In the fall of 2024, staff at a network of nursing and rehabilitation homes across Ohio and Pennsylvania went to work, unaware that a cybercriminal group had already been inside their systems for weeks. By the time HCF Management discovered the breach, the damage was done. Nearly 70,000 residents had their names, Social Security numbers, medical records, and health insurance information stolen. The ransomware gang RansomHub published 250GB of that data on the dark web, and HCF now faces at least two federal class action lawsuits as a result.
This was not a massive hospital network or a national insurance provider. It was a family of community care facilities, the kind of organization that exists in towns across North America.
Why Nursing Homes? Why Now?
Cybercriminals are strategic. They follow the path of least resistance toward the highest payoff. Nursing homes tick every box on that list.
First, the data. A resident’s file in a long-term care facility contains a complete picture of a person’s life: Social Security numbers, insurance details, medical history, and financial information. On the dark web, that kind of comprehensive profile is worth far more than a stolen credit card number.
Second, the pressure to stay up and running. Unlike a retail business that can go offline for a day, a nursing home cannot. When systems go down, patient safety is immediately at risk. Cybercriminals know this, which is exactly why they use it as leverage.
Third, and most critically: the security gap. Many long-term care facilities operate with limited IT resources, aging infrastructure, and staff who simply haven’t had the time or training to spot a phishing email.
The Numbers Tell a Sobering Story
Healthcare has been the most expensive industry for data breach recovery for 14 consecutive years. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a healthcare data breach sits at $9.77 million, more than double the global average across all industries. For a smaller care facility, even a fraction of that figure can be catastrophic.
HCF is not an outlier. According to the FBI’s 2024 Internet Crime Report, the healthcare sector reported the highest combined total of ransomware and data theft attacks among critical infrastructure sectors in the United States. Long-term care facilities, precisely because they are smaller and less fortified than hospital systems, are increasingly where attackers are looking.

How Attackers Are Getting In
The entry points are often surprisingly simple. Phishing emails that appear to be payroll notifications or software updates are opened by well-meaning staff. Outdated software on nursing stations has known vulnerabilities that haven’t been patched. Remote access tools set up during the pandemic are still running with weak passwords and no multi-factor authentication.
Third-party vendors like billing platforms, pharmacy systems, and electronic health record providers are also a growing entry point. According to Verizon’s 2024 Data Breach Investigations Report, breaches involving a business associate or vendor doubled in a single year. In the HCF breach, attackers were inside the system for more than two weeks before anyone noticed.
What Good Protection Looks Like
If you’re running a long-term care facility, you may feel like the deck is stacked against you when it comes to cybersecurity. The reality is that most attacks succeed because of gaps that are within your control to close.
For nursing homes and long-term care facilities, that means prioritizing regular staff security awareness training, keeping software and systems patched and up to date, enforcing multi-factor authentication on all remote access, and having a tested incident response plan in place before something goes wrong. It also means taking a close look at vendor and third-party access to your systems.
Cybersecurity is an ongoing commitment, and one that directly protects the people in your care.
Ready to assess your facility’s cyber risk?
At Obviam, we work with long-term care organizations to build practical, affordable cybersecurity programs that fit your environment and your team. Contact our team to start the conversation.


