Hackers don’t need to attack hospitals… they have a MUCH easier target!

Introduction

Cyberattacks targeting health tech companies that power healthcare data and services have surged in recent years.

Unlike hospitals and clinics, these firms often operate behind the scenes, managing cloud services, billing, telehealth, and data processing.

However, a single breach at a vendor can expose millions of patient records or disrupt care across multiple facilities.

This deep dive looks at some of the most notorious cybersecurity incidents in health tech from 2019 to 2024.

These cases involve ransomware attacks, large-scale data breaches, insider threats, and supply chain vulnerabilities, each offering valuable lessons for securing digital health systems.

We’ll also explore the regulatory and legal consequences that followed and what health tech leaders can do to mitigate similar risks.

Case Studies: Major Cyber Threats in Health Tech

Ransomware Attack on Elekta (2021) – Disrupting Cancer Care

In April 2021, Swedish radiotherapy and oncology technology company Elekta suffered a ransomware attack on a cloud-based platform used by U.S. radiation oncology providers (Paubox).

The attackers had access to Elekta’s cloud environment between April 2 and April 20, exfiltrating data before deploying ransomware (HIPAA Journal). That dwell time, with data theft preceding encryption, is the standard double-extortion pattern, and it means the disruption was only the visible half of the incident.

The consequences were severe.

170 healthcare providers relying on Elekta’s cloud service were affected.

Many hospitals had to take their radiation treatment systems offline, forcing them to delay or reschedule cancer therapies.

At Northwestern Memorial Healthcare, an oncology database holding roughly 201,000 patient records was exposed (HIPAA Journal).

Elekta responded by shutting down its U.S. cloud servers on April 20 to contain the attack.

The company provided credit monitoring to affected patients and collaborated with law enforcement and forensic investigators.

A class-action lawsuit was filed, arguing Elekta’s security failures allowed the breach to happen.

As of 2024, no OCR (Office for Civil Rights) fine against Elekta has been announced publicly, but the breach is under investigation as a potential HIPAA violation.

The case reinforces that ransomware at a business associate can trigger liability if investigators find that required safeguards (risk analyses, logging and monitoring, access controls) were not in place.

In a comparable case, a medical billing vendor settled with OCR for $100,000 after a ransomware incident revealed lax security practices.

Third-Party Billing Breach – AMCA (2019) and Massive Data Exposure

In 2019, the American Medical Collection Agency (AMCA) suffered one of the largest health data breaches on record.

Attackers had undetected access to AMCA’s systems for roughly eight months, from August 2018 to March 2019, stealing records on more than 21 million patients from dozens of healthcare organizations.

The breach affected major diagnostic companies, including Quest Diagnostics (11.9 million patients) and LabCorp (7.7 million patients).

Stolen data included names, birthdates, account balances, and even financial information.

After the breach was discovered, AMCA’s healthcare clients sent out millions of breach notification letters as required by HIPAA.

However, the company was overwhelmed by legal and notification costs and ultimately filed for Chapter 11 bankruptcy.

A coalition of 41 state Attorneys General launched an investigation, leading to a $21 million settlement with mandated security improvements.

The case prompted calls for stronger vendor risk management and likely contributed to OCR placing greater emphasis on business associate compliance in later guidance.

Blackbaud (2020) – Ransomware Exposes Millions via a Cloud Vendor

Cloud service provider Blackbaud suffered a ransomware attack in May 2020.

The attacker was inside Blackbaud’s self-hosted environment from February until the intrusion was stopped in May 2020, exfiltrating backup data and then launching a ransomware payload.

Over 10 million healthcare patients and donors were affected, with stolen data including Social Security numbers, bank account information, and donation records.

Blackbaud paid a ransom of roughly $235,000 in Bitcoin in exchange for the attacker’s assurance that the stolen data had been destroyed, an assurance that cannot be verified and that regulators did not accept as a substitute for notification.

However, the company later faced 25+ class-action lawsuits and a $3 million SEC fine for misleading investors about the breach.

The FTC also ordered Blackbaud to delete data it no longer needs and to maintain an information security program subject to independent assessments.

Insider Threat at a Vendor – Nuance Communications (2023)

A former employee of Nuance Communications, a health tech speech recognition and transcription provider, accessed records of more than 1 million patients of a Nuance customer shortly after being terminated, because the account had not yet been disabled.

The FBI arrested the individual, who now faces federal charges for HIPAA violations.

OCR launched an investigation, citing possible security lapses.

In response, Nuance reviewed its employee access and offboarding procedures, underscoring that termination in HR must translate into immediate revocation of every account, including those on customer-facing systems.

Key Takeaways for Health Tech Companies

Strengthen Ransomware Defenses

  • Health tech companies need to segment their networks so that a compromised workstation or vendor connection cannot reach the systems that hold or process patient data, limiting how far ransomware can spread.

  • Zero-trust architectures (authenticate and authorize every request, regardless of network location) further limit lateral movement once a foothold exists.

Prioritize Third-Party Risk Management

  • Regular security audits of vendors handling patient data should be a standard practice.

  • Companies must also enforce strict cybersecurity requirements in contracts with suppliers.

Monitor for Insider Threats

  • Access revocation for terminated employees should be automated: an HR termination event should disable the identity-provider account and all downstream system access immediately, not at the next manual review.

  • Behavioral monitoring of record access (volume, timing, and bulk exports outside normal patterns) can surface suspicious activity before large-scale exfiltration is complete.

Conclusion: The Future of Health Tech Cybersecurity

Cyberattacks on health tech companies are increasing in scale and sophistication, and vendors that handle protected health information are business associates directly liable under HIPAA, just as hospitals are.

Moving forward, proactive cybersecurity strategies, stricter vendor oversight, and transparent breach response plans are essential for protecting patient data and maintaining compliance.

By learning from past breaches and using security frameworks, digital health companies can reduce regulatory risks, protect patient information, and reinforce trust in their technology.

I help teams build secure systems to manage threats efficiently.

Let’s talk.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com