
The cyber siege of private practices: Are you at risk?
Key Takeaways
- Record 3,322 U.S. data compromises in 2025 and 534 healthcare-specific events reflect a shift from “spray-and-pray” to precise, automated targeting of patient-record repositories.
- Fragmented healthcare and professional-services supply chains expand the attack surface; professional-services compromises rose 162% in five years, enabling lateral access into multiple clinical clients.
Data breaches in medical records lead to identity theft and ransomware threats. Don’t let your practice be a victim.
For the modern physician-owner, the "practice of medicine" has long since expanded to include the high-stakes management of digital data. However, the latest industry intelligence suggests that even the most diligent practitioners are fighting an uphill battle. The Identity Theft Resource Center released its 2025 Annual Data Breach Report, and the findings serve as a stark wake-up call for the health care sector. We have entered what the ITRC calls a "State of More": an era defined by more attacks that are more precise, more automated, and significantly more difficult to detect.
In 2025, the U.S. reached a record-breaking 3,322 data compromises, a massive 79% jump over the past five years. While mega-breaches often involve tech giants, the reality for private practice owners is more surgical. Attackers have shifted away from the broad "spray and pray" tactics of the past toward frequent, targeted attacks on high-value data repositories—and few repositories are more valuable than a physician’s patient records.
Health care in the crosshairs
Health care remains one of the most targeted industries in the country. In 2025 alone, the ITRC tracked 534 health care-specific compromises. This high volume of attacks is no accident.
“Health care organizations are targeted because they have a wealth of information about people of all ages and have historically had fewer cybersecurity and data protections, largely due to the vast number of entities in the healthcare supply chain,” says James E. Lee, president of the ITRC, explaining the unique vulnerability of the sector. “The health care supply chain ranges from small medical practices, local billing processors, and labs all the way to large publicly traded companies. That kind of fragmentation means not every organization will have the resources to combat the volume and velocity of attacks aimed at health care.”
Furthermore, the professional services sector—which includes the lawyers, accountants, and billing consultants that private practices rely on—saw the most aggressive growth in attacks over the last five years, jumping 162%. These firms are increasingly used as stepping stones for hackers to access the data of their multiple clinical clients.
The transparency crisis and your liability
One of the most troubling findings in the ITRC report is the collapse of transparency in breach notifications. In 2020, nearly every organization that suffered a breach provided clear details on how it happened. By the end of 2025, that figure had plummeted to just 30%. When organizations withhold the root cause of an attack to mitigate their own legal risk, they leave other businesses—like your practice—operating in the dark.
This lack of transparency is particularly dangerous because, as a physician-owner, you are legally responsible for the data you entrust to others. Peter Reilly, North American Healthcare Practice Leader at HUB International, dismisses the common misconception that outsourcing data storage mitigates liability:
“The vendor risk piece is often ignored or misunderstood,” Reilly says. “Some physicians believe that if records are in the cloud, they’re no longer responsible. That is simply wrong.”
Reilly warns that physicians must understand the regulations in their jurisdiction regarding record ownership, noting that “assuming having a vendor relieves you of duty can lead to a rude awakening after a breach.” He recommends that practices utilize privacy counsel to review vendor contracts to include language protecting the practice if the vendor is responsible for a breach.
The AI revolution: A new class of threat
The 2025 report also highlights the role of artificial intelligence in weaponizing stolen data. Erik Littlejohn, CEO of Cloudwave, noted in a blog post that cybercriminals are now operationalizing AI to automate reconnaissance and bypass traditional signature-based identity controls. These AI-powered attacks can adapt dynamically to avoid detection, making them far more effective than the static defenses of the past.
This has led to a rise in “previously compromised data.” Hackers are using AI to repackage and recirculate old stolen records to launch new account takeover attacks. For a private practice, this means an attacker could use data stolen from a completely unrelated breach years ago to impersonate a patient or a vendor today, gaining access to your internal systems. Littlejohn warns that in 2026, the speed of AI-enhanced attacks will outpace human-led detection capabilities, requiring a shift toward autonomous, AI-powered security solutions.
The front door: Email security priorities for 2026
In the modern clinical environment, email is the "front door" of your practice and the easiest entry point for attackers. Phishing and impersonation remain effective because they use familiar details—patient names, insurance carriers, or pharmacy communications—to trick staff. Dawn Halpin,
To protect your practice in 2026, Halpin outlines five essential email security priorities:
- True Encryption for All PHI: Halpin notes that many practices mistakenly assume their email provider encrypts everything by default. Ensure your system uses modern Transport Layer Security standards. Keep in mind that TLS protects a message only while it travels between mail servers, and only when both servers support it, so confirm that your provider enforces it rather than silently falling back to cleartext delivery. Remember that Protected Health Information is not just lab results; it includes routine scheduling, billing questions, or any message linking a patient’s name to their provider.
- Fixing Misconfigurations: Most health care breaches are caused by simple errors, such as outdated Multi-Factor Authentication settings or old vendor integrations that remain connected. Notably, Halpin points out that 16% of health care email breaches involve third-party business associates or service providers.
- Automating Defenses: Don't rely solely on employees to spot phishing. Halpin recommends using systems that automatically evaluate inbound messages, detect forged senders, and remove dangerous attachments before they ever reach an inbox.
- Counteracting AI-Powered Targeting: Since AI can now imitate patient language and staff writing styles, practices should strengthen authentication and limit how many systems rely solely on passwords.
- Prioritizing Resilience Over Tools: Adding more software doesn't automatically create security; resilience does. Halpin emphasizes that a resilient posture focuses on fast detection, containing issues before they spread, and having clear processes to restore normal operations.
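As an added illustration of the automated checks described above (not code from the article, from Halpin, or from any vendor it quotes), the following Python script triages inbound email headers for the signs of a forged or impersonated sender: failed SPF/DKIM/DMARC verdicts, a display name or lookalike domain that mimics a trusted partner, a Reply-To pointing elsewhere, a dangerous attachment type, and a final hop delivered without TLS. The trusted-domain list, the domain names and both sample messages are constructed for illustration and are not real practices or vendors.

```python
"""Triage inbound email headers for signs of sender forgery or impersonation.

Added example; uses only the standard library. Domains, headers and the
trusted-partner list below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: domains the practice legitimately exchanges mail with.
TRUSTED_DOMAINS = sorted({"examplelab.test", "examplepharmacy.test"})
# Attachment types that should never reach a clinical inbox unscanned.
DANGEROUS_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk")


def _auth_results(msg):
    """Collect the receiving server's verdicts, e.g. {'spf': 'pass', 'dmarc': 'fail'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def _edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _looks_like(domain, trusted):
    """True when the first label of `domain` is a near miss of the trusted label."""
    a, b = domain.split(".")[0], trusted.split(".")[0]
    return a != b and _edit_distance(a, b) <= 2


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw):
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Forged sender: trust the MX's own SPF/DKIM/DMARC evaluation, not the From line.
    auth = _auth_results(msg)
    if auth.get("dmarc") == "fail" or (auth.get("spf") == "fail" and auth.get("dkim") != "pass"):
        findings.append("sender authentication failed")
    if not auth:
        findings.append("no authentication results recorded")

    # 2. Impersonation: display name or lookalike domain that mimics a trusted partner.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        name_mentions_brand = brand in from_name.lower().replace(" ", "")
        if from_domain != trusted and (name_mentions_brand or _looks_like(from_domain, trusted)):
            findings.append(f"display name or domain mimics {trusted}")
            break

    # 3. Replies silently redirected to a domain other than the apparent sender's.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # 4. Executable or script attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"dangerous attachment {name}")

    # 5. Transport check: the newest Received header records whether the last hop used TLS
    #    (Postfix/Sendmail write "with ESMTPS" for a TLS session, "with ESMTP" for cleartext).
    received = msg.get_all("Received", [])
    if received and "ESMTPS" not in received[0]:
        findings.append("final hop delivered without TLS")
    return findings


# Constructed sample: a legitimate lab result notification.
CLEAN_MESSAGE = """\
Received: from mail.examplelab.test (mail.examplelab.test [192.0.2.10]) by mx.practice.test with ESMTPS id abc123
Authentication-Results: mx.practice.test; spf=pass smtp.mailfrom=examplelab.test; dkim=pass header.d=examplelab.test; dmarc=pass header.from=examplelab.test
From: Example Lab <results@examplelab.test>
To: frontdesk@practice.test
Subject: Lab results ready
Content-Type: text/plain

Results for your patient are available in the portal.
"""

# Constructed sample: a vendor-impersonation phish with a lookalike domain and script attachment.
PHISH_MESSAGE = """\
Received: from mail.exarnplelab.test (unknown [198.51.100.7]) by mx.practice.test with ESMTP id def456
Authentication-Results: mx.practice.test; spf=fail smtp.mailfrom=exarnplelab.test; dkim=none; dmarc=fail header.from=exarnplelab.test
From: Example Lab Billing <billing@exarnplelab.test>
Reply-To: billing-desk@mailbox.test
To: frontdesk@practice.test
Subject: Overdue invoice - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"

alert(1)
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, triage(raw))
```

The script is deliberately conservative: it reports on the mail server's own authentication verdicts rather than re-evaluating SPF or DKIM itself, and it flags a domain as a lookalike only when it is a near miss of a partner the practice already knows. A real gateway would also quarantine rather than merely report, and would maintain the trusted-domain list from the practice's vendor contracts.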
Strategic steps for the physician-owner
The battle against cybercrime is evolving, and it is not a fight any practice can win alone. Lee of the ITRC provides two critical recommendations for practitioners looking to safeguard their patient data:
“There are two very important actions a practitioner can take right now: 1) Ensure every staff member receives routine training on what good security practices look like and information on the latest scams where criminals try to get an employee to give up patient or practice business information. And 2) invest in a cybersecurity vendor that can help practitioners ensure they are protected from a technology perspective and who can advise them on the right data processes and policies to keep their patient, employee, and practice data safe”.
Beyond training and external expertise, practice owners should consider implementing a Zero Trust security model. This approach assumes that threats could exist both outside and inside your network, requiring constant verification of every user and device attempting to access data. Additionally, owners should look into Managed Detection and Response services and 24/7 Security Operations Center oversight to provide continuous monitoring that small internal IT teams often cannot manage.
Finally, do not overlook the value of Cyber Liability Insurance.
From risk to informed resilience
The findings of the 2025 ITRC Data Breach Report are a wake-up call, not a cause for alarm. While the scale of the challenge is immense, practitioners are not powerless. The shift from "simple identity theft" to "pervasive identity fraud" means that "vague contractual assurances" of security from vendors are now a significant liability.
By moving from a reactive posture to one of informed resilience, you can protect your patients' identities, your practice's finances, and the sacred trust that sits at the heart of the physician-patient relationship. The "state of more" requires more from practice owners, but with the right combination of staff training, expert partnerships, and automated defenses, your practice can remain a safe haven for patient care in an increasingly digital world.