Skip to content
Security & Trust

Healthcare Websites on WordPress: Patient Data Behind 18,005 CVEs

Medical practices, hospitals, and health systems running patient-facing services on the web's most-attacked framework.

· 6 min read
Share on X LinkedIn
Healthcare Websites on WordPress: Patient Data Behind 18,005 CVEs

The Healthcare Web Problem

A significant percentage of healthcare provider websites run WordPress — appointment scheduling, patient portals, telehealth intake forms, prescription refill requests. These sites handle protected health information (PHI) regulated by HIPAA and equivalent laws globally.

They're running on a framework with 18,005 known vulnerabilities.

The Compliance Gap

HIPAA requires 'reasonable and appropriate safeguards' for PHI. Running patient-facing services on a framework that averaged 11+ new vulnerabilities per day in 2025 raises serious questions about what's 'reasonable.'

$50,000 - $1.5 million
Average HIPAA violation fine
Source: HHS Office for Civil Rights published HIPAA penalty tiers. 45 CFR 160.404. Adjusted for inflation.
$10.9 million
Healthcare data breach average cost
Per incident. Highest of any industry for 13 consecutive years (IBM Cost of Data Breach Report).

The Plugin Problem in Healthcare

Healthcare WordPress sites typically run appointment booking plugins, HIPAA-compliant form plugins, patient portal integrations, and EHR connectors. Each of these plugins handles sensitive data. Each is an independent codebase with its own security profile.

When a booking plugin has a vulnerability, patient appointment data is exposed. When a form plugin is compromised, intake questionnaires — containing medical history, insurance information, and personal identifiers — are at risk.

The Regulatory Direction

Healthcare regulators globally are tightening requirements around digital infrastructure security. The EU's NIS2 directive, updated HIPAA enforcement priorities, and state-level health data privacy laws all point in the same direction: organizations must demonstrate proactive security posture, not just incident response.

Running patient services on a framework that requires constant patching against a stream of new vulnerabilities is increasingly difficult to defend as 'proactive.'

The Alternative Is Not Theoretical

A healthcare provider website on Astro (score: 84/100) or Hugo (score: 75/100) with a headless CMS for content management and a HIPAA-compliant API backend for patient data: zero plugin attack surface, zero PHP vulnerabilities, minimal server-side exposure. The compliance posture is categorically stronger.

This isn't about technology preference. It's about fiduciary responsibility to patients whose data you hold.

Related industries
Share this insight