December 5, 2025 | Monica E. Oss
Most data breaches in health and human services are not an accident. That was my takeaway from reading the new analysis (see Health Care Data Breaches Surge To Record Levels In 2024). The analysis reported that hacking constituted nearly 80% of breaches in 2023.
In 2023, the number of reported breaches was a record 725, affecting over 133 million records. But 2024 brought another increase, with 276 million records breached. This record number was largely due to the Change Healthcare incident, which alone compromised 190 million individuals’ data.
The authors of the analysis conclude that these shifts underscore an immediate need for executive teams to adopt advanced cybersecurity measures, such as encryption and two-factor authentication. With the rise in hacking and data theft, strengthening digital defenses has moved from optional to a critical risk management priority.
We got a first-hand look at the effects of a cyberattack on a provider organization during the session What CEOs Should Know About Privacy & Cybersecurity, which took place during The 2025 OPEN MINDS CEO Technology & AI Summit. Chief executive officer (CEO) Frannie Watts spoke about when she discovered her organization, South Central Medical & Resource Center (South Central), a rural federally qualified health center in Oklahoma, was the victim of a cyberattack.
South Central serves three counties covering about 1,800 square miles, with roughly 50 employees and annual revenue of about $6 million. The organization provides primary care, integrated behavioral health, and substance use disorder (SUD) services, with about 70% of primary care consumers receiving integrated behavioral health and/or SUD care—a dependence on consumer trust that is existential for the business.
In late 2024, Watts transitioned from chief operating officer to CEO, in the middle of a financial turnaround and a federal site visit. According to Ms. Watts, cybersecurity “wasn’t even on my radar.”
But when a newly hired fractional chief information officer (CIO) asked to see the organization’s cybersecurity insurance policy, Ms. Watts assumed the policy existed, only to learn from the broker there was “no policy, no history of a policy.” The organization had no coverage for a breach involving the thousands of sensitive behavioral health and SUD records it held.
And, shortly thereafter, South Central was the victim of an attack that compromised a former employee’s email account and sent 7,000 sophisticated phishing emails in 30 seconds.
Fortunately, a forensic review found that no protected health information (PHI) or personally identifiable information (PII) had been exposed. But the operational cost was real: thousands of notification emails, angry questions from partners, and many sleepless nights.
“It was pure luck,” Ms. Watts said bluntly, referring to the fact no personal information was exposed. “I am never going to rely on luck like that again, and I’m hoping that you don’t have to either.”
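The attack described above carries two signals a security team can detect: mail leaving a mailbox that belongs to someone who no longer works at the organization, and a sending rate far above any human baseline. The following is an added example, not code from the article, from OPEN MINDS, or from South Central. The mail-gateway log format, the addresses, the offboarded-account list and the thresholds are all constructed for illustration; a real deployment would read the separated-staff list from the HR system or identity provider and tune the burst threshold to the organization's observed baseline.

```python
"""Flag outbound-mail bursts and sends from offboarded accounts.

Added example, not from the article or South Central. The log format,
field names, thresholds and sample lines are constructed/assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed mail-gateway log lines (timestamp, sender, recipient). Not real data.
SAMPLE_LOG = """\
2024-11-04T09:00:00Z from=ceo@example-clinic.org to=board@example-clinic.org
2024-11-04T09:00:03Z from=jdoe@example-clinic.org to=partner1@example-payer.org
2024-11-04T09:00:04Z from=jdoe@example-clinic.org to=partner2@example-payer.org
2024-11-04T09:00:05Z from=jdoe@example-clinic.org to=county@example-county.gov
2024-11-04T09:00:06Z from=jdoe@example-clinic.org to=nurse@example-clinic.org
2024-11-04T09:00:07Z from=jdoe@example-clinic.org to=intake@example-clinic.org
2024-11-04T09:00:08Z from=jdoe@example-clinic.org to=vendor@example-vendor.com
2024-11-04T09:05:00Z from=frontdesk@example-clinic.org to=patient@example.com
"""

# Constructed: accounts HR has marked as separated. In production this list
# comes from the HR system or identity provider, not a literal in the script.
OFFBOARDED = {"jdoe@example-clinic.org"}

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")


def parse_log(text):
    """Yield (timestamp, sender, recipient) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2).lower(), m.group(3).lower()


def find_bursts(events, max_sends, window):
    """Return {sender: timestamp} for the first event at which a sender has
    more than max_sends messages inside a sliding window. Events must be
    ordered by time. The threshold is illustrative; tune it to baseline."""
    recent = defaultdict(deque)
    hits = {}
    for ts, sender, _ in events:
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:  # drop sends older than the window
            q.popleft()
        if len(q) > max_sends and sender not in hits:
            hits[sender] = ts
    return hits


def find_offboarded_senders(events, offboarded):
    """Return senders seen in the log whose accounts should have been
    disabled at separation (any send from such an account is an alert)."""
    return {sender for _, sender, _ in events if sender in offboarded}


def analyze(text, offboarded=OFFBOARDED, max_sends=5, window=timedelta(seconds=30)):
    """Run both detections over a log and return their results."""
    events = list(parse_log(text))
    return {
        "bursts": find_bursts(events, max_sends, window),
        "offboarded_senders": find_offboarded_senders(events, offboarded),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for sender, ts in result["bursts"].items():
        print(f"ALERT burst: {sender} exceeded threshold at {ts.isoformat()}Z")
    for sender in sorted(result["offboarded_senders"]):
        print(f"ALERT offboarded account still sending: {sender}")
```

Both checks are detections, not substitutes for the controls the article goes on to describe: disabling accounts at separation and requiring MFA remove the conditions that made the attack possible, while a rate alert only shortens the time between the first malicious send and a response.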
And to prepare for the future, the South Central leadership team applied a “treatment plan” mindset to the organization’s cyber health: assess, triage, plan, implement, monitor.
The first step was a thorough assessment of the situation. The assessment uncovered critical gaps: no multifactor authentication (MFA), significant password-sharing (including a printed “password booklet” used by multiple leaders), outdated or missing security policies, and no incident response plan.
Next, the South Central team triaged risks into four categories: immediate, 30-day, 90-day, and ongoing work. Within the first month, leaders bound a $2 million cyber liability policy with incident response support, implemented MFA, and created clear breach response procedures and roles. “Those things cost less than $50,000 annually, but they would have saved us millions in a real breach,” Ms. Watts noted.
Planning and implementation followed the triage phase. South Central built a technical foundation of AI-enabled email security that blocked 97% of phishing attempts in the first quarter after implementation, endpoint detection and response on all devices, and network segmentation to separate clinical from administrative systems. Budgeting followed the same disciplined approach, with what Ms. Watts called “a realistic baseline” of about $40 per user per month for cybersecurity, treated not as a luxury but as core infrastructure, just like a generator or an electronic health record.
Eventually, the organization moved beyond tools to culture: monthly interactive training and simulated phishing campaigns; department “security champions,” including front-desk staff; quarterly risk assessments; and more transparent communication with board and staff about incidents and lessons learned.
Today, success means the CEO and board can breathe a little easier. Staff feel protected enough to report incidents without fear. Consumers see visible evidence indicating their most sensitive information is safe.
For CEOs of community-based specialty and primary care organizations, Ms. Watts’ experience underscores the importance of elevating cybersecurity to the executive suite and instituting proper procedures run by the right people. She advised executives to start with an insurance audit and independent risk assessment in the first 30 days of any leadership transition and make cyber risk a standing board agenda item.
Ms. Watts now knows that in a breach, “the first call is to insurance, not the FBI.” She stressed the value of maintaining breach counsel, incident response partners, and a documented 2 a.m. call tree in place before anything happens.
And managing cybersecurity risks is not always convenient. That may mean saying no to shared email inboxes, tightening electronic health record access to truly confidential behavioral health notes, or putting controls around how staff use tools like ChatGPT. “Sometimes, the cost of being safe is convenience, but that’s how you lead from the top,” she said.
For executives, the strategic implication is clear: budgeting for a fractional CIO or managed security service provider, funding that $40-per-user baseline, and backing visible culture change is far less costly than the estimated $4 million exposure from a 10,000-record breach—and the 18 months of operational disruption and leadership burnout that typically follow.
As Ms. Watts noted, “You don’t need to know how firewalls work, but you should know that you have them, and you should know that you have a backup and recovery plan.”
For more about cybersecurity, check out these resources in the OPEN MINDS Industry Library:
For more on rural communities, mark your calendars on February 12, 2026, at The 2026 OPEN MINDS Performance Management Institute in Clearwater Beach, Florida, for the session, “You Are Not Alone: Management Issues Facing Rural & Frontier Communities,” with Mark Germann, senior vice president of substance use services, and Liz Hill, senior vice president of home and community based services, both at Easterseals PORT Health.
And for more on technology, also join us on February 12, 2026, at The 2026 OPEN MINDS Workforce AI Summit for the session, “Reclaiming Time For Care: AI Documentation That Expands Capacity,” to hear thought leaders, executives, and innovators explore how AI can be harnessed to meet today’s workforce challenges and position your organization for success.