Highlands Oncology Group - When Security Fixes Fail
- Keith Pachulski
- 6 days ago

When you look at what happened to Highlands Oncology Group, you're seeing a textbook example of how security failures compound over time. This Arkansas-based cancer care provider was hit twice in less than two years. The second attack was more than double the size of the first. What makes this case particularly concerning is the pattern we see repeatedly in healthcare: tactical fixes are implemented after a breach without addressing the underlying security architecture problems.
After their November 2023 breach that exposed 55,297 patient records, Highlands implemented what they called "additional monitoring, revised remote access policies, and strengthened technical safeguards." Sound familiar? That's the same response we see from most healthcare organizations after a breach – patch the obvious holes, add some monitoring, call it good. But by January 2025, the Medusa ransomware group was already back inside their network. This time they stayed for over four months without being detected.
The technical reality here is sobering. An attacker gained initial access on January 21, 2025 and they maintained access until June 2 when they finally deployed their ransomware payload. That's 132 days of undetected presence in a healthcare network containing sensitive data including Social Security numbers, medical records, financial information, passport numbers, driver's license details and complete medical treatment histories for over 113,000 patients.
The Four-Month Dwell Time Problem
When Medusa first gained access, they weren't immediately launching ransomware. They were conducting reconnaissance, mapping the network, identifying critical systems, locating backup infrastructure, finding and exfiltrating the data.
The fact that this intrusion went undetected for over four months tells us several critical things about their security posture. First, their network monitoring wasn't sophisticated enough to detect lateral movement, unusual data access patterns, or abnormal network traffic. Second, their endpoint detection capabilities were either non-existent or poorly configured. Third, their security team likely lacked the tools and processes necessary for effective threat hunting.
This brings us to a fundamental problem in healthcare cybersecurity. Most organizations are still thinking about security as a compliance checkbox rather than an ongoing operational discipline. After their 2023 incident, Highlands likely conducted an internal security assessment, implemented some additional controls, maybe brought in a consultant to review their policies, and considered the problem solved. But effective cybersecurity requires continuous monitoring, regular testing and constant adaptation to evolving threats.
Network Baselining and Behavioral Analysis
One of the most critical gaps we see in healthcare organizations is the lack of proper network baselining and behavioral analysis. You can't detect abnormal activity if you don't know what normal looks like. Effective security operations require establishing detailed baselines for network traffic patterns, user behavior, system access logs and data flow patterns. This goes beyond deploying a SIEM and hoping for the best. It requires dedicated security personnel who understand both the technology and the clinical workflows that drive data access in healthcare environments.
The incident response lifecycle should include continuous monitoring and threat hunting as core components, not just reactive measures after an incident is detected. When we conduct security assessments for healthcare clients, we often find that their "monitoring" consists of basic antivirus alerts and maybe some firewall logging. That's hoping, not monitoring. Real monitoring involves behavioral analysis, anomaly detection, threat intelligence integration, and proactive hunting for indicators of compromise.
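As an added illustration of the baselining point above (example code, not from the original post or from Red Cell Security), the following Python builds a per-user "normal" from constructed EHR audit records and then flags later days that deviate in daily record volume or in the host the account works from. The log format, account names and host names are assumptions made for the example.

```python
import csv, io, statistics
from collections import defaultdict

# Constructed EHR audit records (date,user,source_host,records_accessed);
# days before 2025-01-21 stand in for the clean baseline period.
SAMPLE_LOG = """\
2025-01-06,nurse.lee,WS-ONC-12,41
2025-01-07,nurse.lee,WS-ONC-12,38
2025-01-08,nurse.lee,WS-ONC-12,44
2025-01-09,nurse.lee,WS-ONC-12,40
2025-01-06,svc-backup,SRV-BKP-01,0
2025-01-07,svc-backup,SRV-BKP-01,0
2025-01-22,nurse.lee,WS-ONC-12,42
2025-01-23,nurse.lee,VPN-POOL-07,2900
2025-01-23,svc-backup,SRV-BKP-01,0
2025-01-24,svc-backup,WS-ADMIN-03,0
"""

def parse_log(text):
    # Each CSV line becomes a (day, user, host, count) tuple.
    return [(d, u, h, int(c)) for d, u, h, c in csv.reader(io.StringIO(text))]

def build_baseline(rows, cutoff):
    """Per-user normal: mean/stdev of daily record volume and the hosts the
    account works from, using only days before the cutoff."""
    counts, hosts = defaultdict(list), defaultdict(set)
    for day, user, host, count in rows:
        if day < cutoff:  # ISO dates compare correctly as strings
            counts[user].append(count)
            hosts[user].add(host)
    return {u: {"mean": statistics.mean(v), "sd": statistics.pstdev(v),
                "hosts": hosts[u]} for u, v in counts.items()}

def find_anomalies(rows, baseline, cutoff, z=3.0):
    """Flag post-cutoff days whose volume or source host leaves the baseline;
    the 1-record stdev floor keeps a flat (all-zero) history from flagging any change."""
    findings = []
    for day, user, host, count in rows:
        if day < cutoff:
            continue
        b = baseline.get(user)
        if b is None:
            findings.append((day, user, "no baseline for account"))
            continue
        limit = b["mean"] + z * max(b["sd"], 1.0)
        if count > limit:
            findings.append((day, user, f"volume {count} exceeds {limit:.1f}"))
        if host not in b["hosts"]:
            findings.append((day, user, f"new source host {host}"))
    return findings
```

In the constructed data the clinical account's 2,900-record day from a VPN address and the backup service account appearing on an admin workstation are the kinds of deviations a baseline surfaces that signature-based alerts alone would not.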
The Medusa group didn't just steal data. They conducted what's called "double extortion." They encrypted Highlands' systems to disrupt operations while simultaneously threatening to publish the stolen data on their leak site. They demanded $700,000 with a deadline of July 21. Highlands was subsequently removed from Medusa's leak site, which strongly suggests they paid the ransom.
This decision to pay has serious implications that go beyond the immediate financial impact. When healthcare organizations pay ransoms, they're essentially funding future attacks against themselves and other healthcare providers. They're also sending a signal to criminal organizations that healthcare is a profitable target that will pay when pressured. From a risk management perspective, paying the ransom doesn't actually solve the underlying security problems that allowed the breach to occur in the first place.
Technical Testing and User Validation
From a technical testing perspective, this case highlights several critical areas where healthcare organizations need to focus their efforts. User security awareness testing needs to be ongoing and realistic, not just annual phishing simulations. The tests need to include sophisticated social engineering campaigns that target specific individuals with carefully crafted messages designed to exploit human psychology and organizational trust relationships.
Regular penetration testing should include network-based attacks, physical security assessments, social engineering tests, and red team exercises that simulate real-world attack scenarios. Too many healthcare organizations conduct annual penetration tests that focus on technical vulnerabilities while ignoring the human elements that attackers actually exploit.
A robust security testing program requires both internal vulnerability management and external validation. Monthly internal vulnerability assessments should be conducted by your IT security team to identify and remediate technical weaknesses as they emerge. These assessments help maintain baseline security hygiene and catch configuration drift before it becomes exploitable.
Internal assessments have inherent limitations. Your team knows the environment too well and may have blind spots or unconscious biases about system configurations. This is where quarterly third-party penetration testing becomes critical. External penetration testers bring fresh perspectives, updated attack methodologies, and objective assessment of your security controls. They'll test your defenses the same way actual attackers would, without insider knowledge of your network architecture or security measures.
The external testing should rotate focus areas. One quarter might emphasize network perimeter defenses and internal segmentation, while another focuses on wireless security and medical device vulnerabilities. Physical security assessments and social engineering tests should be conducted by third parties at least twice annually. These types of tests require specialized skills and benefit significantly from the outsider perspective that makes social engineering attempts more realistic and effective.
Continuous red team exercises that test both technical controls and human responses should blend internal and external resources, with third-party red teams leading complex scenarios that challenge your incident response procedures and test whether your security investments actually work under pressure.
The technical architecture of healthcare networks creates unique challenges that many organizations don't adequately address. Medical devices, electronic health record systems, billing platforms and administrative networks often share the same infrastructure without proper segmentation. When attackers gain access to one system, they can often move laterally across the entire network because proper network segmentation and access controls haven't been implemented.
Critical system identification and protection is another area where healthcare organizations consistently fall short. Every healthcare network contains systems that are absolutely critical to patient care and safety, but many organizations haven't properly identified these systems, mapped their dependencies, or implemented appropriate protection measures. When ransomware hits these critical systems, the impact goes beyond data theft. These attacks can affect patient care and safety.
Red Flags for Healthcare Organizations
The red flags for healthcare organizations in this case are numerous and concerning. The extended dwell time demonstrates a fundamental failure in security monitoring and threat detection. No attacker should be able to maintain access to a healthcare network for over four months without detection. This suggests that Highlands lacked proper endpoint detection and response capabilities, network monitoring tools and security operations center processes.
The fact that this was their second ransomware incident in less than two years indicates that their post-incident remediation after the 2023 breach was inadequate. They likely focused on tactical fixes rather than strategic security improvements. This is a common pattern we see in healthcare. Organizations implement point solutions to address specific vulnerabilities without addressing the underlying security architecture and operational issues.
The scale escalation from 55,297 affected patients in 2023 to 113,575 in 2025 suggests that their security posture actually deteriorated over time rather than improving. This could indicate organizational growth without corresponding security investments, or it could reflect the attackers' improved understanding of the network based on their previous successful intrusion.
The data theft demonstrates poor data classification and access controls. The attackers were able to access everything from Social Security numbers and medical records to financial information and passport details. This suggests that sensitive data wasn't properly segmented, classified or protected with appropriate access controls.
The apparent decision to pay the ransom creates a dangerous precedent that makes future attacks more likely. Criminal organizations share information about which targets are likely to pay, and healthcare organizations that pay ransoms often find themselves targeted repeatedly by the same or different criminal groups.
The Broader Technical Implications
The technical implications of this case extend beyond just Highlands Oncology Group. This incident demonstrates several systemic problems in healthcare cybersecurity that we see repeatedly across the industry. Many healthcare organizations are still operating under the assumption that compliance equals security. HIPAA compliance is a minimum baseline, not a security strategy.
The reality is that effective healthcare cybersecurity requires ongoing investment in people, processes and technology. It requires dedicated security personnel who understand both cybersecurity and healthcare operations. It requires continuous monitoring and threat hunting capabilities. It requires regular testing and validation of security controls. And it requires an organizational commitment to treating cybersecurity as an operational discipline rather than a compliance requirement.
From a business risk perspective, the financial impact of these breaches extends far beyond the immediate ransom payment. Healthcare organizations face regulatory fines, legal costs, reputation damage, patient notification expenses, credit monitoring services, and potential lawsuits. The total cost of a healthcare data breach now averages over $11 million according to recent studies, making it the most expensive type of data breach across all industries.
When ransomware attacks disrupt healthcare operations, patient care is directly affected. We've seen cases where hospitals had to divert ambulances, postpone surgeries and revert to paper-based processes because their electronic systems were compromised. In some cases, these disruptions have been linked to increased patient mortality rates.
The Medusa ransomware group that attacked Highlands is part of a broader ecosystem of sophisticated criminal organizations that specifically target healthcare providers. They operate as a service, providing ransomware tools and infrastructure to affiliates in exchange for a percentage of ransom payments. This business model has made ransomware attacks more frequent and more sophisticated over time.
These criminal organizations conduct detailed reconnaissance before launching attacks. They study their targets' networks, identify critical systems, map backup infrastructure, and develop customized attack strategies. They understand healthcare operations well enough to time their attacks for maximum impact, often targeting systems during critical operational periods or when IT support is limited.
Moving Beyond Compliance
Healthcare organizations need to stop treating cybersecurity as a checklist and start building operational security programs. This means implementing proper network segmentation to limit lateral movement, deploying advanced endpoint detection and response tools, establishing security operations centers with 24/7 monitoring capabilities, and conducting regular red team exercises to test both technical controls and human responses.
The difference between a minor security incident and a major data breach often comes down to detection speed. In Highlands' case, a four-month detection time turned what could have been a contained incident into a major breach affecting over 113,000 patients.
Organizations that treat cybersecurity as a one-time fix rather than an ongoing operational discipline will continue to be victimized. Healthcare organizations that commit to treating cybersecurity as a core operational discipline will be much better positioned to defend against sophisticated threats.
Don't Let Your Organization Become the Next Highlands
If you're reading this and recognizing your organization in these scenarios, you're not alone. Most healthcare organizations have similar vulnerabilities - they just haven't been exploited yet. The question is whether you want to discover these gaps through a controlled security assessment or through a breach notification to your patients.
Our security assessments combine technical penetration testing with operational security reviews that examine how your organization would actually respond to a sophisticated attack. We don't just find vulnerabilities - we help you understand which ones pose the greatest risk to patient care and how to prioritize your security investments for maximum protection.
If you want to know how your organization would fare against the same tactics that compromised Highlands twice, let's talk. The conversation is free, confidential, and could save your organization from becoming the next cautionary tale in healthcare cybersecurity.
Keith Pachulski
Red Cell Security, LLC