
How healthcare organizations respond and recover from data breaches


According to the Paubox report "The Top 3 Healthcare Email Attacks in 2025 and How to Defend Against Them," the United States Department of Health and Human Services recorded 170 email-related healthcare breaches in 2025 alone, affecting more than 2.5 million individuals. As Forrester notes in the same report, "Process failures and human error continue to be a persistent cause of data exposure, particularly when security controls rely on user judgment." The four cases below show how healthcare organizations faced breaches head-on and responded swiftly.

 

St. Dominic-Jackson Memorial Hospital

St. Dominic-Jackson Memorial Hospital in Jackson, Mississippi identified a pattern of employees accessing patient records without authorization. Motivations ranged from curiosity and concern about a coworker or family member to, in some cases, malicious intent, such as monitoring a spouse during a divorce. In the first month of monitoring, HIPAA privacy and security officer Dena Boggan uncovered approximately 50 incidents of inappropriate access.

The hospital responded by deploying privacy breach auditing software, which enabled daily auditing of every record across all systems and generated automated alerts within hours of a suspected violation. When an incident was flagged, the employee's supervisor was notified, an investigation was launched, and the individual was brought into a meeting with Boggan, their manager, and HR.

The hospital also implemented a tiered sanctions framework which consisted of verbal warning, written citation, final warning, and termination with the option to fast-track dismissal in cases involving malicious intent or the records of public figures. Staff were also given coaching to ensure violations did not reoccur.

Following implementation, incidents dropped from approximately 50 per month to just one or two every two months. In six years, only three employees were dismissed as a result of breaches.

 

Ascension Health

In May 2024, Ascension, a Catholic nonprofit health system operating 140 hospitals across 19 states, detected unusual activity on its technology network systems. The suspected cyberattack caused disruptions to clinical operations and interrupted access to certain systems.

Ascension advised all business partners to temporarily disconnect from its environment to contain the potential spread. The organization hired a third-party cybersecurity firm to assist with investigation and remediation, and notified the appropriate authorities. Measures were put in place to ensure patient care remained safe and as uninterrupted as possible throughout the incident.

Ascension maintained transparent public communication throughout, providing updates on the situation and the steps being taken to resolve it. The organization's ability to act quickly and decisively showed the necessity of having a tested incident response plan ready before a breach occurs.

 

SimonMed Imaging

In late January 2025, SimonMed Imaging, an outpatient medical imaging and radiology provider in the United States, was notified by a vendor of an ongoing security incident. The following day, SimonMed detected suspicious activity on its own network and launched an immediate response which included resetting passwords, enabling two-factor authentication, deploying endpoint detection and response monitoring tools, and removing all third-party vendor direct access to its systems.

Despite these measures, the ransomware group Medusa had already gained access. Between January 21 and February 5, 2025, attackers exfiltrated 212 gigabytes of data belonging to 1.2 million patients, including ID scans, medical reports, raw imaging scans, payment details, and account information. Medusa demanded $1 million to delete the data, with an additional $10,000 per day to delay its public release.

In the aftermath, SimonMed notified relevant authorities, engaged third-party cybersecurity experts to conduct a full post-incident assessment, and filed a report with the Office of the Maine Attorney General. All 1.2 million affected individuals were offered free identity theft and credit monitoring services.

 

Yale New Haven Health

On March 8, 2025, Yale New Haven Health, the largest healthcare system in Connecticut, identified unusual activity affecting its IT systems. An unauthorized third party had gained access to the network and obtained copies of certain patient data, including names, dates of birth, addresses, contact details, Social Security numbers, patient types, and medical record numbers for some individuals.

Yale New Haven Health contained the incident on the same day it was detected, launched an investigation with the support of external cybersecurity experts, and reported the matter to law enforcement. The organization confirmed that its electronic medical record system was not accessed during the incident, and that no financial accounts, payment information, or employee HR data was compromised. Patient care was not disrupted at any point.

Following the investigation, YNHHS mailed notification letters to all affected patients and established a dedicated toll-free call center to handle patient inquiries. Patients whose Social Security numbers were involved were offered complimentary credit monitoring and identity protection services. The organization publicly committed to continuously updating and enhancing its systems to better protect patient data going forward.

 

What healthcare organizations can learn

  • Implement continuous audit monitoring. Use automated tools to flag unusual access in real time. As the Paubox report warns, "once credentials are compromised, downstream controls often fail to recognize the account as compromised," making early detection essential.
  • Train staff regularly. Most breaches tied to human error are preventable, yet, as the Paubox report notes, process failures and human error remain a persistent cause of data exposure.
  • Enforce the principle of least privilege. Staff should only access records they need for their role. Limiting access by default reduces risk from both insiders and outside attackers.
  • Have an incident response plan. Ascension and YNHHS responded quickly because they had plans ready. Know who to call, what to shut down, and how to communicate before an incident happens.
  • Require multi-factor authentication (MFA) across all systems. SimonMed turned on MFA only after the attack started. The Paubox report identifies MFA being "treated as a backstop rather than a preventive control" as one of the most common defense failures.
  • Manage third-party vendor access. The Paubox report found that nearly one in three email breaches in 2025 involved a business associate. EY, cited in the report, found that "healthcare organizations report limited visibility into third-party cybersecurity controls, despite increasing reliance on vendors for core operations." Give vendors only the access they need, monitor it closely, and cut it off the moment something looks wrong.
  • Segment and protect critical systems. YNHHS reported that its electronic medical record system was not accessed during the incident; keeping clinical systems separated from the broader network limits what an intruder can reach once inside.
  • Encrypt all devices and sensitive data. Laptops, phones, and portable storage holding patient data must be encrypted.
  • Communicate quickly and transparently with affected patients. Tell patients what happened, what was taken, what was not, and what help is available. Every organization in these stories made that a priority, and it matters for maintaining trust.
  • Build a culture of security. As Boggan put it at St. Dominic's, "with breaches, it's not a matter of if, it's when." Microsoft, cited in the Paubox report, observes that "attackers increasingly exploit trust in familiar identities, such as executives and vendors, rather than relying on malicious attachments or links." When security is treated as an ongoing priority, the whole organization follows.
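As an added example (not St. Dominic's auditing software or any Paubox tool), the Python script below shows the kind of rule-based daily audit that the St. Dominic case and the first lesson above describe, run over a constructed day of EHR access-log lines. It flags self-access, access to a coworker's record, access to a public figure's record, access with no treatment relationship and no recorded reason, and access to a patient who shares the employee's surname, then assigns each alert a disposition that mirrors the tiered sanctions framework (fast-track for public figures). The employee roster, patient index, MRNs, unit names and reason codes are all hypothetical; a real deployment would pull them from HR, registration and scheduling feeds.

```python
"""Rule-based daily audit of EHR access logs for inappropriate access.

Added example; the roster, patient index and log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str       # ISO-8601 timestamp of the access
    user: str     # employee id
    mrn: str      # patient medical record number
    action: str   # view / edit / print
    reason: str   # treatment reason code, empty if none was recorded


# Hypothetical reference data (from HR and registration feeds in a real deployment).
EMPLOYEES = {
    "e100": {"surname": "Nguyen", "unit": "ICU",     "own_mrn": "M001"},
    "e200": {"surname": "Patel",  "unit": "ER",      "own_mrn": "M002"},
    "e300": {"surname": "Lopez",  "unit": "Billing", "own_mrn": "M003"},
}
PATIENTS = {
    "M001": {"surname": "Nguyen", "unit": "ICU",      "vip": False},
    "M002": {"surname": "Patel",  "unit": "ER",       "vip": False},
    "M003": {"surname": "Lopez",  "unit": "Ortho",    "vip": False},
    "M010": {"surname": "Nguyen", "unit": "Ortho",    "vip": False},  # shares e100's surname
    "M020": {"surname": "Kim",    "unit": "ICU",      "vip": False},
    "M030": {"surname": "Rivera", "unit": "Oncology", "vip": True},   # public figure
}
EMPLOYEE_MRNS = {e["own_mrn"] for e in EMPLOYEES.values()}

# Constructed sample of one day's access log: ts,user,mrn,action,treatment_reason
SAMPLE_LOG = """\
2025-03-01T08:15:00,e100,M020,view,TX-ICU
2025-03-01T09:02:00,e100,M010,view,
2025-03-01T11:40:00,e200,M030,view,
2025-03-01T13:05:00,e300,M002,view,
2025-03-01T13:20:00,e300,M003,print,
2025-03-01T15:30:00,e200,M020,view,TX-CONSULT
"""


def parse_log(text):
    """Parse comma-separated log lines into Access records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action, reason = line.split(",")
        records.append(Access(ts, user, mrn, action, reason))
    return records


def flag_access(a):
    """Return the list of audit findings for one access (empty if it looks legitimate)."""
    emp, pat = EMPLOYEES[a.user], PATIENTS[a.mrn]
    findings = []
    if a.mrn == emp["own_mrn"]:
        findings.append("self-access")
    elif a.mrn in EMPLOYEE_MRNS:
        findings.append("coworker-record")
    if pat["vip"]:
        findings.append("vip-record")
    # Same unit, or a recorded treatment reason (break-the-glass), counts as a relationship.
    if pat["unit"] != emp["unit"] and not a.reason:
        findings.append("no-treatment-relationship")
    if pat["surname"] == emp["surname"] and a.mrn != emp["own_mrn"]:
        findings.append("shared-surname")
    return findings


def disposition(findings):
    """Map findings to a sanctions-track disposition; public figures are fast-tracked."""
    if not findings:
        return None
    if "vip-record" in findings:
        return "fast-track"
    if "no-treatment-relationship" in findings and (
        "coworker-record" in findings or "shared-surname" in findings
    ):
        return "escalate"
    return "review"


def audit(log_text):
    """Run every rule over the day's log and return alerts in log order."""
    alerts = []
    for a in parse_log(log_text):
        findings = flag_access(a)
        if findings:
            alerts.append({"ts": a.ts, "user": a.user, "mrn": a.mrn,
                           "findings": findings, "disposition": disposition(findings)})
    return alerts


def alerts_by_user(alerts):
    """Per-employee alert counts, the figure a privacy officer tracks month over month."""
    return dict(Counter(alert["user"] for alert in alerts))


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
    print(alerts_by_user(audit(SAMPLE_LOG)))
```

On the sample log the ICU nurse's in-unit access and the consult with a recorded reason pass silently, while the same-surname lookup, the public figure's record, the coworker's record and the employee's own chart each produce an alert for the supervisor meeting the St. Dominic process describes. The reason-code exception is deliberate: a recorded break-the-glass reason suppresses the relationship flag but stays in the log, so a reviewer can still spot a user who records reasons for everything.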

 

FAQs

Are smaller healthcare organizations at as much risk as large hospital systems?

Yes, smaller providers are often more vulnerable because they have fewer dedicated security resources.

 

Can cyber insurance cover the costs of a healthcare data breach?

Cyber insurance can offset costs like forensic investigations, legal fees, and patient notification.

 

How long does a breach investigation take?

Investigations can range from a few weeks to several months depending on the complexity of the attack and the volume of data involved.

 

What legal obligations do healthcare organizations have after a breach?

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach. Breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services within the same 60-day window and, when the affected individuals live in one state or jurisdiction, to prominent media outlets as well; smaller breaches are logged and reported to HHS annually.
