
Cyberattacks target healthcare more than any other industry in the United States, a trend that has persisted for over a decade. The reasons are likely related to the high value of private medical data and the increased likelihood that a healthcare organization will pay a ransom to remain operational.
According to the recently published BakerHostetler 2026 Data Security Incident Response (DSIR) Report, this trend shows no signs of slowing down. The report, published March 26, 2026, examined over 1,250 incidents from 2025, revealing a landscape that is both familiar and alarmingly advanced.
Highlights in the Report include:
- Ransomware demands (and payments) are increasing.
- Lawsuits are increasing.
- Phishing remains the leading cause, followed by unpatched vulnerabilities.
- Faster notification happens when forensic investigations are completed faster.
- Third-party vendors caused 25% of the incidents analyzed.
- AI is more often a factor, and it’s increasing “the speed and scale of cyberattacks.”
- Healthcare remains the most vulnerable.
For HIPAA compliance managers, lawyers, and healthcare practice owners, the message is clear: data security risks remain a key concern, but strategies and costs are changing. To protect patient data and the organization’s sustainability, healthcare leaders must go beyond the basics to address the structural vulnerabilities of today’s digital landscape.
Healthcare: The Primary Target
In 2025, healthcare (including biotech and pharma) accounted for 27% of all cyber incidents—significantly higher than finance (18%) and business services (15%). The motivation for threat actors is purely economic. The report notes that healthcare ransom payments averaged $1,154,245, which is 69% higher than the cross-industry average.
While the number of breaches affecting 500 or more people decreased slightly for the second consecutive year, the impact of those that did occur was tremendous. Ransom demands soared to $98 million in some cases, emphasizing a shift toward aggressive, high-value extortion.
The Vendor Achilles’ Heel: Business Associate Exposure
One of the key insights from the 2026 report is the importance of third parties: vendors (Business Associates) caused 35% of all healthcare incidents. In an era of connected EHRs, cloud-based billing, and remote patient monitoring, a single vulnerability at a service provider can jeopardize dozens—if not hundreds—of covered entities at once.
The report points to significant breaches at vendors such as Conduent, Episource, and Oracle Health (Cerner) as proof that the supply chain is the industry’s biggest weakness. For a healthcare practice owner, this means your security depends on the weakest link in your network.
The Lesson:
Passive vendor management is no longer enough. Healthcare organizations must adopt active monitoring. This includes:
- Inventory Accuracy: Maintaining a comprehensive, living list of all third parties with network access.
- Contractual Rigor: Ensuring Business Associate Agreements (BAAs) include specific incident notification timelines and indemnification clauses.
- Access Control: Implementing “minimal access” policies, ensuring vendors only see the data necessary for their specific function.
AI Brings New Threats and Faster Attacks
2025 marked the year when AI transitioned from a theoretical concern to a practical weapon. The BakerHostetler report highlights a “tipping point” where AI is no longer just improving phishing emails but also driving advanced social engineering and autonomous coordination.
The Rise of “Vibe Hacking” and Agentic AI
Threat actors are now using AI to carry out “vibe hacking”—creating deepfake audio and video so convincing that they can fool even skilled IT professionals into granting access. The report also warns about “agentic AIs”—autonomous programs that work together to find and exploit network vulnerabilities faster than human teams can respond.
This technological advance is reflected in the “dwell time”—the number of days an attacker stays in a network before being detected. In 2023, the average dwell time was 36 days; by 2025, it decreased to just 22 days. Attackers are operating faster and more efficiently, leaving defenders less time to respond.
The Lesson:
If attackers use AI to find vulnerabilities, healthcare organizations should also use AI to find and fix them first. Investing in AI-based threat detection that identifies unusual activity in real time is crucial.
HIPAA Enforcement Trends: The Rise of State Attorneys General
Although the HHS Office for Civil Rights (OCR) remains the main federal enforcer of HIPAA, a significant change in the regulatory landscape is happening. The 2026 report indicates that while OCR might focus more on offering technical assistance, State Attorneys General (AGs) are actively filling the enforcement gap.
Under the HITECH Act, state AGs have the authority to file civil lawsuits for HIPAA violations on behalf of their residents. We are observing a “dual enforcement” environment where a single breach prompts both federal and state investigations.
Notable 2025/2026 State Actions:
- Massachusetts & Connecticut: Fined Comstar LLC $515,000 for a breach affecting over half a million residents.
- New York: Continues to lead with active enforcement, including a $500,000 fine against Orthopedics NY following a massive data breach.
- California: Uses its own healthcare privacy statute, the Confidentiality of Medical Information Act (CMIA), and new AI-specific regulations to scrutinize how healthcare data is handled. Signed by Governor Newsom in September 2025, the Transparency in Frontier Artificial Intelligence Act (TFAIA) joins the list of new state AI laws.
- Iowa: After the BakerHostetler report was released, the Iowa Attorney General sued Change Healthcare, UnitedHealth Group, and Optum over the 2024 ransomware attack that affected 192.7 million Americans, including 2.2 million Iowans.
Furthermore, litigation risk is rising rapidly. Class action lawsuits were filed in 14% of all incidents in 2025, up from 9% the previous year. For large organizations, a lawsuit is now almost guaranteed if even a few individuals are notified.
The Lesson:
Compliance now involves more than just federal standards. Organizations must also monitor state privacy laws and AI transparency regulations, such as those in Colorado, Texas, California, and Illinois. These are only a few examples; many more have been enacted, with additional laws forthcoming.
How Healthcare Organizations Can Prepare and Protect
The BakerHostetler report highlights that although threats change, the basics remain important. Phishing remains the primary cause of incidents, accounting for 30% of breaches. To build a strong organization, focus on the following pillars:
Enterprise-Wide Risk Analysis
A “check-box” risk assessment leaves the organization exposed. Regulators often penalize organizations for not performing a comprehensive risk analysis that covers all electronic protected health information (ePHI), including data on mobile devices, cloud platforms, and legacy systems. This analysis must be a living document that guides your security investments.
Immutable Backups and Encryption
Threat actors are shifting toward “extortion-only” attacks, in which they steal data without necessarily encrypting your systems, because the stolen data alone gives them leverage. Immutable backups ensure that even if your primary data is compromised, your operations can still continue. However, the report indicates that encrypting data at rest is the most effective defense against extortion: if the stolen data is unreadable, the thief has nothing to sell.
Identity-Based Security (MFA and EDR)
As attackers shift focus from malware to identity-based access, Multi-Factor Authentication (MFA) becomes the most effective barrier you can put in place. When paired with Endpoint Detection and Response (EDR) tools, it helps identify “identity theft” within your network.
The “Sanctions Policy” and Training
Technical controls rely entirely on the people using them. The report shows a growing trend of “shortcuts” leading to security breaches. Healthcare staff under pressure often bypass security protocols “to get the job done.” Organizations need to establish and document a clear sanctions policy for team members who violate security rules. Ongoing training and fostering a culture of accountability are the most effective defenses against social engineering.
Conclusion: The Margin of Error is Disappearing
The BakerHostetler 2026 DSIR Report clearly indicates that the healthcare sector remains a major target for global cybercrime. The rise in ransom demands, sophisticated AI threats, and assertive state-level actions leaves no margin for error.
For HIPAA compliance managers and IT professionals, 2026 demands more than just the basics. This involves conducting detailed risk assessments, thoroughly vetting each vendor, and training every staff member to serve as a human firewall.
Cybersecurity is no longer just an IT concern; it is also a clinical and financial priority. Successful organizations will see HIPAA compliance not as a burdensome obstacle, but as a proactive, organization-wide responsibility to protect their patients’ trust.
Key Takeaways:
- Review Vendor Access: When was the last time we audited who has access to our network?
- Test the Incident Response Plan: Have we run a tabletop exercise for an AI-driven “vibe hacking” scenario?
- Monitor State Laws: Are we compliant with the specific privacy and AI transparency laws in the states where our patients reside?
- Prioritize Fundamentals: Is MFA enabled on every entry point, without exception?

