Don't be the next healthcare data breach: why your choice of web host matters
Choosing the right web host can make the difference between disaster and averting it.

Image by Cybernews.
Choosing the right web host can make the difference between disaster and averting it.
Hospitals and their technology partners are racing to lock down the servers that hold the world’s most sensitive medical records after an unprecedented run of cyberattacks exposed hundreds of millions of patients and crippled care networks from California to Copenhagen.
It used to be that health care data was seen as off-limits for cybercriminals, who held an honourable view that anything that affected care could and should not happen.
That’s no longer the case, though.
The turning point was February 2024, when ransomware gang BlackCat hijacked UnitedHealth’s Change Healthcare data clearing house. The attack, finally tallied this year, compromised data of about 190 million people and disrupted prescription authorisations and billing at “virtually every hospital in the country,” according to industry estimates. But it was just the beginning.
Cascading crises
Change Healthcare’s outage showed how a single cloud-based vendor can create a blast radius that engulfs thousands of providers. Weeks later, Kaiser Permanente disclosed that a marketing-tracking script on its patient portal had quietly sent the browsing behaviour of 13.4 million members to Google, Microsoft and X. In this instance, there were no hackers involved, just a misconfigured web tool that caused data breaches.
And this spring, Oracle Health admitted that legacy data-migration servers left outside its main Oracle Cloud perimeter were looted for patient files, prompting extortion attempts against individual hospitals. Each incident flowed from an infrastructure decision: which host to trust, how quickly to retire old machines, whether to embed third-party code.
The bill keeps climbing
The average healthcare breach cost $10.93 million in 2023 and $9.77 million in 2024, still the highest of any industry.
And regulators are worried about what’s happening. In December 2024, the White House proposed the first major overhaul of HIPAA security rules in two decades.
The draft would mandate encryption of all protected health information and require hospitals and their cloud or software vendors to pass regular compliance audits — a shift from today’s largely voluntary regime, Deputy National Security Adviser Anne Neuberger said at the time.
Europe is moving in parallel: data-protection authorities have begun reviewing how mega-clouds handle “special category” health data under the GDPR, and several national health systems face multi-million-euro fines for breaches linked to outsourced hosting contracts.
What route to choose?
Security architects argue that hyperscale clouds such as AWS, Azure and Oracle can be more secure than an average on-premise hospital data centre because providers invest billions in monitoring and patching. Yet the record shows that misconfiguration, credential reuse, and unmanaged shadow IT inside those clouds remain top breach paths.
Plus, hospitals now share data with hundreds of “business associates”—billing services, imaging apps, telehealth portals—each potentially hosting PHI on its own servers. In 2023, the AHA reported a 287% year-over-year jump in individuals harmed by vendor breaches, far outpacing incidents originating inside provider networks. Insurers reacted by tightening cyber-liability coverage and demanding proof that every subcontractor meets frameworks such as HITRUST or NIST.
The next 12 months will be pivotal for cybersecurity. Many providers are accelerating cloud migrations to shed obsolete hardware like the Oracle-era servers that were plundered, but they are adding zero-trust access controls, 24/7 logging and stricter contracts that let them audit vendor defences.
Regulators, meanwhile, are signalling they will hold hospitals accountable even when outsiders are at fault, raising the stakes for due diligence on hosting partners.