Healthcare is among the most targeted and vulnerable sectors for cyberattacks. Sexual and reproductive health (SRH) facilities and services in particular face financially motivated ransomware attacks and data breaches, ideologically motivated punitive attacks, and commercialization and misuse of medical and personal data.
A new report published as part of the CLTC White Paper Series, Enhancing Cyber Resilience for Equitable Healthcare: Analysis of Cyberattacks Targeting Sexual and Reproductive Facilities and Services, spotlights the SRH sector’s threat landscape through quantitative and qualitative analysis of cyberattacks and their impacts.
The report was authored by Pavlina Pavlova, a policy expert with a cross-cutting perspective on international cybersecurity and transnational cybercrime. Pavlova was formerly a #ShareTheMicInCyber Fellow at New America in Washington, D.C., a public policy advisor at the CyberPeace Institute, and a cybercrime expert at the UN Office on Drugs and Crime (UNODC) in Vienna. Her report was published as part of the Center for Long-Term Cybersecurity’s 2025 Public Interest Cybersecurity Research Call for Papers and was presented in June at the 2025 Cyber Civil Defense Summit.
A Growing Landscape of Threats
Pavlova’s report is focused on a central question: “How do cyberattacks impact sexual and reproductive health (SRH) facilities and services in the U.S., and what strategies can enhance their cyber resilience to protect both providers and patients, particularly those who are legally, socially, and economically vulnerable?”
To answer this question, Pavlova conducted analysis of data about cyberattacks from public reports, such as those available from the U.S. Department of Health and Human Services Office of Civil Rights Data Breach Portal and HIPAA Journal, as well as personal interviews with frontline defenders and practitioners from SRH facilities. “Interviews were conducted with to provide context and insights into the lived experiences and challenges faced by SRH organizations and their clients,” Pavlova writes.
Sexual and reproductive health (SRH) service providers are particularly at risk, Pavlova explains, because they manage highly sensitive medical and personal data that makes them attractive targets for financially and ideologically motivated threat actors. “This high-value data, combined with the stigma and political controversy that leaks could cause, increases the risk and impact of cyberattacks and other technology-facilitated attacks,” she writes.
Perpetrators’ motivation ranges from financial extortion to punitive attacks and hacktivism, and SRH service providers face risks such as double and triple extortion (where perpetrators exfiltrate data, threaten to leak it, and pressure the victims) and data misuse (including unauthorized access, sharing, or exploitation of medical records). Cyberattacks on SRH organizations can include hack-and-leak operations, distributed denial of service (DDoS) attacks, digital harassment (such as doxxing, targeted intimidation, and surveillance), misinformation, and smear campaigns.
“Combined with growing volumes of purposefully leaked sensitive data, aggressive extortion practices are likely to become more frequent, with criminals potentially revisiting previously exploited data,” Pavlova writes. “The SRH data is further vulnerable to misuse in targeted attacks against patients and staff and potential legal actions against them.”
The exposure is compounded for individuals facing legal and political risks (such as abortion seekers in restrictive states), social stigmatization (for example, patients seeking abortions or IVF, or LGBTQ+ individuals seeking gender-affirming care), and economic or geographic marginalization (including rural populations, minors, and low-income individuals). “Technical, structural, legal, social, and individual factors create an environment of digital, psychological, and physical insecurity for SRH staff and patients,” she explains. “The downstream effects are disproportionately experienced by vulnerable groups already facing barriers to accessing healthcare. Data-exploiting attacks can traumatize victims and lead to long-term harms, including withdrawal from using SRH services.”
Recommendations
Pavlova’s report includes several key recommendations for policymakers to bolster the cybersecurity of the SRH sector. For example, she calls for “stronger regulation and privacy for medical data at the federal level, improved data security practices, and updated definitions of informed consent” to help secure patient data.
She also argues that lawmakers should include SRH services within the broad definition of critical infrastructure. “The complex and evolving SRH threat landscape calls for robust policy interventions that comprehensively address data protection and privacy, cybersecurity posture and preparedness, and incident response protocols,” she writes. “Federal policy must explicitly recognize SRH as an essential component of national critical infrastructure, ensuring its inclusion in national security frameworks and emergency preparedness plans, and prioritizing its protection.”
She also calls upon SRH organizations themselves to help address the challenge, for example by sharing information about incidents, implementing stronger baseline cybersecurity, and improving their responses to incidents. “Frontline service providers emphasize the need for collaborative approaches, such as improved cooperation among large- and medium-sized organizations in sharing intelligence and indicators around attacks; achieving essential baseline cybersecurity practices, including resilience measures and anti-harassment protections, in small or underfunded SRH facilities; and ensuring adequate incident response planning and recovery,” she writes. “Post-attack recovery efforts must account for operational disruptions, reputational damage, and the psychological toll on staff and patients.”
“This research calls for an urgent expansion of efforts to improve resilience across SRH facilities, particularly as these organizations become increasingly targeted, disputed, and politicized,” Pavlova concludes. “Current data and cybersecurity practices concerning sensitive and personal medical data and healthcare infrastructure are in most cases inadequate and unsustainable. A variety of factors — including extensive data collection, weak SRH-specific data privacy and protection regimes, fragmented regulation that varies by state, lack of government and private-sector coordination that harms especially smaller and under-resourced providers, and gaps in cybersecurity preparedness and resource allocation — translate into an insecure environment. As pressure on the SRH sector grows, strengthening policy and legal frameworks as well as digital defenses through collaborative approaches will be critical to safeguarding patient rights, safety of SRH staff, and the integrity and equity of provided healthcare.”
