In 2023, over 167 million individuals were affected by healthcare data breaches — a record. More than 90% of those breaches involved phishing, weak passwords, or outdated systems. The healthcare sector is the most-targeted industry for data theft, and the penalties for a reportable breach go well beyond the cost of the incident itself.
Every medical practice that handles protected health information is required to meet HIPAA's technical safeguard standards. But there's a distinction that matters: being compliant and being secure are not the same thing. Compliance is the minimum floor. The breaches that make headlines happen to organizations that met compliance requirements on paper while leaving exploitable gaps in practice.
What attackers are after
Patient records sell for significantly more than credit card data on the black market. A stolen credit card can be cancelled. A patient record — with Social Security numbers, insurance information, medical history, and billing data — is far more valuable and far more difficult to remediate. That's why healthcare is a persistent target and why practices of every size are in scope.
The three vulnerabilities we see most often
Phishing into EHR systems. Staff receive a convincing email, click a link, enter credentials, and hand an attacker access to the practice's EHR. From there, patient records can be exfiltrated in bulk before anyone notices. Email security filtering and staff training are the two controls that most directly reduce this risk.
Weak or reused passwords. A password used on a personal account that gets exposed in an unrelated breach can unlock your practice's systems if staff are reusing credentials. Password managers remove the reason to reuse, and MFA means a leaked password on its own is not enough to log in; together they close this gap.
Outdated systems. Legacy Windows systems that are past end-of-life, EHR software running on unpatched servers, network equipment that hasn't been updated — these carry known vulnerabilities that attackers actively scan for. Patching and lifecycle management aren't glamorous, but they're effective.
What audit-ready actually looks like
HIPAA requires documented policies and technical controls — not just that they exist, but that you can demonstrate them. When a breach occurs, the OCR investigation asks for evidence: risk assessments, access logs, training records, incident response documentation. Practices that have this in order face significantly better outcomes than those scrambling to reconstruct it after the fact.
A regular security review — ideally annual, with quarterly check-ins — keeps the documentation current and the controls effective. It also simplifies cyber insurance renewals, which increasingly require evidence of specific controls before coverage is issued.