Listen to this briefing

Did someone forward this newsletter to you? Sign up here to get it in your inbox.

In today’s issue:

• New AI models are intensifying fears of cyberattacks across the health care sector
• Health care and public health organizations reported more cybercrime complaints to the FBI last year than any other critical infrastructure sector
• Virginia Gov. Abigail Spanberger (D) vetoed a bipartisan prescription drug affordability bill after a five-year push by advocates and state lawmakers

Welcome to the Health Brief newsletter. What’ve you got for me? Please send any tips, documents or intel to megan.wilson@washpost.com, or message me on Signal at megan.434.

Health industry experts worry that rapidly evolving artificial intelligence platforms could increase cyberattack risks. (Sebastien Bozon/AFP/Getty Images)

	The Lead Brief

The health care industry, which represents almost one-fifth of the U.S. economy, is more vulnerable than ever to cyberattacks as technology advances.

That’s the focus of the latest report from Rebecca Adams, lead health care analyst at WP Intelligence. Much of the concern is driven by artificial intelligence models that can rapidly uncover and exploit software vulnerabilities, ferreting out flaws that humans did not notice for years or even decades.

While Nancy Phillips, the chief information security officer for Ensemble Health Partners, told Rebecca that the health care industry is excited about the expanding capabilities of AI, there is also “a lot of fear of what it means to defend an organization.”

Hospitals around the country spent about $30 billion on cybersecurity technology and services last year, significantly more than the financial services sector, according to data compiled by the American Hospital Association.

In April, AI giant Anthropic announced that its Mythos model’s powers in finding and exploiting software gaps were so advanced that the company deemed it too dangerous to make it available to the public — although parts of the model were inadvertently exposed before the company even noticed.

One of the company’s primary rivals, OpenAI, followed soon after with similar capabilities.

Phillips said she’d heard talk late last year about these kinds of advanced AI technologies — and while she normally has a policy of not texting executives over the holidays, she sent them a message about what she’d been hearing: “This is what’s keeping me up at night,” Phillips recalls writing around Thanksgiving.

The new models’ abilities to rapidly exploit any vulnerabilities that hospitals may have is “really accelerating the attack cycle time frame, so the threats are increasing at an alarming rate,” Scott Gee, the American Hospital Association’s deputy national adviser for cybersecurity and risk, told Rebecca.

Advertisement

→ Anthropic has rolled out a limited-access initiative, Project Glasswing, which allows more than 50 companies — including CrowdStrike, Microsoft, Palo Alto Networks, Nvidia and others — to use Mythos. Health care organizations can partner with those companies.

Despite that effort, the advent of advanced models such as Mythos has health industry cyber leaders alarmed about the vulnerability of the U.S. health care system — and the risks it poses to patients. They are calling for a more proactive and coordinated federal government response.

“When Mythos dropped last month, the Treasury secretary and the Federal Reserve chair got all the bank CEOs on a call to coordinate what the response would be,” said Dan Jones, senior vice president of federal affairs for the Alliance of Community Health Plans, an industry group that represents smaller insurance plans.

“There’s no equivalent in the health care space. Banks are well financed,” Jones said. “It’s a much bigger threat on the health care side.”

Project Glasswing allowed a major bank to preview Mythos, but did not permit hospital or health industry officials to do so.

Andrew Nixon, a spokesperson for the Department of Health and Human Services, said the agency “works with health care organizations and federal partners to strengthen cyber preparedness across the sector as threats continue to evolve.”

“The department remains engaged with our partners to protect patient data and critical systems,” Nixon added.

Advertisement

Read the full report: “New AI models raise alarms among health care leaders.”

The FBI tracks cybercrime through its Internet Crime Complaint Center, also known as IC3.

In 2025, reports from the health care and public health sectors dwarfed all other industries the federal government has deemed the most critical. Ransomware attacks drove the bulk of incidents across the highest-risk sectors, according to the FBI report.

Why it matters: Patients hospitalized during a ransomware attack faced an average 34 percent to 38 percent higher risk of dying in the hospital than patients admitted in the five weeks before the attack, according to a study published in February by University of Minnesota School of Public Health Associate Professor Hannah Neprash and others.

→ It’s worth noting that the largest cybersecurity attack in U.S. history happened in the health care sector.

In 2024, a Russian ransomware group struck Change Healthcare, an affiliate of UnitedHealth Group, and breached the health records of nearly 193 million Americans.

The company paid the ransom, but many medical providers faced extended disruptions — with some providers reporting that it took months to return to normal operations.

→ In one of the most recent high-profile attacks, Iranian-linked hackers launched a major cyberattack against the medical device giant Stryker in March, which wiped devices across dozens of countries and caused electronic ordering systems to go dark.

Patients preparing for procedures involving Stryker implants were rescheduled after shipping was disrupted.

But the fallout could have been much worse: The company recovered by early April, and the devices connected to hospitals’ care — used in services from robotic surgeries to imaging — were not attacked.

	State scan

Virginia Gov. Abigail Spanberger (D) vetoed bipartisan legislation that would have created a Prescription Drug Affordability Board (PDAB) in the state, handing a significant defeat to advocates who argued the proposal could help rein in the cost of high-priced medications.

It marks the abrupt end to a five-year effort heavily lobbied against by the pharmaceutical industry, which argued the board would decrease patient access to medicines and harm investment in new treatments.

→ Nearly a dozen other states have enacted their own PDABs, including four that have the ability to set upper payment limits on drugs. Two states, New Hampshire and Ohio, repealed their affordability boards in the years after they’d been created.

The legislation in Virginia, which has evolved from previous attempts, would have effectively extended the “maximum fair price” for medications that are part of Medicare’s drug negotiation program — established by the Inflation Reduction Act — to health insurance plans regulated by the state. It would have also established a PDAB to analyze drug pricing data and develop policy recommendations to "improve affordability" of prescription drugs.

Similar measures had passed the state legislature in previous years, and were both vetoed by Spanberger’s Republican predecessor, Glenn Youngkin in 2024 and 2025.

Spanberger said in a statement accompanying the veto that she shared lawmakers’ goal of lowering prescription drug costs, but concluded that similar boards in other states have “not worked to lower prescription drug prices” and have proven costly and ineffective. She had proposed amendments to the legislation, which the legislature declined to adopt.

The Pharmaceutical Research and Manufacturers of America, the influential industry group representing drugmakers, said Spanberger’s veto reflected “an understanding of the complexity of the pharmaceutical supply chain and the real risks of advancing a state-level approach rooted in federal price-setting policies.”

The group pressed policies targeting insurers and pharmacy benefit managers (PBM), which pharmaceutical companies blame as the culprit for high drug costs. Spanberger, in her veto statement, said she was “proud” to sign measures into law this year that target certain PBM business practices and require insurance companies that operate on the Affordable Care Act marketplace in Virginia to offer plans that cap monthly out-of-pocket costs for drugs.

Consumer advocates, however, expressed their disappointment in the veto.

AARP Virginia State Director Jim Dau called Spanberger’s veto “baffling” given her support for the Inflation Reduction Act, a Biden-era law enacted while Spanberger served in Congress. Dau vowed to “continue fighting” for policies that lower medicine costs. AARP has been one of the most vocal supporters of PDABs around the country.

Consumer group Families USA also lamented the veto and vowed to keep pushing for drug pricing reforms in Virginia.

“This bipartisan legislation would have made Virginia the first state in the nation to systematically extend Medicare’s negotiated drug prices to people in private health plans and in Medicaid automatically, without requiring a lengthy drug-by-drug affordability review,” said Anthony Wright, the group’s executive director.

— Meanwhile, in neighboring Maryland, the state’s PDAB recently approved an upper payment limit for the blockbuster diabetes and weight-loss drug Ozempic, which caps how much state and local governments will pay for the medication in state health plans.

	What We’re Reading

“Virginia Gov. Spanberger vetoes bill to build legal marijuana market,” The Post’s Gregory S. Schneider writes.

“White House resisted letting doctor with Ebola return to U.S.,” Lena H. Sun and Lauren Weber report in an exclusive for The Post.

“NIH behind in filling top roles, with 15 of 27 institutes led by acting directors,” STAT’s Anil Oza reports.

“Abortion clinic protesters eligible for payouts from new Trump ‘anti-weaponization’ fund,” Alice Miranda Ollstein writes at Politico.

“Trump administration expects to strip hundreds at US health agencies of job protections,” reports Ahmed Aboulenein at Reuters.

This newsletter is published by WP Intelligence, The Washington Post’s subscription service for professionals that provides business, policy and thought leaders with actionable insights. WP Intelligence operates independently from The Washington Post newsroom. Learn more about WP Intelligence.