Skip to main content
Emerging ThreatsData Breaches

Smaller Healthcare Providers Targeted in Rising Wave of Cyberattacks

A small medical clinic's waiting room with a reception desk and chairs, bathed in soft daylight.

"There is no such thing as an isolated healthcare breach," field CISO and CTO Skip Sorrels warned, and recent federal filings make that assertion hard to dispute. Eight hacking incidents reported in recent weeks to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool affected nearly 2 million individuals, with single breaches ranging from about 100,000 to nearly 600,000 patients.

Recent incidents and their scale

The breach notices name a range of smaller medical practices across specialties and regions. The notices include Coastal Carolina Health Care in North Carolina, where a hack affected 110,304 individuals, and Erie Family Health Centers in Pennsylvania, where an incident affected 570,000 patients. Many notices state that patient data — including names, Social Security numbers and medical information — was determined to be "accessed or acquired" during investigations into incidents involving "unusual activity" that disrupted access to or operations of IT systems.

Verizon’s 2025 findings: smaller organizations disproportionately hit

Verizon's 2025 annual breach analysis reinforces the pattern. Of 1,492 healthcare security incidents identified for 2025, smaller entities employing up to 1,000 workers were the predominant victims, accounting for 472 incidents; larger organizations figured in just 21 incidents. Verizon identified "financial" motives for the vast majority of healthcare hacks it examined, followed by espionage.

Why attackers see small providers as low-hanging fruit — Mike Hamilton

Mike Hamilton, CISO emeritus at IT provider Datec Inc., described several reasons smaller providers attract attackers. He said there are simply more small targets and they often have reduced capacity to support critical cybersecurity controls. He added that an increase in threat actors, "facilitated by cybercrime 'affiliate' models," means more actors are "out shopping for victims" and that small healthcare facilities are considered low-hanging fruit likely to pay extortion because of their criticality. Regarding espionage, Hamilton noted it is "likely focused on research" — patentable drugs, cancer treatments and information about readiness for another pandemic — all items that could be valuable to nation states or used in military planning.

Interconnected supply chains, exploited vulnerabilities, and AI-assisted scaling

Sorrels emphasized the systemic risk: regional specialty clinics and mid-sized providers are often "trusted backend nodes" for larger networks, clearinghouses or pharmacy chains. That interdependence, he said, means failing to secure the weakest links enlarges the "blast radius" of breaches.

Verizon identified the top initial access vectors in healthcare as exploitation of vulnerabilities, phishing and credential abuse. Many vulnerability-exploitation incidents linked to third parties, with the Oracle E-Business Suite vulnerability cited as an example in recent reporting. The report also flagged an accelerating danger: Anthropic's Claude Mythos model for vulnerability identification — which Mike Hamilton said "is not unique" — and Sorrels added that AI "changes the math because it eliminates the manual labor of scanning, identifying device makes and models, and guessing passwords," turning a tedious, one-by-one targeting process into "an automated, mass-scale dragnet."

What this means for technologists, policymakers, and providers

  • Technologists and security teams: expect more exploitation of third-party software and credential-based attacks, and prepare for AI-enabled reconnaissance that increases the scale and speed of targeting.
  • Policymakers and regulators: filings to the HHS HIPAA Breach Reporting Tool show the scale of patient-impacting incidents; those notices, and Verizon’s incident counts, illustrate concentrated risk among smaller entities that interface with broader health networks.
  • Affected enterprises and procurement leaders: the pattern underlines supply-chain exposure — mid-sized clinics and specialty providers often serve as backend nodes to larger systems, so procurement and third-party risk assessments will determine how widely a breach can propagate.

The record in recent weeks is stark: nearly two million patient records touched across eight breaches, widespread motives ranging from financial gain to espionage, and initial access methods that exploit both human weaknesses (phishing, credential abuse) and technical holes (vulnerabilities in third-party systems). With AI tools that can automate discovery of those holes, the question is no longer whether the blast radius will expand — the filings and analyses suggest it already is. Securing the "weakest links" in the medical supply chain, as Sorrels put it, will determine whether these incidents remain confined to smaller practices or continue to ripple across the healthcare ecosystem.

Original story