS’s late-August move delegating enforcement of 42 CFR Part 2 (SUD confidentiality rules) to the Office for Civil Rights. That shift brings HIPAA-style civil monetary penalties and resolution agreements to Part 2 violations and aligns complaint handling with HIPAA processes. Expect increased scrutiny of SUD data flows, consent management, and redisclosure controls as organizations work toward the Feb 16, 2026 compliance deadline set by the 2024 final rule.
Litigation watch: post-incident costs keep accruing.
Revenue-cycle firm R1 RCM and Dignity Health’s St. Rose Dominican Hospital agreed to a $675,000 class-action settlement tied to an earlier breach, a small but visible data point in the mounting legal drag from healthcare cyber incidents. Even modest settlements add to forensic, notification, credit-monitoring, and operational costs that can linger long after containment.
National risk posture: KEV update and OT/Facilities exposure.
On Sept 11, CISA added CVE-2025-5086 (a deserialization flaw in Dassault Systèmes DELMIA Apriso) to its Known Exploited Vulnerabilities catalog—another reminder to work KEV items into patch governance, even when products aren’t “clinical.” The same day, CISA issued multiple ICS advisories (e.g., Daikin Security Gateway; Schneider/Siemens components) that can touch hospital building automation, HVAC, and plant networks—areas that increasingly intersect with care operations and downtime risk.
Signal amid the noise: attacker economics remain favorable.
Fresh cyber-insurance data released Sept 9 shows fewer claims resulting in loss year-over-year, but ransomware still accounts for 91% of incurred losses—evidence that while some defenses improve, successful cases are getting costlier. For hospitals already battling thin margins, the takeaway is simple: resilience beats purity; tighten recovery times and vendor failovers.
What this means for healthcare CISOs and security leaders
1) Double down on identity and email controls.
Recent disclosures again point to compromised mailboxes as the entry point. Enforce phishing-resistant MFA across O365/Entra ID, remove legacy protocols, and implement conditional access with device compliance. Back it with least-privilege mailbox access, detection of suspicious inbox rules (auto-forwarding, silent deletion, hiding mail in rarely viewed folders), and user-reported phish triage SLAs.
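As an added illustration of the suspicious-rule detection recommended above (example code written for this review, not from any of the organizations or vendors mentioned), the script below scores inbox-rule changes for the patterns that typically follow a mailbox compromise. It assumes records shaped like Microsoft 365 unified audit log entries for New-InboxRule / Set-InboxRule (Operation plus a Parameters list of Name/Value pairs); the field names and the sample records are assumptions and constructed data, not real log output.

```python
"""Flag inbox-rule changes typical of a compromised mailbox: external forwarding,
silent deletion, or hiding mail in rarely viewed folders. Record shape follows
the Microsoft 365 unified audit log as assumed here (New-/Set-InboxRule with a
Parameters list); the sample records below are constructed, not real data."""

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}

def _params(record):
    # Cmdlet arguments arrive as a list of {"Name": ..., "Value": ...} dicts (assumed shape).
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def rule_findings(record, internal_domains):
    """Return human-readable reasons this rule change looks suspicious (empty if benign)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p, findings = _params(record), []
    for name in EXFIL_PARAMS:
        for addr in p.get(name, "").replace(";", ",").split(","):
            addr = addr.strip().strip("\"'").lower()
            if addr and addr.rsplit("@", 1)[-1] not in internal_domains:
                findings.append(f"{name} to external address {addr}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("DeleteMessage=True (silently discards matching mail)")
    folder = p.get("MoveToFolder", "").lstrip(":\\").lower()
    if folder in HIDE_FOLDERS:
        findings.append(f"MoveToFolder={folder!r} (folder users rarely open)")
    return findings

def scan(records, internal_domains):
    """Return (UserId, Operation, reasons) for every suspicious record."""
    hits = []
    for r in records:
        reasons = rule_findings(r, internal_domains)
        if reasons:
            hits.append((r.get("UserId", "?"), r["Operation"], reasons))
    return hits

SAMPLE = [  # constructed examples: one benign rule, two that should be triaged
    {"UserId": "nurse1@hospital.example", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
    {"UserId": "billing2@hospital.example", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
        {"Name": "ForwardTo", "Value": "outside@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "dr3@hospital.example", "Operation": "Set-InboxRule", "Parameters": [
        {"Name": "MoveToFolder", "Value": "\\RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
]
```

Run `scan(SAMPLE, {"hospital.example"})` to see the two flagged records; in production, feed it the exported audit records and your tenant's accepted domains.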
2) Treat facilities OT as part of clinical uptime.
Map dependencies between BMS/HVAC and clinical workflows. Segment OT networks, apply vendor mitigations from current ICS advisories, and include OT in incident exercises and BC/DR runbooks (cooling failures can shut down imaging, pharmacies, and ORs as surely as an EHR outage).
3) Tighten third-party governance.
Re-assess business associates handling payments/collections and imaging. Require event-of-incident notification windows, proof of logging/EDR, immutable backups, and tabletop participation. Track BA findings to closure; vendor delays can become your reputational risk.
4) Prepare for expanded enforcement on SUD data.
Inventory Part 2 data sources, consent artifacts, and redisclosure pathways; align with HIPAA right-of-access and minimum-necessary. Update policies, workforce training, and DLP rules for Part 2 tags now—well ahead of Feb 2026.
5) Budget for the long tail.
The R1 RCM settlement is a reminder that legal and remediation costs persist long past recovery. Build post-incident reserves into your risk register and cyber-insurance discussions, including class-action exposure and patient protection services.