FQHCs Are the Most Under-Defended Target in Healthcare Cybersecurity. Here's the Evidence.

Obi Ibeto

Federally Qualified Health Centers face the same ransomware and phishing threats as hospitals but with a fraction of the security resources. Here's the data — and what FQHCs must do in 2026.

The Cherry Street Health Services ransomware attack in 2023 affected 184,372 patients across Michigan, a very large breach for a single community health center. Cherry Street is a Federally Qualified Health Center. It serves uninsured and underinsured patients across 15 sites. It does not have a CISO, a security operations center, or an enterprise IT budget.

It had what most FQHCs have: a small IT team doing their best with the resources a Section 330 grant-funded organization can afford, in a regulatory environment that mandates HIPAA compliance but does not provide the funding to achieve it.

This is not a Cherry Street problem. It is a sector problem — and the evidence supports a stark conclusion: FQHCs are among the most under-defended targets in healthcare cybersecurity, and attackers know it.

The Evidence: Why FQHCs Are Specifically Targeted

The Treasure-to-Defense Ratio Is Unmatched

A Federally Qualified Health Center serves, on average, between 3,000 and 50,000 patients per year. It holds complete medical records: diagnoses, medications, mental health history, substance use treatment records (protected by 42 CFR Part 2 in addition to HIPAA), reproductive health records, immigration-sensitive information, and social determinants of health data.

This data has significant dark web value. Medical records sell for approximately $250–$1,000 each — far more than credit card numbers — because they enable long-duration identity fraud and are difficult to cancel.

Against that treasure, the typical FQHC defense is: a shared IT staff member (often managing multiple health center responsibilities), basic antivirus, a firewall, and annual HIPAA training.

The treasure-to-defense ratio — high-value data, minimal security infrastructure — is what makes FQHCs attractive targets.

Ransomware Groups Explicitly Target Healthcare Safety-Net Organizations

HHS's Health Sector Cybersecurity Coordination Center (HC3) has documented the targeting of community health centers by ransomware groups including LockBit, Hunters International, Cl0p, and ALPHV/BlackCat. These groups conduct reconnaissance before striking — they assess organization size, IT infrastructure complexity, likely insurance coverage, and the political sensitivity of disrupting care for vulnerable populations.

FQHCs check multiple target criteria: they serve populations whose care disruption has high political visibility (increasing pressure to restore operations quickly), they have limited backup and recovery infrastructure, and they typically lack the incident response resources to contain an attack quickly.

The HIPAA Enforcement Gap in Safety-Net Healthcare

OCR's enforcement resources are finite. For most of its enforcement history, OCR has concentrated on larger covered entities with significant breach events. FQHCs — as small covered entities with limited visibility — have historically received less OCR scrutiny.

The 2026 enforcement expansion changes this. OCR has explicitly stated that its risk analysis and risk management enforcement initiative targets organizations across all size categories. FQHCs are covered entities. They are in scope.

The Resource Reality: Why FQHCs Are Under-Defended

The gap between what FQHCs need for adequate cybersecurity and what they can afford from Section 330 grant funding is real. A hospital with a $500 million annual operating budget can invest $10–$15 million in security, two to three percent of operating spend. An FQHC with a $5 million annual budget spending the same proportion has $100,000–$150,000 a year, roughly one security engineer's salary before a single tool is bought.

The result: FQHCs routinely operate without:

  • Endpoint detection and response (EDR) — behavioral detection that recognizes the mass file encryption, shadow-copy deletion and lateral movement of a ransomware deployment and can isolate the host before it spreads
  • 24/7 Security Operations Center monitoring — meaning nights, weekends and holidays, when ransomware operators typically time their deployment, have no coverage
  • Advanced email security (link and attachment analysis, DMARC enforcement) — despite phishing being the primary ransomware delivery mechanism
  • Immutable or offline backups, tested by actually restoring from them — the only reliable way to recover from ransomware without paying
  • Documented risk analyses — the HIPAA-required foundation of every compliance program

These are not luxuries. They are the basic infrastructure of a defensible security posture. And FQHCs consistently lack most or all of them.
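To make the EDR point concrete, here is a small behavioral detector, added as an illustration and not code from this article or from any product it mentions. It replays constructed endpoint events for a single workstation and alerts on two signals an EDR is expected to catch: a burst of writes to unfamiliar file extensions by one process (mass encryption in progress), and a command line that deletes shadow copies or otherwise disables local recovery. The process names, paths, the 20-files-in-60-seconds threshold and the list of expected extensions are assumptions chosen for the demo.

```python
"""Added example: a toy behavioural ransomware detector over constructed events.

Two rules, both behavioural rather than signature-based:
  1. encryption_burst: one process writes/renames many files with extensions
     not normally produced on the host within a short window;
  2. recovery_tamper: a command line that destroys local recovery options
     (shadow copies, backup catalog, Windows recovery mode).
Thresholds, names and paths are assumptions for the demo, not article values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str    # image name of the acting process
    kind: str    # "file_write", "file_rename" or "proc_create"
    detail: str  # file path for file events, command line for proc_create


# Command lines ransomware commonly runs before encrypting, to block rollback.
# Case-insensitive because operators vary the casing.
RECOVERY_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)

# Extensions normal clinic workflows produce (assumed list); writes to anything
# else count toward the burst rule.
EXPECTED_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".csv", ".hl7", ".bak"}


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect(events, burst_threshold=20, window=timedelta(seconds=60)):
    """Return alert dicts in timestamp order of the event that triggered them."""
    alerts = []
    recent = defaultdict(deque)   # (host, proc) -> timestamps of unusual writes
    burst_fired = set()           # alert once per (host, proc), not once per file
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "proc_create":
            if RECOVERY_TAMPER.search(ev.detail):
                alerts.append({"rule": "recovery_tamper", "host": ev.host,
                               "proc": ev.proc, "ts": ev.ts, "detail": ev.detail})
            continue
        if ev.kind not in ("file_write", "file_rename") or _ext(ev.detail) in EXPECTED_EXT:
            continue
        key = (ev.host, ev.proc)
        q = recent[key]
        q.append(ev.ts)
        while ev.ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= burst_threshold and key not in burst_fired:
            burst_fired.add(key)
            alerts.append({"rule": "encryption_burst", "host": ev.host,
                           "proc": ev.proc, "ts": ev.ts,
                           "detail": f"{len(q)} writes to unexpected extensions "
                                     f"in {int(window.total_seconds())}s"})
    return alerts


def build_sample_events():
    """Constructed telemetry for one workstation at 02:15 on a Saturday."""
    t0 = datetime(2025, 3, 1, 2, 15, 0)
    ev = []
    # Benign: a nightly backup agent writing a handful of .bak files.
    for i in range(5):
        ev.append(Event(t0 + timedelta(seconds=i * 5), "WS-FRONTDESK-03",
                        "backupagent.exe", "file_write", f"D:\\backups\\ehr_{i}.bak"))
    # Malicious: shadow copies wiped, then 25 patient documents renamed to
    # .locked within 25 seconds by an unfamiliar binary.
    ev.append(Event(t0 + timedelta(seconds=10), "WS-FRONTDESK-03", "cmd.exe",
                    "proc_create", "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"))
    for i in range(25):
        ev.append(Event(t0 + timedelta(seconds=20 + i), "WS-FRONTDESK-03",
                        "svchost_update.exe", "file_rename",
                        f"\\\\FS01\\patients\\chart_{i:04d}.pdf.locked"))
    return ev


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(a["ts"].isoformat(), a["host"], a["rule"], a["proc"], "-", a["detail"])
```

Run it and the two alerts print in order: the shadow-copy deletion at 02:15:10, then the encryption burst once the twentieth unusual rename lands at 02:15:39. The backup agent never fires because it writes an expected extension and stays under the threshold. A real EDR does this kind of correlation in the kernel with far richer telemetry and can isolate the host on the spot; the point is that the detection is behavioral, so it works against a ransomware binary no antivirus signature has seen.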

What a Ransomware Attack Means for an FQHC's Patients

FQHCs serve patients who cannot access care elsewhere — uninsured individuals, Medicaid beneficiaries, homeless populations, migrant farmworkers, patients in rural areas with no alternative provider. When an FQHC's systems go down, many of these patients have nowhere else to go.

A ransomware attack that locks an FQHC's EHR, scheduling system, and pharmacy coordination tools is not just an IT incident. It is a public health event. Patients who cannot refill prescriptions, who cannot access mental health services, who cannot access chronic disease management care — during a ransomware recovery period that can last weeks — experience real health consequences.

This is the full cost of under-investment in FQHC cybersecurity: not just the financial and regulatory exposure of a breach, but the care disruption for the communities these organizations exist to serve.

The 2026 Mandate: What FQHCs Must Have

The 2026 HIPAA Security Rule update creates mandatory requirements that FQHCs, as covered entities, must meet:

  • Encryption of ePHI at rest and in transit on all systems and devices
  • Multi-factor authentication for all accounts with ePHI access
  • Automated vulnerability scanning at least every six months
  • Annual penetration testing
  • 72-hour internal breach notification procedures

These are not aspirational standards. They are legal requirements with enforcement consequences.

The good news is that FQHC-appropriate managed cybersecurity — services sized and priced for community health centers — can deliver all five requirements as a managed service, at a cost that fits within HRSA 330 grant allowable expenses.

What Needs to Change

HRSA should explicitly recognize cybersecurity as a funded allowable cost. Section 330 grant guidance allows for "administrative and indirect costs" that support operations. HIPAA-required security controls are operational necessities. HRSA should issue explicit guidance recognizing cybersecurity managed services as allowable costs under 330 grants.

FQHCs should pool cybersecurity purchasing through Primary Care Associations. State PCAs can negotiate group purchasing agreements for cybersecurity services — reducing per-organization cost through collective volume. This model has worked for EHR purchasing and clinical quality programs; it can work for cybersecurity.

Federal support for FQHC cybersecurity should match the mandate. The 2026 HIPAA Security Rule update imposes new requirements on FQHCs without providing additional funding. Congress should authorize grant programs specifically for FQHC cybersecurity infrastructure.


FQHCs deserve enterprise-grade cybersecurity at community health center pricing. ShieldForce provides HIPAA-ready managed cybersecurity specifically designed for FQHCs and community health centers — including Section 330-aligned documentation.

Start with a free HIPAA risk assessment for your health center.