While emphasizing that Change Healthcare was a victim, Riggi said the company is an unfortunate poster child for insecure third-party companies.
"Holding so much data and being so critical to the functioning of the entire healthcare sector, we believe they had special responsibility to secure that vast majority of the healthcare data they held," he said.
Ransomware an increasing concern
Data available from the Health and Human Services Department's Office for Civil Rights does not break out which breaches also involve ransomware. According to the FBI, this type of attack may not always involve data being stolen. Malicious software could simply lock access to a company's data until a ransom is paid.
An analysis for Modern Healthcare by Black Kite, a Boston-based cyber third-party risk management company, estimates 23% of healthcare breaches in 2024 were ransomware attacks. That's up from about 11% in 2023.
Riggi believes the percentage could be higher. "We do estimate that about a third of these reported hacks were actually ransomware attacks that were accompanied by data theft."
He characterized such hacks as threat-to-life crimes, citing a ransomware attack on the University Medical Center Health System in Lubbock, Texas, last year. For several days, the attack forced the diversion of ambulances from the hospital, which includes the only Level-1 trauma center in the area.
Riggi doesn't shy away from pointing out who he believes is responsible.
"The root of this problem is foreign bad guys, primarily based in Russia, China, North Korea and Iran, who are stealing our data," he said.
Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, predicts more such attacks this year.
"Ransomware in 2025 will be faster, bolder and more ruthless. Healthcare remains a bullseye, with new ransomware groups exploiting ethical and operational vulnerabilities."