Large ransomware attacks — in which hackers encrypt hospitals' data, then make them pay to decrypt it — aren't always reported to the Health and Human Services Department. The Wall Street Journal has an interesting dive into the reporting rules for health-care hacks, which only require companies to notify HHS when patients' medical or financial data has been exposed.
Why it matters: Hospitals don't want the expensive black eye that can come with the public disclosure of a big data breach. But public reporting is one of the key ways that hospitals learn from each other's misfortunes. In a field that's incredibly vulnerable to cyberattacks, striking that balance is critically important.