Over the past month, AI vulnerabilities, delayed breach disclosures, and geopolitical tensions have created new challenges for cybersecurity leaders in healthcare. In this CISO Brief for June 2025, we take a closer look at the month’s top threats and headline-making events – from the first known AI zero-day exposure in Microsoft 365 Copilot (“EchoLeak”) to the delayed disclosure of a breach at the Episource impacting over 5 million patients, to escalating cyber risk warnings amid U.S.–Iran tensions.
Plus, as we approach the Fourth of July weekend, a time of historically heightened cyber activity, I’ll share key steps to help your healthcare organization stay prepared and resilient. Here’s what CISOs need to know and the questions to ask your teams.
EchoLeak Exposes First AI Zero-Day in Copilot
Overview:
On June 11, researchers disclosed EchoLeak (CVE-2025-32711), the first zero-click AI vulnerability affecting Microsoft 365 Copilot. The flaw allowed attackers to exploit the AI’s internal context engine and extract sensitive data without user interaction. A specially crafted email could trigger the AI to leak data by embedding it into a disguised image link that sends the information to an attacker-controlled server. Microsoft patched the issue in May, with no reported exploitation so far.
Healthcare Impact:
As hospitals adopt AI tools for documentation, patient engagement, and operations, EchoLeak emphasizes a new type of risk: AI models tricked into violating data boundaries. This could lead to PHI exposure without any malicious user action. Healthcare organizations must begin integrating AI-specific threat models into their security programs to address emerging risks effectively.
Recommendations:
- Even if you are not using Microsoft Copilot, review all AI tools for access to sensitive data and apply the principle of least privilege.
- Strengthen defenses against prompt injection in any in-house AI deployments.
- Ensure AI tools interacting with email or documents include content filtering.
- Add post-processing checks on AI outputs.
- Ask vendors if they test their AI tools for risks like EchoLeak.
- Expand awareness training to include AI-specific attack scenarios.
Questions to Ask Your Team:
- Are we using, or planning to use, AI tools that access sensitive healthcare data?
- How are we validating AI-generated outputs that draw on internal data?
- Have we applied patches for known AI vulnerabilities like EchoLeak?
- Do we have a response plan if AI tools behave abnormally?
- Are staff trained to spot unusual AI behavior and report it?
Episource Data Breach: Delayed Disclosure of 5.4 million Patient Records
Overview:
Episource, a risk adjustment vendor, revealed that a breach affecting over 5.4 million individuals occurred between January 27 and February 6. There was a delay in public disclosure until June 6, despite the discovery having occurred in February. Stolen data included names, Social Security numbers, insurance details, and medical records. The attack is suspected to be ransomware-related.
Healthcare Impact:
As a business associate, Episource’s breach affected dozens of providers who relied on their services. Delayed notification prevented timely patient protection and created compliance and reputational risks for healthcare organizations downstream.
Recommendations:
- Review which vendors have access to your patient data.
- Ensure contracts require timely breach notification.
- Ask vendors about recent audits or security certifications they have completed.
- Inventory what data each vendor stores and how it’s protected.
- Monitor vendor access to your network for unusual activity.
- Develop a third-party breach response playbook.
- Run tabletop exercises involving major vendor breaches.
Questions to Ask Your Team:
- Do we have an inventory of third-party vendors with access to patient data?
- Did we use Episource or a similar vendor, and have we assessed our exposure to it?
- Do contracts include clear timelines for reporting breaches?
- Are we monitoring vendor access for unusual patterns?
- Have we considered minimizing the amount of sensitive data shared with vendors?
Iran Tensions and DHS Cyber Advisory
Overview:
On June 22, DHS issued a bulletin warning of increased cyber threats tied to U.S.–Iran tensions. The alert included both physical and digital risks. HHS followed with a sector-specific advisory urging all healthcare organizations to increase cyber vigilance.
Healthcare Impact:
Iranian threat actors have previously targeted U.S. hospitals. Even without a direct threat, geopolitical tension can spill over into opportunistic attacks. CISOs need to prepare for increased attempts at ransomware, defacements, or denial-of-service activity.
Recommendations:
- Activate high-alert monitoring protocols (“Shields Up.”)
- Verify backups are complete and stored offline.
- Patch all critical and internet-facing vulnerabilities.
- Enforce and audit multifactor authentication.
- Monitor for brute-force or password-spraying attacks.
- Block traffic from non-essential regions.
- Re-emphasize phishing awareness training.
- Utilize CISA, HC3, and ISACs to stay informed about active threats.
Questions to Ask Your Team:
- Have we elevated our cyber posture in response to these alerts?
- Are all internet-facing systems patched?
- Are we prepared to maintain operations in the event of a cyberattack or outage?
- Have we recently tested our backup and recovery plans?
- Are we monitoring authentication logs for anomalies?
- Do staff know how to report suspicious emails or system issues?
Fourth of July Holiday: Heightened Threat Alert for Healthcare
Overview:
Cybercriminals often strike during U.S. holidays, counting on reduced staffing and slower response. This Fourth of July is particularly risky due to recent AI disclosures, fallout from third-party incidents, and geopolitical threats.
Actions to Take:
- Apply all high-priority patches before the holiday.
- Confirmed offline and tested backups for critical systems.
- Validate MFA settings across all vital services.
- Assign clear responsibilities for on-call security staff.
- Pause non-essential IT changes to reduce risk.
- Send pre-holiday phishing awareness reminders.
- Test incident response contact trees and escalation paths to ensure they are effective.
- Coordinate vendor support availability during the holiday.
Questions to Ask Your Team:
- Are all critical vulnerabilities patched before the holiday?
- Who is monitoring our systems during the weekend?
- Are backups current, offline, and restorable?
- What controls have we activated to reduce exposure?
- Has the help desk been briefed on how to handle holiday support?
- Do we have a post-holiday plan to review logs for signs of compromise?
Looking Ahead
From AI vulnerabilities to Iran-linked threats and holiday heightened risks, proactivity is key to staying on top of the escalated risks in healthcare cybersecurity. Use this month’s CISO Brief insights to guide your planning, prioritize your defenses, and ensure your teams are ready for whatever comes next.
