What do hackers, patient scams, and IT help desks with too much trust have in common? They’re all making healthcare cybersecurity a lot messier—and a lot more vomit-worthy. In this episode, we dive into how bad actors are not only stealing data but turning patients into direct targets. From sneaky social engineering tactics to “I can’t believe they answered that call” level IT fails, we explore why locking down your network is only half the battle.
In this episode:
Shore Up or Throw Up – Healthcare’s Latest Cyber Warnings – Ep 521
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Shore Up or Throw Up – Healthcare’s Latest Cyber Warnings
[01:10] HIPAA Settlement – OCR and Syracuse ASC Resolution Agreement
$250,000 settlement with a 2-year Corrective Action Plan
On October 14, 2021, OCR received a breach notification report from Syracuse reporting that from March 14, 2021, through March 31, 2021, a threat actor gained access to its network and the electronic protected health information (ePHI) of its patients. Syracuse reported that the breach affected 24,891 individuals who were current and former patients of its practice and included patient names, dates of birth, Social Security numbers, financial information, and clinical treatment information.
HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
A. Syracuse failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to ePHI held by Syracuse. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
B. Syracuse failed to provide notification to the individuals affected by the breach in a timely manner. See 45 C.F.R. § 164.404(b).
C. Syracuse failed to provide notification to the Secretary in a timely manner. See 45 C.F.R. § 164.408(b).
======
Nothing screams not paying attention like failing to notify even HHS in a timely manner.
The simple stuff shouldn’t be where the failure comes from in your program.
Shore up defenses against Interlock malware now, say FBI and HHS | Healthcare IT News
In May 2025, the Interlock ransomware group orchestrated a massive cyberattack on Kettering Health in Ohio, crippling its IT systems and halting patient services and elective procedures across 120+ facilities. The group claimed theft of nearly 941 GB of sensitive data. In the aftermath, patients were targeted by scam calls, prompting the health system to suspend payment-related calls and notify the community of the potential data breach. In response to rising Interlock activity, federal agencies—including the FBI, HHS, and CISA—issued a joint July 2025 advisory warning organizations across sectors about Interlock’s unconventional entry tactics and aggressive double-extortion strategy, and providing clear defensive measures to help mitigate this escalating threat.
Going after patients is the part we all fear the most.
[26:07] For IT folks out there, here is your vomit part:
Clorox is suing its IT help-desk provider, Cognizant, for $380 million, claiming that basic security failures enabled a massive ransomware attack in August 2023. According to the lawsuit, hackers—believed to be the Scattered Spider group—simply called the help desk, impersonated employees, and were handed passwords and had their MFA reset with no real verification. This social engineering trick let them breach Clorox’s systems, causing major operational shutdowns and financial losses.
Clorox says Cognizant didn’t follow even basic identity checks, and then mishandled the response, compounding the damage. Cognizant denies fault, saying they only managed help-desk services—not cybersecurity overall.
This attack didn’t require malware or zero-day exploits—just a phone call and human error. That’s what makes it terrifying: it exposes how outsourced or under-trained support staff can become the weakest link in an organization’s defense, and how attackers are increasingly relying on low-tech social engineering over high-tech hacking to pull off major breaches.
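The control that was reportedly missing in the Clorox/Cognizant case is a help desk that verifies who is calling before it hands out a password or resets MFA. The block below is an added example written for these show notes, not code from the podcast, from Clorox, or from any help-desk vendor: it expresses such a verification policy as code, so the bar a caller must clear is fixed in advance rather than left to whoever picks up the phone. The evidence types, the number of factors required per action, and the "privileged account" rule are all assumptions chosen to illustrate the idea; an MFA reset demands more proof than a password reset, privileged accounts need the manager of record to approve, and knowledge-based questions never count on their own because their answers are often in the same breached data the attacker already holds.

```python
"""Help-desk reset policy as code (added example; names and thresholds are assumptions).

A caller's claim of identity is worth nothing by itself. Each request carries
the verification evidence the agent actually collected, and the policy decides.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_RESET = "mfa_reset"


class Evidence(Enum):
    # Agent hangs up and calls the number HR has on file for the account owner.
    CALLBACK_TO_REGISTERED_NUMBER = "callback"
    # Manager of record approved the request through a channel the caller does not control.
    MANAGER_APPROVAL = "manager_approval"
    # Live video with badge or government ID compared against the HR record.
    LIVE_ID_CHECK = "live_id_check"
    # "What is your employee ID / start date?" Weak: answers leak in earlier breaches.
    KNOWLEDGE_QUESTIONS = "knowledge_questions"


@dataclass(frozen=True)
class ResetRequest:
    username: str
    action: Action
    privileged: bool = False                      # admin, finance, EHR super-user, etc.
    evidence: frozenset[Evidence] = frozenset()
    caller_claims_urgency: bool = False           # "I'm locked out and the CFO is waiting"


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)   # why it was denied
    flags: list[str] = field(default_factory=list)     # social-engineering signals for the log


# Only these count toward the threshold; knowledge questions are deliberately excluded.
STRONG_EVIDENCE = {
    Evidence.CALLBACK_TO_REGISTERED_NUMBER,
    Evidence.MANAGER_APPROVAL,
    Evidence.LIVE_ID_CHECK,
}

# Minimum number of strong factors per action (assumed policy values).
REQUIRED_STRONG = {
    Action.PASSWORD_RESET: 1,
    Action.MFA_RESET: 2,   # an MFA reset is an MFA bypass; it must cost more
}


def evaluate(req: ResetRequest) -> Decision:
    """Apply the policy to one request. Returns a Decision with audit reasons."""
    decision = Decision(allowed=False)
    strong = req.evidence & STRONG_EVIDENCE
    needed = REQUIRED_STRONG[req.action]

    if req.privileged:
        needed += 1
        if Evidence.MANAGER_APPROVAL not in req.evidence:
            decision.reasons.append("privileged account: manager approval is mandatory")

    if len(strong) < needed:
        decision.reasons.append(
            f"{req.action.value} needs {needed} strong factor(s), got {len(strong)}"
        )

    if Evidence.KNOWLEDGE_QUESTIONS in req.evidence and not strong:
        decision.reasons.append("knowledge questions alone are not identity verification")

    # Urgency is the classic pressure tactic. It never lowers the bar; it is recorded
    # so reviewers can spot a pattern of pushy callers against one account.
    if req.caller_claims_urgency:
        decision.flags.append("caller applied urgency pressure")

    decision.allowed = not decision.reasons
    return decision


def audit_record(req: ResetRequest, decision: Decision) -> dict:
    """Structured record for every request, allowed or denied, for the SOC to review."""
    return {
        "user": req.username,
        "action": req.action.value,
        "privileged": req.privileged,
        "evidence": sorted(e.value for e in req.evidence),
        "allowed": decision.allowed,
        "reasons": decision.reasons,
        "flags": decision.flags,
    }


if __name__ == "__main__":
    # Constructed sample: the shape of the reported Clorox call, then a compliant one.
    bare_call = ResetRequest("j.smith", Action.MFA_RESET, caller_claims_urgency=True)
    verified = ResetRequest(
        "j.smith", Action.MFA_RESET,
        evidence=frozenset({Evidence.CALLBACK_TO_REGISTERED_NUMBER, Evidence.MANAGER_APPROVAL}),
    )
    for r in (bare_call, verified):
        print(audit_record(r, evaluate(r)))
```

The point of the `audit_record` is the second half of the Clorox complaint: every reset attempt, including the ones that are refused, should land somewhere the security team can see, because a string of denied MFA resets against one account is itself an indicator that someone is working the help desk.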
Whether it’s OCR knocking with an expensive reminder to follow the rules, or cybercriminals sliding into your network with ransomware and a mailing list, the message is loud and clear: healthcare orgs can’t afford to wing it anymore. Between missed notifications, fake billing calls, and help desks doing more harm than help, it’s time to stop hoping for the best and start preparing for the worst. Because when it comes to security, you’re either shored up—or throwing up.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.