Paubox Weekly Fully Automated - A HIPAA compliant email security Podcast

FBI names healthcare the most targeted sector for ransomware

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 4:33
In this episode, we break down the FBI's latest Internet Crime Report naming healthcare as the top ransomware target, OCR's four new HIPAA settlements totaling over $1 million, and the Medtronic data extortion incident affecting millions of records. We also examine findings from Paubox's Healthcare Email Security Maturity Index, which reveals critical gaps in AI-based defenses despite rising AI-driven attacks, and discuss what these trends mean for your organization's security posture.
SPEAKER_00

You're listening to Pow Box Weekly, fully automated.

SPEAKER_01

And I'm Jen. I read breach reports, so you don't have to. Well, actually, you still have to. Sorry.

SPEAKER_00

I'm Alex, healthcare IT guy who keeps hoping one week the news will be boring. This is not that week. Is it ever? Fair point. So let's start with the FBI's annual internet crime report. Healthcare is officially the most targeted sector for ransomware in 2025. Number one. We're number one.

SPEAKER_01

Not the trophy anyone wanted. But not surprising either. The logic is simple: attackers go where the pain is highest. Hospitals can't just pause. Every hour of downtime is patient care on the line. That pressure makes people pay. And it wasn't just ransomware.

SPEAKER_00

Business email compromise was actually the most damaging attack type overall. Which tracks.

SPEAKER_01

BEC doesn't need malware, it needs one person to trust the wrong email. And in healthcare, where coordination happens constantly over email, it's a rich target.

SPEAKER_00

So the takeaway here: ransomware gets the headlines, but email compromise is quietly draining accounts. Both deserve your attention. Neither is going away. Speaking of ransomware, OCR just announced four HIPAA settlements, all tied to ransomware incidents. Over 427,000 individuals affected.

SPEAKER_01

And the settlements totaled $1.165 million, which, honestly, for four organizations, that's not catastrophic. But it's the principle.

SPEAKER_00

OCR Director Paula Stannard made the point clearly. Implementing the security rule before a breach isn't just the law. It's your best shot at preventing or surviving an attack. Right.

SPEAKER_01

These weren't fines for getting hit. They were fines for not being ready.

SPEAKER_00

Risk analysis, access controls, the basics. The unsexy stuff that saves you. Meanwhile, Medtronic confirmed a cyber attack this week. Shiny Hunters, the group behind it, claims they stole over 9 million records. And they're doing the classic extortion play. Pay up or we publish. This is the shift we keep seeing. It's not just encrypt and ransom anymore, it's steal and threaten. Which changes the calculus.

SPEAKER_01

Even if you have backups, even if you can recover, your data is still out there. That's the leverage now.

SPEAKER_00

So what's the defense?

SPEAKER_01

Layers. Encryption. Segmentation. Monitoring for exfiltration, not just malware. And honestly, assume breach. Plan for what happens when, not if, someone gets in.

SPEAKER_00

Let's talk about Powbox's new report, the Healthcare Email Security Maturity Index.

SPEAKER_01

This one's a gut check. They surveyed 170 healthcare IT leaders across eight dimensions of email security. And the numbers are sobering. 58% of organizations were breached through email in the last two years. 64% have been hit by an AI-generated email attack.

SPEAKER_00

But only 38% have AI-based defenses fully deployed and monitored.

SPEAKER_01

So the attackers are using AI, and most defenders aren't keeping up.

SPEAKER_00

The report maps organizations into maturity tiers. It's a good benchmark if you want to see where you stand. Links in the newsletter. And finally, Absolute Dental, a Nevada-based practice, just agreed to a $3.3 million class action settlement after a breach earlier this year.

SPEAKER_01

Million-dollar lawsuits are becoming routine. That's not an exaggeration. We've seen it over and over.

SPEAKER_00

And it's not just the fine. It's legal fees, its reputation, its years of fallout.

SPEAKER_01

The breach itself is just day one. The cost curve keeps climbing long after.

SPEAKER_00

So let's bring it together. FBI says healthcare is the top target. OCR is settling ransomware cases left and right. Most organizations aren't ready for AI-driven attacks, and lawsuits are stacking up.

SPEAKER_01

And the through line isn't bad luck. It's bad configurations, blind spots, gaps that were fixable before they became expensive.

SPEAKER_00

Risk assessments that didn't happen. Defenses that weren't deployed.

SPEAKER_01

The good news? Most of this is preventable. Not all of it, but most.

SPEAKER_00

That's the work.

SPEAKER_01

That's always the work. Thanks for listening, everyone. Stay safe out there. And check your email security settings. Seriously.