UHS A.I CyberSecurity Scoring
UHS
Company Information
Website:http://www.unchealthse.org
Employees number:266
Number of followers:888
NAICS:62
Industry Type:Hospitals and Health Care
Homepage:unchealthse.org
UHS Risk Score (AI oriented)
Between 750 and 799
UHSHospitals and Health Care
Updated:
08/03/2026
08/03/2026
753/1000
Fair
Baa
UHS Global Score (TPRM)
xxxx
UHSHospitals and Health Care
Score locked

UHSFair
Current Score
753Baa (FAIR)
01000
1 incidents
-11 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
754
JUNE 2026
753
MAY 2026
753
APRIL 2026
753
MARCH 2026
753
FEBRUARY 2026
764
Vulnerability
04 Feb 2026 • UHS
Southeastern U.S. Hospital: HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital
HHS-OIG Audit Reveals Critical Web Application Security Gaps at Major U.S. Hospital
753
CRITICAL-11
UNC1770223081
HHS-OIG Audit Reveals Critical Web Application Security Gaps at Major U.S. Hospital
A recent audit by the Department of Health and Human Services Office of Inspector General (HHS-OIG) uncovered significant security vulnerabilities in internet-facing applications at a large Southeastern U.S. hospital, raising concerns about similar risks across the healthcare sector. The audit, conducted to evaluate cybersecurity controls, continuity of care during cyberattacks, and protection of Medicare enrollee data, found that while the hospital had implemented foundational safeguards, critical weaknesses persisted.
The 300+ bed hospital, part of a network sharing protected health information (PHI), adhered to the HITRUST Common Security Framework (CSF) v9.4 and HIPAA Rules for compliance. However, penetration tests and vulnerability assessments on four of its web applications revealed exploitable flaws:
- Credential Capture & Account Compromise: HHS-OIG successfully obtained login credentials via a phishing simulation, with 108 of 2,171 recipients (6%) clicking the malicious link and one user submitting credentials. While the compromised account lacked direct patient data, it allowed access to device management controls, including the ability to disable multifactor authentication (MFA) and modify account-linked devices.
- Injection Attack Vulnerability: A separate application lacked input validation controls, enabling potential code injection attacks that could manipulate system commands or exfiltrate sensitive data. Despite prior vulnerability scans and third-party tests, the flaw went undetected, and the application lacked a web application firewall (WAF) to block malicious traffic.
The audit resulted in four key recommendations:
1. Strengthen user identification and authentication (UIA) controls for the account management application.
2. Regularly assess and update UIA controls across all systems.
3. Evaluate all web applications for the need for automated protections like WAFs.
4. Expand vulnerability testing to include dynamic, static, and manual application testing.
HHS-OIG did not disclose the hospital’s identity to avoid targeting by threat actors but indicated plans for additional audits to identify systemic issues and improve HHS guidance for healthcare providers.
Industry experts, including Russell Spitler (CEO of Nudge Security), emphasized the shift in healthcare cybersecurity risks, noting that traditional network-focused controls fail to protect cloud-based SaaS applications, where data flows across organizational boundaries. Spitler highlighted the need for comprehensive visibility and strong authentication (e.g., MFA, SSO) to secure evolving attack surfaces.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JANUARY 2026
764
DECEMBER 2025
764
NOVEMBER 2025
764
OCTOBER 2025
764
SEPTEMBER 2025
764
AUGUST 2025
764
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for UHS ??
What was UHS's A.I Rankiteo Cyber Score in June 2026 ??
What was UHS's A.I Rankiteo Cyber Score in May 2026 ??
What was UHS's A.I Rankiteo Cyber Score in April 2026 ??
What was UHS's A.I Rankiteo Cyber Score in March 2026 ??
What was UHS's A.I Rankiteo Cyber Score in February 2026 ??
What was UHS's A.I Rankiteo Cyber Score in January 2026 ??
What was UHS's A.I Rankiteo Cyber Score in December 2025 ??
What was UHS's A.I Rankiteo Cyber Score in November 2025 ??
What was UHS's A.I Rankiteo Cyber Score in October 2025 ??
What was UHS's A.I Rankiteo Cyber Score in September 2025 ??
What was UHS's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on UHS's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with UHS ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view UHS's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?