Lessons from Recent Healthcare Breaches 2025
TL;DR
Episource, the Illinois Department of Healthcare & Family Services, and others recently disclosed data breaches. Each reveals a different kind of vulnerability, from third-party mistakes to insufficient internal controls. Plus, menstrual tracking apps are under fire for privacy violations, raising big questions about how we treat sensitive data in digital health. In this issue, I unpack what went wrong, what’s at stake, and what you should be doing differently right now.
Recent Healthcare Breaches: A Quick Overview
Recent weeks have been particularly rough for healthcare.
Here are four incidents you must know about:
Episource LLC
What Happened: Episource, a healthcare SaaS provider and business associate of Sharp HealthCare and Sharp Community Medical Group, recently confirmed a ransomware incident affecting its network. Sharp was among the customers impacted by the breach, which exposed sensitive patient data managed by Episource on their behalf.
Impact: Unauthorized individuals gained access to highly sensitive Protected Health Information (PHI), including diagnosis information, treatment information, prescriptions, test results, medical images, medical record numbers, and doctors’ names.
Scale: Over 5 million patients were affected.
Illinois Department of Healthcare & Family Services
What Happened: Unauthorized access breached sensitive patient records due to inadequate internal controls and weak access governance.
Impact: Customer names, Social Security numbers, driver's license or state identification card numbers, financial information related to child support, child support or Medicaid identification and case numbers, and dates of birth.
Scale: 933 individuals.
Gateway Community Services
What Happened: Unauthorized network access crippled Gateway Community Services, a behavioral health and addiction treatment provider.
Impact: Names, SSNs, addresses, dates of birth, driver’s license numbers, medical or treatment information, and health insurance information.
Scale: Approximately 34,500 individuals.
Menstrual Tracking Apps
What Happened: Recent investigations found menstrual and fertility tracking apps exposed sensitive personal and medical data to third parties, raising severe privacy concerns.
Impact: Extremely sensitive data, including menstrual cycles, fertility information, and other intimate health details, was shared without adequate consent or protection, posing serious privacy risks and opening the door to misuse of personal health data.
Scale: Users worldwide are affected.
Immediate, Actionable Lessons from These Breaches
✅ Vendor Risk is Your Risk
Remember that third-party vendors significantly expand your risk exposure.
Action: Audit vendor security practices and BAAs at defined frequencies, but don't stop there. Conduct thorough third-party risk assessments and perform periodic check-ins to confirm vendors are still meeting your requirements.
✅ Unauthorized Access Must Be Managed Aggressively
Access controls and monitoring are important. Attackers keep a foothold in networks for long periods precisely because monitoring is not in place and access controls are weak.
Action: Enforce MFA, encryption, and similar baseline controls. Monitor access logs and your infrastructure around the clock. Apply separation of duties to production code pushes and other critical services.
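"Monitor access logs" is easy to say and hard to operationalize. As an added illustration (not code from the newsletter or from any of the organizations named above), here is a small detector that runs over constructed EHR audit-log lines and raises the three alerts a HIPAA-focused reviewer usually wants first: a role performing an action its policy does not allow, a human account touching PHI outside business hours, and one account opening an unusual number of distinct patient records in a short window. The log format, the role policy, the account names, and the thresholds are all assumptions made for the example.

```python
"""Flag suspicious PHI access in an EHR audit log (added example).

The log format, ROLE_POLICY, account names and thresholds below are
assumptions constructed for illustration, not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp|user|role|action|patient_id
SAMPLE_LOG = """\
2025-06-02T09:12:03|nurse.kim|nurse|view|P1001
2025-06-02T09:15:44|nurse.kim|nurse|view|P1002
2025-06-02T09:20:10|billing.ray|billing|view|P1001
2025-06-02T09:21:30|billing.ray|billing|export|P1001
2025-06-02T14:05:00|clerk.sam|billing|view|P2001
2025-06-02T14:06:00|clerk.sam|billing|view|P2002
2025-06-02T14:07:00|clerk.sam|billing|view|P2003
2025-06-02T14:08:00|clerk.sam|billing|view|P2004
2025-06-02T14:09:00|clerk.sam|billing|view|P2005
2025-06-02T14:10:00|clerk.sam|billing|view|P2006
2025-06-02T23:40:00|dr.lee|physician|view|P3001
"""

# Hypothetical role policy: which actions each role may perform on PHI.
ROLE_POLICY = {
    "nurse": {"view"},
    "physician": {"view", "export"},
    "billing": {"view"},          # billing may look up a chart, never export it
    "service": {"export"},        # batch integration account
}
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local time
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                # distinct patients per window per account


def parse_line(line):
    """Split one pipe-delimited audit line into a dict with a datetime."""
    ts, user, role, action, patient = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient}


def detect(log_text):
    """Return (alert_type, user, detail) tuples in chronological order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    window = defaultdict(list)    # user -> recent (ts, patient) pairs
    bulk_flagged = set()          # raise the bulk alert once per account
    for e in events:
        # 1. Role/action mismatch: a policy violation regardless of timing.
        if e["action"] not in ROLE_POLICY.get(e["role"], set()):
            alerts.append(("ROLE_VIOLATION", e["user"], e["patient"]))
        # 2. Human accounts touching PHI outside business hours.
        if e["role"] != "service" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("AFTER_HOURS", e["user"], e["patient"]))
        # 3. Bulk access: many distinct patients inside a sliding window.
        recent = [(t, p) for t, p in window[e["user"]]
                  if e["ts"] - t <= BULK_WINDOW]
        recent.append((e["ts"], e["patient"]))
        window[e["user"]] = recent
        distinct = {p for _, p in recent}
        if len(distinct) >= BULK_THRESHOLD and e["user"] not in bulk_flagged:
            alerts.append(("BULK_ACCESS", e["user"], str(len(distinct))))
            bulk_flagged.add(e["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample data this raises three alerts: billing.ray exporting a chart, clerk.sam opening five distinct charts in ten minutes, and dr.lee viewing a record at 23:40. The point of the exercise is not the thresholds, which you will tune to your own workload, but that every alert maps back to a specific control (role policy, working hours, rate of record access) that you can show an auditor and hand to an on-call reviewer.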
✅ Prepare Now for Ransomware
Ransomware attacks show how quickly patient care can be disrupted.
Action: Back up critical data, spin up mirrored critical services in separate geographic locations, perform incident response simulations, and train your workforce.
✅ Compliance Isn’t Security
Compliance is the starting point; security is the goal.
Action: Create a security steering committee and embed security into leadership conversations. Look for improvements year over year, and trust me, there is always room for them.
✅ Protect Privacy at Every Step
These privacy failures reinforce the importance of protecting sensitive data and providing transparent consent mechanisms.
Action: Perform regular privacy impact assessments, monitor app permissions and third-party data sharing practices, and clearly communicate privacy standards to your users.
How the HIPAA Exposure Guide Can Help
These recent breaches are exactly why I built the HIPAA Exposure Guide.
It’s a straightforward, executive-level self-audit tool tailored specifically for health tech companies scaling fast.
Quickly assess critical security gaps, vendor oversight issues, and tracking-technology exposure to ensure your security scales with your business.
👉 Download your free HIPAA Exposure Guide
Don’t Become Tomorrow’s Headline
Cybersecurity breaches are critical warnings and timely wake-up calls.
Your next step is preparation.
Strengthen your security strategy today using the actions above.
Don’t become tomorrow’s news.
Let’s Open This Up!
Let’s make this a leadership conversation.
Do you think healthcare has too many breaches to care anymore?