The association says understanding where data lives is necessary to reduce breach exposure across the healthcare system.
The American Hospital Association released the first part of its 2025 healthcare cybersecurity review, reporting that 33 million Americans had their health records compromised in 364 hacking incidents during the year ending October 3, 2025. The report notes that while the figures remain high, they are lower than the previous year, when breaches affected 259 million individuals, largely driven by the Change Healthcare ransomware incident. The AHA said the data shows a persistent pattern of large-scale breaches tied to hacking activity rather than accidental disclosure.
The AHA analysis found that most stolen health information did not originate from hospitals themselves. Instead, the majority came from business associates, non-hospital providers, and health plans, including government programs. Only a small share of hacking incidents involved electronic health record systems directly. The report also indicated that all compromised records were unencrypted, showing that unprotected data remains vulnerable even when perimeter controls are in place. Because protected health information is spread across applications, vendors, cloud platforms, and network-connected medical devices, the AHA said providers must maintain a current inventory of assets, data locations, and third-party relationships to understand their true exposure.
The AHA said organizations cannot protect data effectively without knowing where it resides and how it is accessed. It stressed the need for a continuous process to map data flows, systems, applications, and devices, including medical devices connected to networks. The association also pointed to third-party risk as a major concern, noting that vendors should provide software bills of materials (SBOMs) so providers can identify vulnerable components embedded in applications or devices. The AHA recommended using established frameworks to guide internal risk management efforts and said even baseline controls can reduce a large portion of cyber risk.
In the second part of its 2025 cybersecurity review, the American Hospital Association turns its attention to what happens after an attack begins. The report shows that many of the most disruptive incidents don’t start inside hospitals at all, but at third-party vendors and business associates. When those providers are hit, hospitals feel the impact immediately, from lost access to core systems to interruptions in patient care. The AHA describes this ripple effect as a “ransomware blast radius,” where a single breach can spread disruption across an entire network of healthcare organizations.
The review also challenges how hospitals think about downtime. Too often, the AHA says, cyber resilience is treated as a business or IT issue rather than a clinical one. Part Two urges providers to plan for situations where systems, imaging platforms, or outside services are unavailable for weeks at a time, and to involve clinical teams directly in those plans. The report also notes that while healthcare organizations are using AI to improve detection and defense, attackers are using it to move faster, craft more believable phishing messages, and exploit weaknesses before they can be fixed.
Without a clear view of where data is stored and transmitted, organizations cannot apply controls consistently or assess the impact of a breach.
Providers often share data with many external partners, and security practices vary across vendors, which can increase risk outside hospital systems.
Encryption can keep an incident from becoming a reportable breach: under the HIPAA breach notification rule, protected health information that is encrypted in line with HHS guidance is treated as secured, so its exposure is not presumed to be a breach. That protection holds only if the decryption key was not also compromised, which is why keys must be managed separately from the data they protect.
Software bills of materials let organizations see which components are used in applications and devices, so a newly disclosed vulnerability in a library can be traced to every product that embeds it and addressed more quickly.
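The SBOM recommendation above, and the same point made in the AHA's third-party risk discussion earlier on the page, is only useful if someone actually matches the bill of materials against a vulnerability feed. The following is an added example, not code from the AHA or from any vendor, showing that match for a CycloneDX JSON document. The SBOM (a hypothetical infusion pump and its console), the component names and the advisory records with their `hypothetical-advisory-N` references are all constructed for illustration and describe no real product or vulnerability. It recurses into nested components because device SBOMs commonly list the libraries bundled in a firmware image underneath the firmware entry, and a flat scan would miss them.

```python
"""Match a CycloneDX SBOM against affected-version ranges.

Added example. The SBOM, component names and advisory records below are
constructed for illustration; none of them refer to a real product or a
real advisory.
"""
import json
import re

# Constructed CycloneDX 1.4 document for a hypothetical network-connected
# infusion pump. The libraries the firmware bundles are nested under the
# firmware component, as device SBOMs often do.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "firmware", "name": "pump-firmware", "version": "3.2.0",
     "components": [
       {"type": "library", "name": "tlslib", "version": "1.0.4",
        "purl": "pkg:generic/tlslib@1.0.4"},
       {"type": "library", "name": "jsonparse", "version": "2.1.0",
        "purl": "pkg:generic/jsonparse@2.1.0"}
     ]},
    {"type": "application", "name": "pump-console", "version": "5.0.1",
     "components": [
       {"type": "library", "name": "tlslib", "version": "1.2.0",
        "purl": "pkg:generic/tlslib@1.2.0"}
     ]},
    {"type": "library", "name": "imgcodec", "version": "0.9",
     "purl": "pkg:generic/imgcodec@0.9"}
  ]
}
'''

# Constructed advisory feed. Each record marks the affected versions of a
# component as the half-open range [introduced, fixed). The "ref" values are
# placeholders, not real advisory identifiers.
ADVISORIES = [
    {"name": "tlslib", "introduced": "1.0.0", "fixed": "1.1.0", "ref": "hypothetical-advisory-1"},
    {"name": "imgcodec", "introduced": "0.0", "fixed": "1.0", "ref": "hypothetical-advisory-2"},
    {"name": "jsonparse", "introduced": "2.2.0", "fixed": "2.2.3", "ref": "hypothetical-advisory-3"},
]


def version_key(v):
    """Turn a dotted version string into a comparable tuple of ints.

    Only the leading digits of each field count, so "1.0.4-rc1" compares as
    1.0.4 (conservative: a pre-release is treated as the release it precedes).
    Short versions are zero-padded so "0.9" compares equal to "0.9.0".
    """
    parts = []
    for field in v.split("."):
        m = re.match(r"\d+", field)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested ones."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_affected(sbom_json, advisories):
    """Return one finding per (component, advisory) hit, with the nesting path."""
    sbom = json.loads(sbom_json)
    findings = []
    for path, comp in walk_components(sbom.get("components", [])):
        version = comp.get("version", "0")
        for adv in advisories:
            if comp.get("name") == adv["name"] and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": "/".join(path), "version": version, "ref": adv["ref"]})
    return findings


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['component']} {hit['version']}: {hit['ref']}")
```

Run against the constructed input, the scan reports the nested `tlslib` 1.0.4 inside the firmware image and the top-level `imgcodec` 0.9, while the console's `tlslib` 1.2.0 and the firmware's `jsonparse` 2.1.0 fall outside their ranges. In practice the name match should use the package URL (ecosystem plus name) rather than the bare name, since the same library name can exist in several ecosystems, and any component whose version the comparator cannot parse should be queued for manual review rather than silently skipped.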
Many breaches begin with phishing or misuse of legitimate access, and trained staff are better positioned to recognize and report these attempts before they succeed.