As of October 2025, the American Hospital Association had logged 364 healthcare hacking incidents this year. Unbelievably, 100% of the breached data was unencrypted.
It was exposed either because stolen credentials unlocked access to data that was encrypted, or because it was stored in plain text outside of protected systems.
That’s more than a healthcare cybersecurity statistic; it’s an indictment.
Hopefully, it’s also a wake-up call about how encryption is being implemented, managed and audited across healthcare. If every compromised record could be read, leaders have to ask: Is encryption truly functioning as our last line of defense or merely as a compliance checkbox?
The significance of the “100% unencrypted” finding
The AHA report’s insight hits at the core of healthcare security: encryption. Properly applied, encryption protects patient data in two essential states:
- At rest, when stored on servers, backups or devices
- In transit, as it moves between systems, endpoints and vendors
When encryption is missing or when stolen credentials bypass it entirely, data becomes instantly exploitable.
Attackers don’t need to “break” encryption if they can simply log in using a legitimate user’s keys. Even worse, much of the unencrypted data in 2025 breaches existed outside the electronic health record (EHR): on analytics servers, imaging platforms, email systems and vendor integrations where encryption enforcement was inconsistent or absent.
This pattern reveals the deeper problem: Healthcare isn’t suffering from an absence of encryption technology; it’s suffering from gaps in strategy, governance and accountability around how encryption is applied and verified across sprawling data ecosystems.
Embedding encryption accountability into the healthcare institution
For hospitals and provider organizations, encryption should be a leadership issue. CIOs, CFOs and compliance executives all share responsibility for where sensitive data resides, how it’s secured and who can access it.
Within the institution:
- Audit data locations. Identify every point where PHI is stored or transmitted, including backups and third-party integrations.
- Ensure encryption at rest covers not only EHR systems but also file servers, mobile devices and archived media.
- Validate encryption in transit across all channels, including email, file transfer, remote access and API exchanges.
- Establish key-management discipline. Rotate keys regularly, restrict administrative access and log every key usage event.
Externally, the same accountability applies to vendors and technology partners.
- Demand written proof of encryption standards, including algorithms used, key storage methods and data isolation practices.
- Make sure contracts define breach notification procedures and explicitly state what happens if encryption keys are compromised.
Closing encryption gaps through secure infrastructure
For health-tech and SaaS providers, the AHA’s findings highlight a different but related failure: fragmented encryption across distributed systems. The challenge isn’t just encrypting data; it’s maintaining encryption integrity as data flows through APIs, analytics pipelines and hosting environments.
High-performing organizations apply a layered approach:
- Encrypt PHI in every state—at rest, in transit and within logs, cache or AI/analytics datasets.
- Use a managed key management system (KMS) that stores keys outside application environments.
- Automate credential rotation and revocation to neutralize the impact of stolen credentials.
- Continuously monitor encryption status across databases, backups and network traffic.
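The key-management discipline called for earlier (rotate keys, restrict access to them, log every key-usage event) and the rotation, revocation and monitoring points in this list can be shown together in one small program. The following is an added example, not code from the article or from Liquid Web. It uses a constructed in-memory stand-in for a managed KMS (the names KeyStore, Rotate, Retire, Scan and the "PHI1" envelope marker are hypothetical), AES-256-GCM from the Go standard library, and constructed sample records. The application only ever refers to keys by version number; the scan at the end is the kind of continuous encryption-status check that would flag records stored in plain text or still wrapped under a superseded key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed record layout: "PHI1" | 4-byte key version | 12-byte GCM nonce | ciphertext+tag.
// The 8-byte header is GCM associated data, so a record cannot be re-labelled with another key version.
var marker = []byte("PHI1") // hypothetical marker chosen for this example

const headerLen, nonceLen = 8, 12

// KeyStore is a hypothetical in-memory stand-in for a managed KMS: callers refer to keys
// by version number and never handle key bytes themselves.
type KeyStore struct {
	keys    map[uint32]cipher.AEAD
	current uint32
	Audit   []string // one line per key-usage event, as a KMS audit log would record
}

func NewKeyStore() *KeyStore {
	ks := &KeyStore{keys: map[uint32]cipher.AEAD{}}
	ks.Rotate()
	return ks
}

func (ks *KeyStore) audit(event string, version uint32) {
	ks.Audit = append(ks.Audit, fmt.Sprintf("%s event=%s key_version=%d", time.Now().UTC().Format(time.RFC3339), event, version))
}

// Rotate generates a fresh AES-256-GCM key and makes it the version used for all new writes.
func (ks *KeyStore) Rotate() uint32 {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // without randomness nothing here is safe; fail loudly
	}
	block, _ := aes.NewCipher(key) // a 32-byte key is always valid for AES-256
	aead, _ := cipher.NewGCM(block)
	ks.current++
	ks.keys[ks.current] = aead
	ks.audit("rotate", ks.current)
	return ks.current
}

// Retire destroys a superseded key version; records still wrapped under it become unreadable.
func (ks *KeyStore) Retire(version uint32) {
	if version == ks.current {
		return // the active write key is rotated away first, never retired in place
	}
	delete(ks.keys, version)
	ks.audit("retire", version)
}

// envelopeVersion returns the key version named in a record's header, or false for plaintext.
func envelopeVersion(record []byte) (uint32, bool) {
	if len(record) < headerLen || !bytes.Equal(record[:4], marker) {
		return 0, false
	}
	return binary.BigEndian.Uint32(record[4:headerLen]), true
}

// Encrypt wraps plaintext under the current key version and logs the key use.
func (ks *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	hdr := make([]byte, headerLen)
	copy(hdr, marker)
	binary.BigEndian.PutUint32(hdr[4:], ks.current)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ks.audit("encrypt", ks.current)
	return ks.keys[ks.current].Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// Decrypt opens a record with whichever key version its header names, logging the use or the denial.
func (ks *KeyStore) Decrypt(record []byte) ([]byte, error) {
	version, ok := envelopeVersion(record)
	if !ok || len(record) < headerLen+nonceLen {
		return nil, fmt.Errorf("record is not a well-formed encrypted envelope")
	}
	aead, ok := ks.keys[version]
	if !ok {
		ks.audit("decrypt_denied", version)
		return nil, fmt.Errorf("key version %d has been retired or never existed", version)
	}
	ks.audit("decrypt", version)
	nonce, body := record[headerLen:headerLen+nonceLen], record[headerLen+nonceLen:]
	return aead.Open(nil, nonce, body, record[:headerLen])
}

// Status is what a continuous encryption-status check reports for a data store.
type Status struct{ Plaintext, Stale, Current int }

// Scan classifies records: no envelope at all, wrapped under a superseded key, or current.
func (ks *KeyStore) Scan(records [][]byte) Status {
	var s Status
	for _, r := range records {
		switch v, ok := envelopeVersion(r); {
		case !ok:
			s.Plaintext++
		case v != ks.current:
			s.Stale++
		default:
			s.Current++
		}
	}
	return s
}

func main() {
	ks := NewKeyStore()
	wrapped, _ := ks.Encrypt([]byte("MRN=000123;dob=1970-01-01")) // constructed sample record
	plain := []byte("MRN=000456;dob=1980-02-02")                  // constructed: stored with no envelope
	ks.Rotate()
	fmt.Printf("%+v\n", ks.Scan([][]byte{wrapped, plain})) // one stale record and one plaintext record to fix
	for _, line := range ks.Audit {
		fmt.Println(line)
	}
}
```

Two design points carry over to real deployments: a record that is not an envelope is refused rather than passed through, so plain-text data stored alongside encrypted data is caught by the same check that the monitor uses, and every key access, including a denied one against a retired version, leaves a log line that can be audited later.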
Infrastructure plays a critical supporting role. Data should live in compliant, isolated environments with built-in encryption auditing and verifiable logging. Hosting platforms should offer HIPAA-audited encryption configurations, not just generic “secure” environments.
The goal is to make encryption enforced by design, not reliant on manual policy compliance.
Don’t be the next healthcare data breach news headline
Encryption is only effective when it’s universal, enforced and continually verified. The fact that every hacked record in nine months was unencrypted is not a failure of technology—it’s a failure of implementation and oversight.
The path forward requires more than technical remediation. It calls for executive accountability, vendor transparency and infrastructure alignment where encryption is woven into every layer of data management.
At Liquid Web, we help healthcare organizations and technology providers build HIPAA-compliant hosting environments where encryption is a verifiable, auditable part of the infrastructure that underpins patient trust, compliance and long-term resilience.