Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments

The Senate’s top Democrat called on the Department of Homeland Security Friday to work closely with state and local governments to defend against artificial intelligence-strengthened hacks. 

Senate Minority Leader Chuck Schumer, D-N.Y., wrote to DHS Secretary Markwayne Mullin to make sure state, local, tribal and territorial (SLTT) governments aren’t left behind as AI models advance, posing new hacking threats.

“There is a race between cybersecurity defenders and AI-enabled hacking — and there’s no time to waste,” Schumer wrote.

“While the White House has reportedly begun hosting meetings about its internal security priorities following these frontier AI cyber breakthroughs, it is glaringly obvious that the Department of Homeland Security needs an updated plan for coordinating these efforts with [state, local, tribal and territorial] governments and implementing procedures to reduce the risk of disruptive cyberattacks enabled by frontier AI,” he stated.

Schumer said he was worried about the capabilities of DHS and its Cybersecurity and Infrastructure Security Agency to carry out that coordination, given federal funding cuts to the Multistate Information Sharing and Analysis Center, and the lack of a Senate-confirmed CISA director for the duration of the second Trump administration.

Schumer wants a plan from DHS by July 1 on coordinating with state and local governments on a range of questions, such as how to identify top AI talent, carry out rapid patching and conduct risk assessments.

“AI is changing the cyber battlefield fast — and we cannot let hackers get there first,” Schumer said in comments accompanying the letter. “Hospitals, power grids, water systems, schools, elections, and emergency services cannot be left exposed while criminal gangs and state-backed hackers race to exploit new AI tools. DHS must immediately help states and localities find and fix vulnerabilities before Americans are hit with outages, disruptions, and attacks that could put lives and livelihoods at risk.”

CISA is using AI to help on the defensive side internally, agency officials recently said.

The post Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments appeared first on CyberScoop.

Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks

Lawmakers at a hearing Tuesday explored ways to beef up punishments for ransomware attacks against hospitals, possibly by labeling them as more severe crimes.

One proposal floated at the House Homeland Security Committee hearing, to treat ransomware attacks as terrorism, is an idea Congress has flirted with before. Another would be to press prosecutors to pursue homicide charges in attacks on hospitals where death resulted — something German authorities also once pondered.

A former top FBI cyber official, Cynthia Kaiser, put forward both ideas at the hearing, a joint meeting of the subcommittees on Border Security and Enforcement and Cybersecurity and Infrastructure Protection on cybercrime, drawing questions and interest from members.

“I believe there are no penalties too severe for individuals that would target our health care system,” said Rep. Michael Guest of Mississippi, chair of the border subcommittee, whose home state’s health care clinics closed following a February ransomware attack.

The suggestions stem from a growing focus by ransomware attackers on the health care sector, with incidents doubling from 238 in 2024 to 460 in 2025 according to FBI statistics, making it the top targeted sector.

Kaiser, now senior vice president of the Halcyon ransomware research center, said terrorism designations from the State, Treasury and Justice departments could lead to further sanctions, restricted travel and other punishments. Justice Department guidance on homicide charges could clarify its authorities, she said.

“It sounds like the language is there, it just has not been applied in these circumstances,” said Rep. Lou Correa of California, the top Democrat on Guest’s subpanel.

The notion of more closely entwining cyberattacks and terrorism is something both Congress and the executive branch have examined recently.

The fiscal 2025 Senate intelligence authorization bill would have directly linked ransomware to terrorism, although the final version of the bill that became law was less explicit than the original Senate language. The Treasury Department last month asked for public feedback on changing a terrorism risk insurance program to address cyber-related losses.

A University of Minnesota study from 2023 estimated that hospital ransomware attacks were responsible for dozens of deaths of Medicare patients. German authorities in 2020 opened a negligent homicide investigation following a death in the aftermath of a ransomware attack, but ultimately decided against charges.

The Trump administration’s national cyber strategy advocates for taking a more offensive approach to hackers. It released an executive order on cybercrime and fraud the same day it published the strategy. Kaiser said the proposals are in line with those approaches.

Hackers know their attacks could end lives, she said. “They have simply decided these deaths are someone else’s problem,” Kaiser said.

Cybercrime losses jumped 26% to $20.9 billion in 2025

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The comprehensive study exposes a worsening digital crime environment that is driving financial losses, with momentum moving in the wrong direction and compounding at an alarming rate. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses in that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustained trends. Yet the scope of the study is limited and relies entirely on cybercrime incidents submitted to the FBI.

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged over 60 reporting the largest number of crimes and the greatest total losses of any age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers composed the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

HHS updates a free risk tool to help hospitals size up their cybersecurity exposure

The Department of Health and Human Services unveiled a tool Thursday to help health care facilities assess their cybersecurity risks, elevating the emphasis on those threats to match that placed on weather conditions and other dangers.

The assistance from HHS’s Administration for Strategic Preparedness and Response (ASPR) comes in the form of an update to the Risk Identification and Site Criticality (RISC) 2.0 Toolkit to include a specific focus on cybersecurity. 

RISC is a free tool to help organizations identify threats and vulnerabilities, estimate consequences and share their findings with others. Now it will include a cybersecurity module, too.

The module walks users through a series of questions and measures them against the influential National Institute of Standards and Technology Cybersecurity Framework 2.0, as well as HHS’s own voluntary cybersecurity performance goals.

John Knox, principal deputy assistant secretary at ASPR, said the change was a response to growing cyber threats.

“This module is the latest addition to our toolkit of resources to assist our health care and public health partners in preventing the disruption of patient care and strengthening national health security,” Knox said in a news release. “We must acknowledge that cyber safety is patient safety and that cyber threats can cause cascading problems across the health care industry. The new cybersecurity module will help our partners understand what is needed to strengthen their resilience and we strongly encourage them to take advantage of it.”

It continues an emphasis ASPR’s Charlee Hess discussed at CyberTalks last month, with the landmark Change Healthcare attack prompting the HHS division to look at ways to help organizations manage risk from third-party providers.

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said the creation of the cyber module was a “smart move,” with the RISC toolkit already being integrated into thousands of health care systems. He also liked the toolkit leaning on the NIST framework and HHS’s performance goals.

“By putting cyber side‑by‑side with other threats and hazards in a unified platform, RISC 2.0 can help hospital and health system leaders see cyber exposure in the same context as hurricanes, active shooters, or power failures,” he said in an emailed response to CyberScoop. “That visibility can drive more informed conversations at the executive and board levels about where to invest in cybersecurity, what gaps are most critical, and how cyber disruptions might cascade into real impacts on patient care.”

Senate moves one step closer to passing health care cyber reforms 

A key Senate committee moved to advance legislation that would overhaul cybersecurity practices at the Department of Health and Human Services.

The bipartisan Health Care Cybersecurity and Resiliency Act sailed through the Senate Health, Education, Labor and Pensions Committee Thursday on a 22-1 vote, with only Sen. Rand Paul, R-Ky., opposing it.

The legislation, sponsored by committee chair Bill Cassidy, R-La., and Sens. Mark Warner, D-Va., John Cornyn, R-Texas, and Maggie Hassan, D-N.H., would require the Secretary of Health and Human Services to develop a cybersecurity incident response plan for the department and provide it to Congress for review.

It would direct the department to partner with the Cybersecurity and Infrastructure Security Agency on oversight of cybersecurity in the health care and public health sectors, create specific cybersecurity guidance for rural healthcare providers and develop a plan to boost cybersecurity literacy within the healthcare workforce.

Cassidy and other members cited the 2024 Change Healthcare attack as a major driver for the legislation, arguing the incident was emblematic of a sector that is under constant siege from cybercriminals, ransomware actors and nation-states.

“Last year there were more than 730 cyber breaches affecting over 270 million Americans [connected to] Change Healthcare, exposing 190 million people’s data and delaying access to care,” Cassidy said at the opening of the hearing.

Another provision would designate the Administration for Strategic Preparedness and Response at HHS as the Sector Risk Management Agency for the Healthcare and Public Health sectors.

Earlier this month, an HHS official from that office speaking at CyberTalks, presented by CyberScoop, said the Change Healthcare attack took many private and public sector defenders by surprise, underscoring how the compromise of a little-known third-party service provider concentrated within a single sector can still take down wide swaths of industry.

“It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Charlee Hess, director of healthcare and public health sector cybersecurity at the Administration for Strategic Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”

The bill would update one of the sector’s main data protection laws, the Health Insurance Portability and Accountability Act, to ensure regulated entities use modern cybersecurity practices. It would also establish a new federal grant program to help hospitals, cancer centers, rural health clinics, the Indian Health Service, academic health centers and partnering nonprofit organizations adopt cybersecurity best practices.

“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a statement.

HHS burrows into identifying risks to health sector from third-party vendors

A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.

That attack, which is widely regarded as the biggest ever in the sector — including by HHS’s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop — began with hackers exploiting the lack of multifactor authentication set up on a remote access portal at Change Healthcare.

“It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Hess, director of healthcare and public health sector cybersecurity at the Administration for Strategic Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”

That realization arose from meetings between HHS and industry, she said. The focus on third-party service provider risk came next.

“We are going through and working through a methodology to identify that, and we’ve been working with industry on doing that, really finding where those places are,” Hess said.

The Change Healthcare breach, which exposed the data of 190 million people, has triggered other government responses, too, including on Capitol Hill.

It also prompted UnitedHealth Group, the parent company of Change Healthcare, to “start over” on its use of computer systems. But industry has also bristled at the notion of mandatory cybersecurity requirements on hospitals — in part because, they note, the Change Healthcare attack wasn’t their fault.

Bipartisan health care cybersecurity legislation returns to address a cornucopia of issues

A bipartisan group of senators is looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.

It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education, Labor and Pensions Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.

Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.

“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.

The legislation aspires to improve coordination between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, with steps like directing HHS to work with CISA state coordinators to provide training to health care owners and operators.

It would clarify HHS’s responsibilities and give it additional responsibilities, such as directing it to develop a cybersecurity incident response plan. It also requires HHS to update Health Insurance Portability and Accountability Act (HIPAA) regulations for health care entities to use modern cybersecurity practices and to issue guidance for rural health clinics on breach prevention.

And it authorizes a five-year grant program at HHS for select health care entities, like academic health and cancer centers, although it doesn’t specify a dollar amount.

Some of those goals are similar to provisions from other health care cybersecurity bills that haven’t become law, some of which emerged after the Change Healthcare ransomware attack that led to the biggest breach of health care data ever reported to federal regulators.

“Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks,” Cornyn said.
