Cybersecurity in medical billing: Protecting patient data in the age of AI

This post is the second installment of the Medical Biller's Triple Threat series that explores how billing leaders are navigating AI, compliance, and cybersecurity.

Billing companies hold vast amounts of protected health information (PHI) and financial data — making them prime targets for increasingly sophisticated cyberattacks. With HIPAA enforcement entering a new era through proposed 2025 Security Rule updates, and attackers now using AI to enhance phishing attempts, cybersecurity has shifted from an IT concern to business-critical priority.

According to Tebra's 2024 survey of medical billing professionals, gaps exist with cybersecurity preparedness:

Of respondents, 83% also express concern about a breach's financial or reputational impact.

Here's how billing leaders are building layered defenses — ones that not only protect against evolving cyber threats but also position their companies as trusted partners.

Modern cybercriminals are targeting medical billing companies with increasingly complex methods, and some are beginning to layer in AI to mimic tone, target at scale, and make phishing attempts harder to spot.

Here are some top threats to watch out for:

The United States Office of Civil Rights (OCR) has seen a sharp increase in reports of large breach reports received over the last 5 years. Reports of large breaches increased by 102% from 2018 to 2023, and the number of individuals affected by such breaches increased by 1002%. 

To respond to this substantial increase of reports, OCR issued proposed changes that would fundamentally change HIPAA Security Rule requirements. Some of the proposed updates include:

These changes represent the most substantial HIPAA security updates in nearly 2 decades, with compliance timelines that will require immediate action from billing companies once finalized.

Aimee Heckman, Director of Revenue Cycle Management at Ash Business Solutions, emphasizes the urgency: "It has been nearly 20 years since the HIPAA Security Rule had any significant updates — but that's changing in 2025. Billing companies must act now to protect ePHI and avoid costly audits or breaches."

The most effective cybersecurity approach involves multiple protective measures working together. Build a robust cybersecurity posture with these 3 layers:

Alexis Marshall, Client Solutions Manager at Medical Billing Strategies, describes her team's comprehensive strategy: "We've embedded phishing alerts, cloud-based sharing, and file access controls across the board — so even if one point fails, the others hold."

Aimee Heckman offers a practical approach for billing companies working with limited resources: "Start with the basics — email filtering, antivirus, and regular updates — then layer on affordable support like using MSSPs, quarterly phishing training, and a clear breach response plan."

Here's further guidance on each of the basics:

Once fundamental protections are in place, you can join proactive billing companies who are incorporating AI into their cybersecurity strategies. AI solutions can help security systems:

In 2025, cybersecurity should be treated as a core business risk rather than an IT afterthought. Building layered defenses is the most effective way to avoid costly breaches, meet rising HIPAA standards, and protect the client trust that drives business growth.

As cyber threats continue evolving and regulatory scrutiny intensifies, implementing proactive security measures become non-negotiable for long-term business sustainability.

Download our complete guide to facing the triple threats in medical billing for 2025: AI and automation, cybersecurity risks, and increasing regulatory scrutiny. Get expert strategies from industry leaders who are successfully building resilient, secure billing operations.