Health Data Breaches Are A “New Kind of Medical Harm”
As cyberattacks on healthcare systems grow in scale and severity, they can’t be seen as a simple IT matter. With breaches involving sensitive patient data carrying consequences that are deeply personal and often irreversible, Ty Greenhalgh, Healthcare Industry Principal at Claroty, argues it’s time they were recognised as clinical harm.
We discuss the impact of these attacks, and how healthcare organisations can defend against them.
Q1: Why should cyberattacks on patient data be considered a form of clinical harm?
In healthcare, we’ve always understood clinical harm to mean a physical or psychological injury caused by medical intervention, or lack of it. That’s traditionally meant something like a surgical error or a medication mistake.
But with cybercriminals continuously threatening healthcare providers and their patients, we have to expand that definition. When sensitive patient data is stolen and leaked, it can cause long-lasting emotional trauma, loss of trust, and in some cases, even suicide.
Take the breach of the Vastaamo mental health clinic in Finland, where a callous hacker threatened to release patients’ therapy notes unless ransoms were paid. Some victims were so traumatised, they ended their lives.
That’s not just an IT problem or theoretical harm; it’s a clinical outcome with real and irreversible damage.
We need to recognise that these aren’t just data breaches, but clinical events. If a patient dies because of a delayed surgery caused by ransomware, or suffers psychological harm from a privacy violation, then cybersecurity has failed in the same way as any other part of the clinical process.
Q2: What makes health data so uniquely vulnerable – and dangerous when exposed?
We unfortunately live in a world where data breaches are a constant possibility – just recently, I was called by an especially brazen scammer impersonating my bank. But while all breaches are harmful, healthcare is on another level.
Health data isn’t like financial or retail data; it’s deeply personal, permanent, and often emotionally charged. You can cancel a credit card and hopefully untangle and be reimbursed for fraudulent payments, but you can’t undo sensitive or embarrassing information that’s now public.
These records capture people at their most vulnerable: mental health diagnoses, addiction histories, sexual health, reproductive choices, and more. Once exposed, that information can’t be undone. There’s no way to “reset” your trauma or redact your truth.
Continued digitalisation also means cyber attackers have more opportunities than ever to get their hands on this data. Projects like the private healthcare tracking system recently proposed in the US are making data more available – and vulnerable.
What makes this even more dangerous is that the most cold-hearted cyber attackers are specifically setting out to inflict trauma with this data.
They’re not just encrypting it and demanding payment – they’re purposefully exposing it. Leaking therapy notes or HIV statuses isn’t just about money anymore; it’s about humiliation, coercion, and control. We’ve seen this recently with the allegations around healthcare breaches relating to Hillary Clinton. When it comes to disinformation, whether or not the claims are true, the damage is done, especially when a person’s reputation or safety is on the line.
This kind of harm is unique to healthcare, and that’s why health data protection has to be treated with the same urgency as infection control or surgical hygiene. It’s a matter of human safety.
Q3: What are the top attack vectors facing healthcare systems today, and why are they so hard to defend against?
The kinds of attacks we see hitting healthcare aren’t too different from most other sectors – the difference is the uniquely complex and vulnerable nature of healthcare itself.
Phishing is still the most common entry point, with attackers typically tricking staff or vendors into giving up credentials or clicking malicious links. It only takes one mistake for threat actors to gain a foothold.
Next are internet-facing devices with known vulnerabilities – those systems that may be unpatched or poorly configured. These present an easy attack path into the network.
Finally, third-party access is a major blind spot, and one that healthcare is especially vulnerable to. Hospitals rely on an ecosystem of vendors, suppliers, and outsourced support teams, all with varying levels of security. If you don’t monitor those connections closely, attackers can use them to waltz right in.
What makes defending against these threats especially difficult is the nature of healthcare itself. You can’t just install antivirus software on the average ventilator or MRI machine because these devices run on proprietary protocols and can’t be taken offline for regular patching.
As we’ve seen over and over again, ransomware is especially dangerous because frontline healthcare is so dependent on uptime for patient care. If ransomware hits, hospitals may have no choice but to shut down some systems to stop the spread, but that also shuts down care.
Unlike most other sectors, cybersecurity in this context isn’t about SLAs or financial bottom lines; it’s about making sure patients can be treated safely and without interruption.
Q4: How can healthcare shift cyber into being a patient safety issue?
I think the awareness is certainly there; we just need to work on making it more systematic to improve patient security. There are three main priorities I’d recommend.
First, governance. Cybersecurity must be tied to leadership, with governance at the executive level. There needs to be clear accountability and feedback loops that connect cyber risk to real-world harm, providing visibility into how it directly impacts patient outcomes.
Second, visibility. You can’t protect what you don’t know about, and many hospitals still lack a complete inventory of their assets. Healthcare environments typically have a mix of older legacy systems running on operational technology and new connected medical devices, and both of these can be hard to manage and secure with standard IT tools.
And third, manage third-party risk. Most healthcare providers are heavily reliant on a web of third-party providers, and these can often be a weak link specifically targeted by threat actors. Vendors and partners need to be held to the same security standards as internal teams, because they’re often the weakest link.
The right support from governmental bodies and regulators can make all the difference here too. We don’t need blanket penalties or a one-size-fits-all approach.
What we need is thoughtful guidance in the form of a maturity model, like NIST CSF, that allows each organisation to progress at its own pace. We don’t need a stick; we need a journey, with carrots. Ultimately, cybersecurity isn’t just about protecting data. It’s about protecting people.
Ty Greenhalgh is the Industry Principal at Claroty
Image: Unsplash