It’s no secret that the healthcare industry is a target for hackers, with hundreds of companies experiencing cybersecurity incidents each year.
Before the Change Healthcare cyberattack and the CrowdStrike outage in 2024, there were major attacks at Anthem, CareFirst BlueCross BlueShield, and UCLA Health Systems about 10 years prior that had set the industry ablaze. The trend was a wake-up call for providers who were increasingly using electronic health records but perhaps didn’t incorporate enough protections to keep patient data safe online.
Cyberattacks aren’t just invasive for patients—they’re also very costly. IBM reported last year, in fact, that healthcare data breaches cost an average of $9.8 million per incident.
These attacks were a lesson for the entire industry in 2015, and experts spoke with Healthcare Brew about how the approach to cybersecurity shifted afterward.
“The only thing that really moves the needle in cybersecurity is a high-profile attack,” Mark Stockley, a cybersecurity expert, said.
Looking back at attacks
The first breach began in February 2014 but wasn’t disclosed until about a year later when health plan Anthem announced a hacker had stolen personal information—including names, health identification numbers, dates of birth, social security numbers, addresses, telephone numbers, email addresses, and employment and income information—of 78.8 million former and current members.
The hack was reportedly found by a database administrator who noticed his credentials were being used without his permission, according to the California Department of Insurance. The company said in January 2015 the database was shut down immediately following the discovery, and staff changed their passwords. The company paid at least $180 million through 2020 to settle lawsuits related to the incident.
Soon after in June 2014, CareFirst, a BlueCross BlueShield company, experienced a cyberattack that exposed “a single database” associated with the company’s website and online services. The company announced in May 2015 hackers had stolen personal information about 1.1 million members and business associates.
Also in May 2015, UCLA Health confirmed it had been hit by a cyberattack that was suspected as early as October 2014, tech news site TechTarget reported. The attack impacted 4.5 million patients. Data like names, social security numbers and medical information had been stolen, and UCLA Health paid a $7.5 million settlement in March 2019 for not reporting the breach sooner under the HIPAA privacy rule.
None of these companies provided comments on the attacks.
Lessons learned
Part of the problem in the Anthem attack, in particular, was that the company hadn’t encrypted personal information, said Leeann Nicolo, incident response lead at cybersecurity insurance company Coalition, who also worked on recovery for the Anthem attack. Encryption transforms data into an unreadable form that can only be decoded with a key, so stolen records are harder for hackers to make sense of.
Back in 2015, encryption and multi-factor authentication (MFA) were not norms like they are today, she added. (Some companies still don’t have MFA requirements, as seen in the Change cyberattack.)
“The breaches were wake-up calls that exposed how vulnerable this data could be,” she said, adding she remembers thinking healthcare lagged behind other industries in being prepared for hacks.
Cyberattacks against the healthcare industry are on the rise. A 2025 data breach report from Verizon found that the industry saw 1,710 security incidents between Nov. 1, 2023, and Oct. 31, 2024—an increase from 1,378 security incidents the year before.
Since 2015, Nicolo said budgets for threat detection as well as investments in security operation centers and endpoint detection and response tools have increased “significantly.”
A survey of 273 healthcare cybersecurity professionals by the Healthcare Information and Management Systems Society found that 52% of respondents said their organizations “would increase” IT budgets from 2024 to 2025.
Attacks led to the establishment of other norms like remote desktop protocol for people working outside the office and robust offline backups, which are secondary secure places for data to be stored in case of emergency. There’s also been a push to move cybersecurity from a smaller IT concern to a “strategic board-level risk,” Nicolo said.
“[Execs] started planning for it financially—they put people in positions where that was their only role,” she said.
There’s also more awareness today compared to 10 years ago around phishing attacks, where a user is tricked into providing personal information, Nicolo said. However, she said these attacks have become “more sophisticated,” employing methods like token theft, a tactic in which a bad actor obtains MFA information to access accounts.
Regulations—such as stricter enforcement and fines from HIPAA and the FDA as well as state privacy laws like the 2018 California Consumer Privacy Act—have also created more protections for healthcare data.
“There’s more regulations with more teeth,” Nadya Bartol, managing director at consultancy BCG Platinion, said.
Looking forward
While the industry has learned some lessons, this remains a continuous cycle: New tech is rushed to market to beat competitors, and cybersecurity is sacrificed along the way.
When the inevitable attack comes and sensitive data that wasn’t properly safeguarded is compromised, then new regulations are drafted and safety protocols are adopted, Bartol said.
“We need to learn to move fast and not break things,” Bartol said.
One area that needs more scrutiny, Nicolo said, is the use of third-party vendors, as some companies assume those groups have security covered. It’s important to vet suppliers, make sure they have proper security, staffing, and training, and that their systems are up to date, Nicolo said.
Additional regulations may be coming to the industry. A healthcare cybersecurity act was introduced in Congress in June that would require the federal Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services to work together and study cyber risks to the healthcare industry.
Meanwhile, attacks continue to get more advanced.
“Maybe there is more of a business case for getting first to market responsibly because if you’re not responsible, you’re going to suffer consequences,” Bartol said.