Under the Knife: Inside the Cybersecurity Crisis Threatening American Healthcare



In the last half year, America’s healthcare systems have faced a string of cyberattacks with escalating consequences. Behind the news alerts are deeper problems that go beyond firewalls and passwords. Patient care has been delayed, data stolen, and entire hospitals forced to return to paper. As more attackers strike with advanced tactics and broader targets, the industry has struggled to respond. This report looks at recent confirmed breaches, how attackers gained access, and what might have prevented them. The facts paint a clear picture. Hospitals are unprepared. And the cost of that is growing.

On May 8, 2025, Kettering Health, a nonprofit network of 14 hospitals, reported what it called a “system-wide technology outage.” Within days, the Interlock ransomware group claimed credit and published a sample of stolen data. The leak included patient files and internal documents. While Kettering has yet to release a full incident breakdown, Interlock has used a known set of techniques in previous campaigns, including stolen credentials, exposed remote desktop access, and credential stuffing.

Without access to its digital systems, Kettering staff were forced to handwrite notes and track appointments manually. A nurse at one facility told local reporters that “it felt like stepping back into the last century.” Elective procedures were canceled. For those relying on accurate, instant health records, the delay could have real consequences. Investigators believe early detection tools could have isolated the threat before data was removed from the system.

The breach of Change Healthcare, a UnitedHealth subsidiary, was one of the most destructive in U.S. medical history. Intruders affiliated with the ALPHV/BlackCat ransomware group used valid login credentials to access a Citrix remote access portal that lacked multi-factor authentication. They were inside the network for more than a week before deploying ransomware on February 21, 2024, and nothing raised an alarm in the meantime.

The result was nationwide disruption. Doctors couldn’t fill prescriptions. Insurance claims were frozen. Hospital billing systems stalled. UnitedHealth later confirmed a ransom was paid. The U.S. Department of Health and Human Services announced that more than 190 million patient records may have been affected. Cybersecurity analysts from Mandiant stated in a technical postmortem that better segmentation and basic access controls could have stopped the attack early.

In Camden, Cooper University Health Care filed a notice with state regulators confirming that 57,000 patients had their data accessed without authorization. Legal filings suggest that full names, treatment information, and insurance records were exposed. While the breach has yet to be traced to a specific source, several security researchers have pointed to third-party billing software as a likely vulnerability. No public forensic report has been issued.

A class-action lawsuit was filed in New Jersey Superior Court within two weeks. In it, plaintiffs alleged that Cooper had failed to adopt industry-standard security controls. The case remains ongoing. Meanwhile, healthcare privacy experts at the Rutgers Institute for Health, Health Care Policy and Aging Research noted in a May 27 interview with NJ Spotlight News that “system integrations with weak authentication are among the most common exposure points in healthcare breaches.”

In mid-April, DaVita confirmed that twelve of its dialysis clinics in San Antonio were affected by a ransomware attack that disrupted internal networks and disabled parts of its communications infrastructure. DaVita quickly switched to manual patient tracking and emphasized that no treatments were missed. However, the company declined to share how attackers gained access.

According to a review by the Texas Department of Information Resources, the affected clinics had not yet migrated to DaVita’s newer endpoint management system. Analysts familiar with the report, speaking under condition of anonymity to The San Antonio Express-News, noted that older desktop systems in use at outpatient centers were not covered by real-time detection tools, which may have left the network blind to early signs of the intrusion.

Oracle Health acknowledged in March that attackers had accessed patient data from legacy Cerner EMR installations still active in hospitals not yet migrated to Oracle’s updated security platform. The attackers reportedly exploited known vulnerabilities in Cerner web applications that had been flagged by security researchers as early as 2023.


While Oracle released no public statement at first, internal correspondence was leaked to BleepingComputer showing that the breach remained undetected for multiple weeks. The affected systems were running outdated software with unsupported APIs. One former Oracle security engineer told the outlet that “it was like a window had been left wide open for months.”

While each case is different, they reflect a familiar pattern. Attackers often begin with a single weak spot—a stolen password, an unpatched system, or a forgotten access point—and move laterally across a network. Once they establish control, data exfiltration or encryption happens rapidly.

Across the board, there were missed opportunities. Multi-factor authentication was either missing or incomplete. Network segmentation was weak or nonexistent. Alerts were missed or never triggered. In every case, earlier detection could have either stopped the threat or reduced its impact. The repeated failure to apply updates, rotate credentials, and monitor user behavior allowed attackers to turn small cracks into full outages.

Could these attacks have been prevented? Yes, and the methods aren't secret. In most cases, basic cyber hygiene (patching, access control, multi-factor authentication) would have made them far harder to pull off. Beyond that, AI-driven behavioral analytics can now watch for the activity that precedes an outage. Such tooling doesn't need to wait for a malware signature: it flags a user who exports far more records than usual, an application acting outside its normal pattern, or a device talking to a destination it has never contacted before.

The security teams that had this capability in place saw threats earlier. The ones that didn’t had no chance to respond until damage was already done.
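The behavioral checks described above, as an added example rather than any vendor's product: the script learns two baselines from a window of constructed EHR audit lines (how many records each account normally exports per hour, and which outbound hosts each application server normally contacts) and flags review-window events that break them. The pipe-delimited log format, account names, hostnames and thresholds are all assumptions made for the illustration.

```python
"""Behavioral baselines over EHR audit events (constructed sample data, not a vendor's product).

Two baselines are learned from a training window of events and applied to a
review window:
  1. per-user volume: how many records each user normally exports per active hour
  2. per-host destinations: which outbound hosts each application server normally contacts
A review event is flagged when it breaks its own baseline; no malware signature is involved.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    hour: str    # events are bucketed by hour, e.g. "2025-05-20T02"
    actor: str   # user account or application host
    action: str  # "export" (records pulled from the EHR) or "connect" (outbound connection)
    count: int   # records exported; 1 for a connection
    dest: str    # destination host for "connect" events, empty otherwise


def parse_line(line: str) -> Event:
    """Parse the constructed pipe-delimited audit format: hour|actor|action|count|dest."""
    hour, actor, action, count, dest = line.split("|")
    return Event(hour, actor, action, int(count), dest)


def hourly_export_volume(events):
    """actor -> list of records exported in each active hour."""
    per_hour = defaultdict(int)
    for e in events:
        if e.action == "export":
            per_hour[(e.actor, e.hour)] += e.count
    by_actor = defaultdict(list)
    for (actor, _hour), n in per_hour.items():
        by_actor[actor].append(n)
    return by_actor


def known_destinations(events):
    """actor -> set of destinations it contacted during the baseline window."""
    dests = defaultdict(set)
    for e in events:
        if e.action == "connect":
            dests[e.actor].add(e.dest)
    return dests


def detect(baseline_lines, review_lines, sigma=3.0, floor=50):
    """Return human-readable alerts for review events that break the learned baselines.

    The volume threshold is mean + sigma * stdev of the actor's hourly history, but never
    below `floor` records, so an actor with little history does not alert on noise.
    """
    baseline = [parse_line(line) for line in baseline_lines]
    review = [parse_line(line) for line in review_lines]
    history = hourly_export_volume(baseline)
    dests = known_destinations(baseline)
    alerts = []

    for actor, counts in hourly_export_volume(review).items():
        hist = history.get(actor, [])
        mu = mean(hist) if hist else 0.0
        sd = pstdev(hist) if len(hist) > 1 else 0.0
        threshold = max(mu + sigma * sd, floor)
        for n in counts:
            if n > threshold:
                alerts.append(f"VOLUME {actor}: {n} records exported in one hour "
                              f"(baseline mean {mu:.0f}, threshold {threshold:.0f})")

    for e in review:
        if e.action == "connect" and e.dest not in dests.get(e.actor, set()):
            alerts.append(f"DESTINATION {e.actor}: first contact with {e.dest}")
    return alerts


# Constructed audit lines. Baseline: ordinary activity. Review: the hours around an intrusion.
BASELINE = [
    "2025-05-01T09|dr_patel|export|40|",
    "2025-05-01T10|dr_patel|export|45|",
    "2025-05-02T09|dr_patel|export|50|",
    "2025-05-02T10|dr_patel|export|42|",
    "2025-05-03T09|dr_patel|export|48|",
    "2025-05-01T09|nurse_kim|export|12|",
    "2025-05-02T09|nurse_kim|export|15|",
    "2025-05-01T09|ehr-app01|connect|1|lab.example-hospital.internal",
    "2025-05-02T09|ehr-app01|connect|1|claims.example-payer.net",
]
REVIEW = [
    "2025-05-20T02|dr_patel|export|1200|",              # ~25x the usual hourly volume, at 2 a.m.
    "2025-05-20T09|nurse_kim|export|14|",               # ordinary shift activity
    "2025-05-20T02|ehr-app01|connect|1|198.51.100.23",  # never-seen destination (TEST-NET-2 address)
    "2025-05-20T09|ehr-app01|connect|1|lab.example-hospital.internal",
]

if __name__ == "__main__":
    for alert in detect(BASELINE, REVIEW):
        print(alert)
```

Run against the constructed data, the script raises exactly two alerts: the 1,200-record export by dr_patel and the application server's first-ever connection to 198.51.100.23. The nurse's normal shift and the server's routine connection to the lab system stay quiet, which is the point: the baseline is per actor, so a bulk export that would be routine for a billing batch job is anomalous for a clinician.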

Phishing emails remain one of the most common entry points for attackers, especially in healthcare. Without regular user training and simulated phishing drills, even highly secure systems can be compromised by a single unsuspecting click. Security awareness must become part of daily clinical culture, not just a checkbox during onboarding.

At the same time, stronger email filtering could have kept many of these messages from ever reaching staff. Real-time link scanning, attachment sandboxing, and sender authentication (SPF and DKIM, enforced by a DMARC policy of quarantine or reject rather than none) are essential to modern email defense. Yet too many organizations still rely on static filtering rules that miss targeted social engineering.
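To make the SPF/DKIM/DMARC point concrete, here is an added example (not code from the page's author) that grades a domain's published records and shows a weak configuration beside its corrected form. The records and the example-hospital.org domain are constructed; the function takes record strings directly so it runs without DNS, and a real check would fetch the TXT records for the domain and for _dmarc.<domain> first.

```python
"""Grade a domain's published SPF and DMARC records (constructed records, no DNS lookups).

SPF and DKIM let a receiving mail server authenticate who sent a message; DMARC
tells it what to do when authentication fails and where to send reports. A domain
publishing SPF "?all" with DMARC "p=none" is monitoring, not enforcing, so mail
spoofing its staff still lands in the inbox.
"""
import re


def spf_all_qualifier(record):
    """Qualifier of the SPF 'all' mechanism: '+', '-', '~' or '?'. None if there is no SPF record.

    RFC 7208: a bare 'all' means '+all'; if no mechanism matches and there is no
    'all' term at all, the result is neutral, which is reported here as '?'.
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return "?"


def parse_dmarc(record):
    """DMARC tag/value pairs as a dict (keys lowercased), or None if absent/invalid."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return (grade, findings): grade is 'enforcing', 'monitoring' or 'unprotected'."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        findings.append("SPF: no record; receivers cannot check which hosts may send for this domain")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorizes every host on the internet to send as this domain")
    elif qualifier == "?":
        findings.append("SPF: neutral for unlisted hosts ('?all' or no 'all' term); nothing is enforced")

    tags = parse_dmarc(dmarc_record)
    policy, pct = None, 100
    if tags is None:
        findings.append("DMARC: no record; SPF/DKIM failures carry no instruction to the receiver")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid 'p' tag")
            policy = None
        elif policy == "none":
            findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
        pct = int(tags.get("pct", "100"))
        if policy in ("quarantine", "reject") and pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("DMARC: no 'rua' address, so nobody receives the aggregate reports that reveal spoofing")

    if tags is None or policy is None or qualifier in (None, "+"):
        grade = "unprotected"
    elif policy == "none" or qualifier == "?" or pct < 100:
        grade = "monitoring"
    else:
        grade = "enforcing"
    return grade, findings


# Constructed records for a fictional hospital domain: the weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-hospital.org"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-hospital.org"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        grade, findings = assess(spf, dmarc)
        print(f"{label}: {grade}")
        for finding in findings:
            print("  -", finding)
```

The weak pair grades as "monitoring": the domain publishes records, so it looks configured, but a forged message from hospital leadership to the billing office is neither rejected by SPF nor acted on by DMARC. Moving to "-all" and "p=reject" is what turns the same records into enforcement, and the `rua` address is what lets the security team see who is attempting the spoofing.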

Modern cybersecurity is about staying alert. It requires active systems that adapt in real time and learn from what they see. The tools exist today, but too many healthcare systems still rely on infrastructure that doesn't see the threat until it's already too late.


Chibitek uses a layered approach, but the foundation is smart detection. We deploy advanced AI tools that learn from every endpoint, every login, every shift in behavior. These systems are trained to notice what most IT teams cannot. They respond to threats before they turn into outages. They isolate systems, lock accounts, and alert our engineers in real time.

We also recognize that healthcare environments are complex. That’s why our platform includes visibility into every device, including mobile and legacy systems. Whether we’re protecting a single practice or a nationwide hospital group, we treat every weak point as a potential target.

Security isn’t just a product we offer. It’s the standard we hold ourselves to.

Cyberattacks on healthcare systems are no longer rare events. They are the background noise of a connected world that hasn't secured itself. What makes these attacks dangerous isn't how advanced they are. It's how preventable they were.

The hospitals that were hit are still recovering. The patients affected may never fully know what was lost. What’s clear is this: the next breach is already being planned. The only thing left to decide is who will be ready for it.



This Isn’t Just a Cybersecurity Threat—It’s a Patient Safety Risk

In healthcare, session token hijacking isn't just a technical flaw; it's a direct threat to patient privacy, clinical operations, and institutional trust. A session token (the cookie or bearer token issued after login) is a bearer credential: whoever presents it is treated as the authenticated user, so a stolen token bypasses the password, and even MFA, for as long as the session lives. A single compromised token can lead to unauthorized access to electronic health records, fraudulent billing activity, or malicious emails impersonating hospital staff.

Today’s attackers don’t need to break through firewalls. They use stolen credentials or active tokens to slip through the front door—quietly, and often without detection.

At Chibitek, we advise our healthcare partners to treat token security and session monitoring as a vital element of business continuity. This isn’t just an IT hygiene issue. It’s a matter of patient safety, compliance, and reputation resilience.
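One concrete form the "token security and session monitoring" advice can take, as an added example and not Chibitek's or any EHR vendor's code: bind each session at login to a fingerprint of the client that received it, re-check the binding on every request, and treat a mismatch as a hijack (revoke the session and alert) rather than trusting the token. The fingerprint recipe (user agent plus the first two octets of the source IP), the 15-minute idle timeout, and the account names and addresses are assumptions chosen for the illustration.

```python
"""Session tokens bound to the client that received them (added example, not a vendor's code).

A bare session cookie is a bearer credential: whoever presents it is the user, MFA
or not. Binding the session at login to a fingerprint of the client (here the
user agent plus the first two octets of the source IP, so roaming inside a
hospital campus is tolerated) and re-checking it on every request turns a
replayed token into a revoked session and an alert instead of a silent takeover.
"""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a clinical session expires (assumed policy)


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context a session is bound to.

    Assumption: `ip` is the true client address (or a proxy-validated forwarded
    address) and movement within the same /16 is legitimate roaming.
    """
    prefix = ".".join(ip.split(".")[:2])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # token -> {"user", "fp", "last_seen"}
        self._clock = clock   # injectable so the walkthrough is deterministic
        self.alerts = []

    def login(self, user: str, ip: str, user_agent: str) -> str:
        """Issue a random 256-bit token and bind the session to the login client."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent),
            "last_seen": self._clock(),
        }
        return token

    def authenticate(self, token: str, ip: str, user_agent: str):
        """Return the session's user if the token is live and still bound; otherwise None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]   # expired: a stolen token has a short shelf life
            return None
        presented = client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(session["fp"], presented):
            del self._sessions[token]   # replay from another client: revoke, do not trust
            self.alerts.append(f"session of {session['user']} presented from unexpected client; revoked")
            return None
        session["last_seen"] = now
        return session["user"]


def demo():
    """Walk through a legitimate request, a hijacked-cookie replay, and an idle expiry."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    ua = "Mozilla/5.0 (Windows NT 10.0) EHR-Client/4.2"

    token = store.login("dr_patel", "10.20.30.40", ua)
    legit = store.authenticate(token, "10.20.31.7", ua)             # same campus /16: accepted
    hijack = store.authenticate(token, "203.0.113.9", "curl/8.5")   # stolen cookie replayed: rejected
    after_hijack = store.authenticate(token, "10.20.30.40", ua)     # real user is logged out as well

    token2 = store.login("nurse_kim", "10.20.30.41", ua)
    clock[0] += IDLE_TIMEOUT + 1
    expired = store.authenticate(token2, "10.20.30.41", ua)         # idle too long: rejected

    return {"legit": legit, "hijack": hijack, "after_hijack": after_hijack,
            "expired": expired, "alerts": list(store.alerts)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices are deliberate. Revoking the session on a mismatch logs the legitimate clinician out too; that is the right trade, since forcing one re-login is cheaper than leaving an attacker's copy of the token valid. And the fingerprint is a tripwire, not a cryptographic guarantee: an infostealer that lifts the cookie can copy the user agent as well, so the binding catches opportunistic replay and gives the security team an alert to act on, while stronger protection comes from device-bound session credentials and from the short idle timeout that limits how long any stolen token works.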
