
26.08.25 Threat Report

This week’s threat report highlights the key security developments: a CISA advisory for an access-control vulnerability in FUJIFILM Synapse Mobility medical imaging software, a ransomware attack on major kidney dialysis provider DaVita, a delayed data breach disclosure from medical equipment supplier CPAP Medical affecting 90,000 patients, and Apple’s emergency patch for an actively exploited zero-day vulnerability. See the full details below.

Vulnerability in FUJIFILM Medical Imaging Systems Allows Unauthorised Access to Patient Data

CISA has issued an advisory for an access-control vulnerability (CVE-2025-54551) in FUJIFILM Healthcare's Synapse Mobility medical imaging platform. The weakness is improper control of web parameters that should be immutable: values the application treats as fixed for a user or session can be altered from the client, allowing an attacker to retrieve patient information beyond their assigned role. This is an authorisation failure rather than a bypass of login itself. The CVSS score is 5.3 (medium), but the flaw is exploitable remotely with low attack complexity, and in a clinical setting even limited disclosure of imaging records matters. All versions before 8.2 are affected. FUJIFILM has released version 8.2, a patch for the 8.0 to 8.1.1 branches and configuration workarounds, and organisations should apply one of them promptly.

Medical imaging systems are critical infrastructure in hospitals and clinics and hold large volumes of sensitive patient data, including diagnostic images, reports and clinical information. A breach could compromise patient privacy and disrupt diagnostic workflows.

Recommendations:

  • Immediately upgrade FUJIFILM Synapse Mobility to version 8.2 or later
  • If immediate upgrade isn't possible, disable the search function in configurator settings
  • Uncheck "Allow plain text accession number" in the admin interface security section
  • Apply available patches for versions 8.0-8.1.1 as an interim measure
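The weakness class behind this advisory, improper control of immutable web parameters, is easier to recognise with a minimal illustration. The code below is an added example written for this report; it is not FUJIFILM's software, and the handler names, the `department` and `accession` parameters, the session store and the study table are all constructed for the demonstration. The vulnerable handler lets the client supply the value that scopes access; the hardened one takes that value only from server-side session state and refuses requests that try to send it.

```python
# Added illustration of CWE-472 (improper control of immutable web parameters).
# Constructed example, not FUJIFILM's code: handler names, parameters,
# SESSIONS and STUDIES are assumptions made for the demonstration.
from typing import Optional

# Constructed sample data: which department each imaging study belongs to.
STUDIES = {
    "ACC-1001": {"department": "radiology", "patient": "P-1"},
    "ACC-2002": {"department": "cardiology", "patient": "P-2"},
}

# Constructed server-side sessions. The department is fixed at login and is
# exactly the kind of value a request must never be allowed to override.
SESSIONS = {
    "sess-alice": {"user": "alice", "department": "radiology"},
}


def vulnerable_get_study(session_id: str, params: dict) -> Optional[dict]:
    """Scopes access by a client-supplied 'department' parameter.

    The user is authenticated, but anyone who edits the request can name a
    department they are not assigned to and read its studies.
    """
    if session_id not in SESSIONS:
        return None  # not authenticated
    department = params.get("department")  # attacker-controlled scope
    study = STUDIES.get(params.get("accession"))
    if study and study["department"] == department:
        return study
    return None


def hardened_get_study(session_id: str, params: dict) -> Optional[dict]:
    """Derives the scope from server-side session state only.

    A request that carries the immutable value at all is treated as tampering
    and rejected rather than silently ignored, so it can be logged and alerted on.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if "department" in params:
        return None  # client attempted to supply a server-owned value
    study = STUDIES.get(params.get("accession"))
    if study and study["department"] == session["department"]:
        return study
    return None


if __name__ == "__main__":
    tampered = {"accession": "ACC-2002", "department": "cardiology"}
    print("vulnerable:", vulnerable_get_study("sess-alice", tampered))
    print("hardened:  ", hardened_get_study("sess-alice", tampered))
```

The hardened handler's explicit rejection of a client-supplied `department` is deliberate: dropping the parameter quietly would close the hole, but refusing the request gives the application a clear signal to log when someone probes for this class of flaw.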


Major Kidney Dialysis Provider DaVita Confirms Ransomware Attack Affecting 2.7 Million Patients

US kidney dialysis giant DaVita has disclosed a ransomware attack that compromised the personal and health information of 2.7 million patients. The Interlock ransomware group had access to DaVita's network between 24 March and 12 April 2025 and exfiltrated 1,510 GB of data before encrypting on-premises systems. The breach exposed names, addresses, dates of birth, Social Security numbers, health insurance information, clinical data and dialysis lab results; some records also included tax identification numbers and images of cheques. DaVita, which operates 2,675 outpatient centres and holds a 37% share of the US dialysis market, fell back to manual procedures and contingency plans to keep treating patients during the incident. The attackers posted stolen data on their leak site in April, but DaVita confirmed the full scope of the breach only in August.

This incident demonstrates how ransomware can severely disrupt healthcare services that patients depend on for life-sustaining treatment. The four months between the leak-site posting and confirmation of the full scope also show how long it can take to establish exactly what was taken from a large clinical environment.

Recommendations:

  • Review and test business continuity plans for critical patient care systems
  • Implement network segmentation to limit the spread of ransomware
  • Ensure backups are kept offline or immutable, isolated from production networks, and regularly tested by restoring from them
  • Develop clear communication protocols for patients during cyber incidents


Medical Equipment Supplier CPAP Medical Discloses Delayed Data Breach Affecting 90,000 Patients

Florida-based CPAP Medical Supplies and Services has disclosed a data breach that occurred in mid-December 2024, affecting over 90,000 individuals, including US military personnel and their families. Attackers had access to the company's systems for more than a week and may have taken files containing Social Security numbers and protected health information. The company provides sleep apnoea equipment and is a supplier in the wider healthcare ecosystem. No known ransomware group has claimed responsibility for the attack; possible explanations include a quieter intrusion with no extortion phase, or a ransom paid to prevent data publication. The eight-month gap between the incident and public disclosure raises questions about breach notification timelines and about the difficulty smaller healthcare suppliers have in detecting and responding to intrusions.

Medical equipment suppliers are often overlooked in cybersecurity planning, but represent a significant supply chain risk. Their systems may contain patient data, and their compromise can disrupt medical device availability and support services.

Recommendations:

  • Conduct security assessments of all medical equipment suppliers and vendors
  • Ensure third-party contracts include cybersecurity requirements and breach notification timelines
  • Implement supply chain risk management programmes that include cybersecurity considerations
  • Review and strengthen incident detection capabilities to reduce time to discovery

Apple Patches Actively Exploited Zero-Day Vulnerability in iOS, iPadOS, and macOS

Apple has released emergency security updates for a zero-day vulnerability (CVE-2025-43300) that has been actively exploited in targeted attacks. The flaw, rated high with a CVSS score of 8.8, is an out-of-bounds write in the ImageIO framework that can corrupt memory when a malicious image is processed; because ImageIO is shared by many system components, a crafted image delivered through messaging, mail or the browser is enough to reach the vulnerable code. Apple says the vulnerability has been exploited in "extremely sophisticated attacks against specific targeted individuals". The fix adds bounds checking and ships as iOS 18.6.2, iPadOS 18.6.2 and macOS Ventura 13.7.8, Sonoma 14.7.8 and Sequoia 15.6.1. Note that the patched version depends on the release branch a device is on: a Mac reporting 14.7.8 is fixed even though 15.6.1 is the newer number. This is the seventh zero-day vulnerability that Apple has patched this year following active exploitation.

Many healthcare organisations rely on Apple devices for clinical workflows, patient communication and administrative tasks. A compromised device could give attackers access to sensitive patient data or serve as a foothold for lateral movement within healthcare networks.

Recommendations:

  • Immediately update all Apple devices to the fixed version for their release branch
  • Use mobile device management (MDM) to enforce and verify patching across the organisation, and report on devices that remain below the fixed version
  • Enable Lockdown Mode for staff who are plausible targets of the kind of sophisticated, individually targeted attack Apple describes
  • Monitor for unusual device behaviour that could indicate compromise
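A common mistake when checking a fleet against an advisory like this one is to compare every device against the single newest version number, which wrongly flags Sonoma and Ventura machines that are fully patched on their own branch. The script below is an added example for this report, not an Apple or MDM vendor tool: it parses the version strings an MDM inventory export typically contains and classifies each device per release branch using the fixed versions listed above. The function names and the sample inventory rows are constructed for the demonstration, and any OS or branch not named in the advisory text is reported as "unlisted" rather than assumed safe.

```python
# Added example: triage an MDM inventory against the fixed versions published
# for CVE-2025-43300. Version table from the advisory; SAMPLE_INVENTORY and
# the function names are constructed for this demonstration.

# Minimum fixed version per OS and major release branch. Branches not listed
# here are outside what the advisory text covers and are reported as
# "unlisted" so nobody mistakes silence for a patch.
MIN_FIXED = {
    "iOS": {18: (18, 6, 2)},
    "iPadOS": {18: (18, 6, 2)},
    "macOS": {13: (13, 7, 8), 14: (14, 7, 8), 15: (15, 6, 1)},
}


def parse_version(text: str) -> tuple:
    """Turn '15.6.1', '15.6' or '18.6.2 (22G100)' into a 3-tuple of ints.

    Missing components are padded with 0 so '15.6' sorts below '15.6.1', and a
    trailing build identifier (as many MDM exports include) is discarded.
    """
    numeric = text.strip().split()[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def patch_status(os_name: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for one device.

    The comparison is against the minimum for the device's own major branch,
    so macOS 14.7.8 is 'patched' even though 15.6.1 is a higher number.
    """
    branches = MIN_FIXED.get(os_name)
    if branches is None:
        return "unlisted"
    current = parse_version(version)
    minimum = branches.get(current[0])
    if minimum is None:
        return "unlisted"
    return "patched" if current >= minimum else "vulnerable"


def triage_inventory(rows):
    """Group (device, os, version) rows by patch status, preserving order."""
    result = {"patched": [], "vulnerable": [], "unlisted": []}
    for device, os_name, version in rows:
        result[patch_status(os_name, version)].append(device)
    return result


# Constructed sample export in the shape an MDM inventory report produces.
SAMPLE_INVENTORY = [
    ("ipad-ward3", "iPadOS", "18.6.2 (22G100)"),
    ("iphone-oncall", "iOS", "18.6.1"),
    ("mac-radiology", "macOS", "14.7.8"),
    ("mac-reception", "macOS", "15.6"),
    ("mac-legacy", "macOS", "12.7.6"),
]

if __name__ == "__main__":
    for status, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Feed the real export in place of `SAMPLE_INVENTORY` and treat the "unlisted" bucket as work to do, not as clean: those devices are either on an unsupported branch or on one this report does not cover, and both need a separate decision.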
