A group of bipartisan senators introduced new healthcare cybersecurity legislation that would change Department of Health and Human Services (HHS) protocols on cybersecurity and offer guidance to the healthcare industry on how to handle cybersecurity attacks.
According to data compiled by the HIPAA Journal, more individuals had their healthcare data exposed in 2024 than in any year since 2009, when the HHS’ Office for Civil Rights began collecting breach data. The cyberattack on UnitedHealth subsidiary Change Healthcare, which happened in February of that year, is estimated to have affected more than 190 million individuals.
The American Hospital Association (AHA) wrote that in 2024, 444 reported cybersecurity incidents affected healthcare, comprising 238 ransomware incidents and 206 data breaches, according to data released by the FBI.
“It’s not surprising that the report shows health care suffered the highest combined total of ransomware and data theft attacks of any U.S. critical infrastructure sector,” John Riggi, AHA national advisor for cybersecurity and risk, said in the blog post. “Concurrently in 2024, health care made 592 regulatory filings of reported ‘hacks’ of protected health information to the Department of Health and Human Services Office of Civil Rights, impacting a record 259 million Americans. That massive number is mainly due to the hacking of records for 190 million Americans during the Change Healthcare ransomware attack.”
Sens. Mark Warner, D-Va., Bill Cassidy, M.D., R-La., Maggie Hassan, D-N.H., and John Cornyn, R-Texas, reintroduced the Healthcare Cybersecurity and Resiliency Act of 2025 on Thursday. The bill would provide guidance, grants and educational opportunities for healthcare entities and their business associates to better prepare for and respond to attacks on their technological infrastructure.
One section of the bill would require the HHS to write guidance for rural entities and rural health clinics on best practices for preventing cybersecurity breaches, building resilience and coordinating with federal agencies in the event of an attack. It would also require the Government Accountability Office to review how that rural health guidance is implemented.
While the proposed legislation does not specify how much money would be available to healthcare entities, it does direct the HHS to make cybersecurity infrastructure grants available to a broad swath of healthcare delivery organizations, including hospitals, cancer centers, rural health clinics, academic medical centers and more.
To improve the healthcare workforce’s knowledge of cybersecurity “dos” and “don’ts,” the HHS would be required to provide education and training.
“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs—and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a press release. “Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it.”
The senators’ legislation would also significantly modernize how cybersecurity reporting is handled within the nation’s healthcare agency. In addition to clarifying which offices within the HHS will handle cybersecurity incidents, it would require the agency to create an incident response plan for itself.
The HHS would also need to create a public website for breach reporting. The portal would include information on healthcare cybersecurity breaches and the corrective actions healthcare entities took after a breach.
The legislation would also require an update to the Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule sets out the cybersecurity safeguards providers and insurers must apply to protected health information. The bill would update HIPAA regulations to require covered entities to use “modern, up-to-date” cybersecurity practices.
The bill would also require that the number of individuals affected by each cybersecurity event be reported.
“Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks,” Cornyn said. “This legislation would strengthen interagency coordination and improve security practices for rural providers, ensuring Texans’ health care is not delayed or compromised by cyberattacks.”