In early June 2025, two bipartisan bills were introduced in the House of Representatives and the Senate that seek to improve cybersecurity in the healthcare and public health (HPH) sector through better coordination at the government level, so that government agencies can respond immediately and efficiently to cyberattacks on HPH sector entities.
Healthcare cyberattacks have increased significantly in recent years. Based on breach reports submitted to the HHS’ Office for Civil Rights, over 700 data breaches affecting 500 or more individuals occurred in each of the past four years. These healthcare data breaches resulted in the compromise or impermissible disclosure of the protected health information (PHI) of over 172 million people in 2023 and 278 million people in 2024.
In the Change Healthcare data breach in 2024, a ransomware group stole the data of approximately 190 million people and deployed ransomware to encrypt files. The prolonged outage of Change Healthcare’s systems caused massive disruption to the revenue cycles of healthcare organizations throughout the country. Patient care was also disrupted nationwide, and the ransomware group leaked the stolen information on the dark web.
Congressman Jason Crow (D-CO) and Congressman Brian Fitzpatrick (R-PA) introduced the Healthcare Cybersecurity Act of 2025. In the Senate, Senators Todd Young (R-IN) and Jacky Rosen (D-NV) introduced a companion bill. Congressman Crow previously introduced the Healthcare Cybersecurity Act in the 117th and 118th Congresses. His intention in leading the bipartisan legislation is to safeguard the sensitive data of American families from cyberattacks.
If the bill is approved, the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) would need to work together to improve HPH sector cybersecurity. Implementation of the Act includes cybersecurity and HIPAA training for all concerned employees. The bill also calls for CISA and the HHS to conduct a study of the HPH sector and the specific risks it faces.
Cyberattacks on the healthcare system put sensitive data and lives at risk. The Healthcare Cybersecurity Act of 2025 seeks to take direct, strategic action by giving CISA and HHS the authority to carry out real-time threat sharing, providing cybersecurity training for organizations, and creating a dedicated liaison to boost response to attacks. The appropriate infrastructure will be put in place to prevent cyberattacks, secure patient privacy, and defend national security.