Breach Notices Expose the Real Cybersecurity Gap

Two recent breach disclosures from Revere Health and Health Management Systems of America underline an uncomfortable reality in healthcare cybersecurity. The industry is not losing data because attackers are uniquely inventive. The industry is losing time, clarity, and control because too many organizations still cannot answer basic operational questions fast enough: which systems touched protected health information, which vendors sat in the path, and which controls were actually enforced.
The stories differ in scope and timing, but they converge on the same structural weakness. Healthcare remains overexposed at the seams, where payments, email, and third-party services connect to clinical operations. Those seams are now the front door.
Two breaches, two familiar entry points
The Revere Health incident stems from unauthorized access to a third-party service used to process patient and payer payments. The organization discloses that affected information could include names, dates of birth, addresses, medical account or record numbers, billing or insurance information, partial Social Security numbers, and in some cases financial account information. It also states there is no evidence data was downloaded or misused, although viewing cannot be ruled out, and it is offering credit monitoring through LifeLock. The details are laid out in Revere Health’s public notice about the payment platform breach.
On the federal side, the same event appears inside the HHS Office for Civil Rights breach portal as a report for “Revere Health, PC” affecting 10,800 individuals, submitted October 2, 2025, categorized as a hacking or IT incident with the location of breached information listed as a network server. That classification may be accurate, incomplete, or simply a function of reporting taxonomy, but it illustrates an important point. External stakeholders often have to reconcile multiple descriptions of the same incident, and those gaps can become reputational risk when trust is already strained.
The Health Management Systems of America (HMSA) disclosure, reported by HIPAA Journal, involves a spear phishing-driven compromise of an employee email account, with the organization retaining digital forensics support and still reviewing what information was involved. The substitute notice reportedly does not yet specify the data types, and the number of affected individuals is unclear. In parallel, the organization’s own materials describe a national behavioral health management footprint, including managed behavioral health services and corporate operations based in Detroit.
In isolation, neither scenario is novel. Taken together, they show that healthcare’s most persistent failures are not exotic zero-days. They are predictable failures of vendor governance and identity security.
Third parties now define the attack surface
Payment ecosystems have become a dense mesh of processors, portals, and integrations. When an organization relies on a third-party service to process payments, the threat surface expands beyond clinical systems into financial workflows that still touch protected health information. Revere Health’s notice indicates that payment processing infrastructure held enough patient-linked data to trigger credit monitoring and identity theft protection offers, which should end any lingering belief that “billing systems” sit safely outside clinical risk.
The policy framework already anticipates this. The HHS Breach Notification Rule makes clear that covered entities and business associates have defined obligations when unsecured protected health information is breached, and that breach determinations hinge on risk assessment factors that include whether information was actually acquired or viewed. That matters in incidents like Revere Health’s, where download was not confirmed but viewing could not be ruled out.
What is missing in many organizations is the operational readiness to manage vendors with the same rigor as internal systems. That means contract structures that require timely incident notice, technical architectures that reduce the data available to any one workflow, and testing regimes that validate controls rather than assuming them.
Email compromise is a clinical risk, not an IT nuisance
The Health Management Systems of America incident highlights another recurring failure. Spear phishing remains one of the highest yield paths into healthcare because credential compromise is still too easy and too durable. Once an email account is compromised, exposure is rarely limited to a single mailbox. Emails are full of attachments, forwarded messages, care coordination updates, eligibility files, and benefit administration details, all of which can become regulated data depending on context.
Federal guidance has been blunt for years about what actually works. The HHS 405(d) program has repeatedly emphasized phishing as a top threat and outlines concrete mitigation practices in its threat resources, including email protection, access management, and workforce training. The 405(d) phishing materials are particularly relevant to the HMSA pattern, where a single successful spear phishing message can lead to prolonged exposure and a slow, expensive data review.
The control that most consistently changes outcomes is stronger authentication. NIST guidance on multi-factor authentication and CISA’s phishing-resistant MFA recommendations both point in the same direction. Credential theft remains common, so identity assurance must be strengthened where email and remote access intersect with regulated data. In healthcare, that is not merely a cybersecurity best practice. It is patient safety protection, because email compromise can disrupt referral pathways, expose sensitive diagnoses, and degrade trust in care communications.
Breach notification has become a credibility test
Breach notification is often treated as a compliance exercise, but it is increasingly a credibility test for leadership. The HHS Breach Notification Rule sets expectations for timeliness and content, including that notices should be provided without unreasonable delay and no later than 60 days following discovery of a breach, with defined pathways for substitute notice when contact information is insufficient.
Yet healthcare breach timelines frequently stretch because the hardest work happens after the intrusion. Forensics must determine what data was accessed, data mapping must connect records to individuals, and teams must reconcile what the law requires with what the organization can confidently say. The HMSA scenario, where the notice reportedly does not yet specify data elements and the affected count is unclear, is a familiar manifestation of that gap.
This lag is not always the result of poor intent. It is often the result of poor preparation. Organizations that do not maintain accurate inventories of systems, datasets, and vendor data flows end up doing those inventories under incident pressure, with legal risk rising every day the facts remain incomplete.
What changes as HIPAA security expectations tighten
The broader regulatory context is moving toward less flexibility and more specificity. The HHS OCR fact sheet on the HIPAA Security Rule NPRM and the Federal Register posting of the proposed Security Rule updates underscore an emphasis on stronger cybersecurity baselines that align with modern threat conditions.
This shift is already playing out in the public debate. Reporting from outlets including Reuters has highlighted that the proposed changes would harden requirements around practices such as encryption, authentication, risk analysis, and vendor oversight, while also drawing pushback from provider organizations concerned about cost and implementation burden. The tension is real, especially for smaller and midsize providers. But the operational lesson from Revere Health and Health Management Systems of America is that the status quo also carries a measurable price: incident response costs, downtime risk, patient trust erosion, and long-tail exposure from partial identifiers that enable identity fraud.
The real KPI is time to truth
Healthcare cybersecurity is often framed as prevention versus response. The more actionable framing is time to truth: how quickly an organization can determine what happened, what data was exposed, which patients are affected, and which controls failed. Revere Health’s notice shows a relatively defined data set and a clear vendor context. The HMSA disclosure reflects the opposite condition: a prolonged review where basic exposure details remain unsettled.
Time to truth is not achieved through a single tool purchase. It is built through asset and data inventories, vendor risk governance that is technically enforced, and identity controls that reduce the likelihood that a single compromised credential becomes an enterprise-wide incident. Until those fundamentals are operationalized, healthcare will continue to publish breach notices that function less like transparency and more like evidence of how difficult it remains to see the full system.
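As an added illustration, not code from the article or from either organization, of what a "time to truth" inventory has to answer: given a constructed system and data-flow inventory, the block below reports which systems and vendors sat in the path of a compromised node, which data elements were reachable there, which controls were assumed rather than enforced, and the 60-day outer notification deadline counted from discovery. The system names, the vendor name, the data elements and the dates are all assumptions.

```python
# Added example, not from the article; every name, data element and date is constructed.
from collections import deque
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass
class System:
    name: str
    owner: str          # "internal" or the vendor operating it
    holds: frozenset    # PHI / identifier elements stored on this system
    controls: dict      # control name -> True if enforced, False if only assumed
class Inventory:
    def __init__(self, systems, flows):
        self.systems = {s.name: s for s in systems}
        self.flows = flows  # (src, dst, frozenset of elements) tuples: the seams

    def upstream(self, node):
        # BFS over reversed flows: every system whose data reaches `node`
        seen, queue = set(), deque([node])
        while queue:
            cur = queue.popleft()
            for src, dst, _ in self.flows:
                if dst == cur and src not in seen:
                    seen.add(src)
                    queue.append(src)
        return seen

    def impact(self, compromised, discovered_iso):
        # Path, reachable data, controls assumed rather than enforced, 60-day outer deadline
        target = self.systems[compromised]
        in_path = self.upstream(compromised)
        exposed = set(target.holds).union(*(els for s, d, els in self.flows if compromised in (s, d)))
        owners = {self.systems[n].owner for n in in_path | {compromised}}
        deadline = date.fromisoformat(discovered_iso) + timedelta(days=60)
        return {"systems_in_path": sorted(in_path),
                "vendors_in_path": sorted(owners - {"internal"}),
                "exposed_elements": sorted(exposed),
                "controls_not_enforced": sorted(c for c, ok in target.controls.items() if not ok),
                "notice_deadline": deadline.isoformat()}

# Constructed inventory: EHR -> billing -> vendor payment portal, and EHR -> staff email.
INVENTORY = Inventory(
    [System("ehr", "internal", frozenset({"name", "dob", "mrn", "diagnosis"}), {"mfa": True}),
     System("billing", "internal", frozenset({"name", "insurance_id", "partial_ssn"}), {"mfa": True}),
     System("payment_portal", "ExamplePayVendor", frozenset({"financial_account"}),
            {"mfa": True, "data_minimization": False}),
     System("staff_mail", "internal", frozenset({"care_notes"}), {"phishing_resistant_mfa": False})],
    [("ehr", "billing", frozenset({"name", "dob", "mrn"})),
     ("billing", "payment_portal", frozenset({"name", "dob", "address", "mrn", "insurance_id", "partial_ssn"})),
     ("ehr", "staff_mail", frozenset({"name", "diagnosis"}))])
```

Running `INVENTORY.impact("payment_portal", "2025-08-01")` answers the payment-vendor case and `INVENTORY.impact("staff_mail", "2025-10-02")` the mailbox case; the same query is what a team would otherwise reconstruct by hand under incident pressure.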