TL;DR: Healthcare is under siege. In 2025, ransomware gangs launched 293 attacks on hospitals and clinics, exposing 44.3 million patients' medical records. The attackers are evolving: instead of just encrypting data, they're stealing it for extortion and corrupting backups. Predictions for 2026 are grim: 40% of health systems will be hit, 60% of hospitals will experience care disruptions. The Russian-speaking gangs INC and Qilin lead the assault. Your medical records (diagnoses, medications, mental health history) are being traded on dark web forums right now.
2025: The Numbers
The U.S. Department of Health and Human Services' Office for Civil Rights tracked 605 reported healthcare breaches affecting approximately 44.3 million people in 2025 [1].
- 293: Ransomware attacks on hospitals, clinics, and direct care providers (first 9 months)
- 130: Attacks on healthcare businesses (pharma, billing, tech vendors), up 30% from 2024
- 44.3 million: Patients whose data was exposed in healthcare breaches
- 7.4 million: Records confirmed stolen in ransomware attacks on providers
The Biggest Hits
Yale New Haven Health System: 5.56 Million Patients
On March 8, 2025, Yale New Haven Health detected "unusual activity" on its network. Hackers had already breached the system and were exfiltrating data. The stolen records included names, contact information, demographic data, medical record numbers, and Social Security numbers [2].
5.56 million patients. One of the largest healthcare breaches in U.S. history.
Covenant Health: 480,000 Patients
Covenant Health is currently notifying 480,000 patients of a 2025 data theft. The attack followed the now-standard pattern: infiltrate, exfiltrate, encrypt, extort [3].
NHS Synnovis Attack: Months of Chaos
The Russian-speaking gang Qilin attacked British pathology firm Synnovis in 2024, but the effects cascaded through 2025. The NHS was forced to cancel thousands of appointments. Blood shortages lasted months. Critical lab results were delayed [4].
This is what healthcare ransomware looks like at scale: not just stolen data, but delayed surgeries, missed diagnoses, and preventable deaths.
Who's Attacking
The ransomware ecosystem is dominated by a handful of prolific groups [1]:
| Ransomware Group | Attacks on Healthcare Providers | Confirmed Breaches |
|---|---|---|
| INC | 39 | 15 |
| Qilin | 34 | 14 |
| SafePay | 21 | |
| RansomHub | 13 | |
| Medusa | 13 | |
Most of these groups operate from Russia or former Soviet states. Some have explicit ties to Russian intelligence. All operate with impunity: Russia doesn't extradite hackers.
How Attacks Are Changing
Ransomware isn't what it was five years ago. The tactics have evolved [1][5]:
Less Encryption, More Extortion
Data encryption fell to just 34% of attacks, down from 74% in 2024. Only a third of attackers bother to lock up files anymore.
Why? Because stealing data is more profitable than encrypting it. Hospitals will pay to keep patient records off the dark web even if systems are still functional.
Backup Destruction
Attackers increasingly target and corrupt backup systems before launching visible attacks. When victims try to restore from backups, they find the backups are compromised too.
AI-Enabled Speed
The time from initial network access to full-scale attack is compressing. AI tools help attackers move faster, automate reconnaissance, and identify high-value targets within hospital networks. Expect this to accelerate in 2026 [5].
Supply Chain Targeting
Attacks on healthcare vendors rose 30% in 2025. Instead of hitting one hospital, attackers compromise a billing provider or software vendor that serves dozens of health systems.
The Money
Ransom economics shifted dramatically in 2025 [1]:
- Average demand: $514,000 (down from $4 million in 2024)
- Average payment: $150,000 (down from $1.47 million)
- Payment rate: 36% of victims paid (down from 61% in 2022)
Hospitals are paying less often. But attackers are compensating by hitting more targets. Volume over value.
The real cost isn't the ransom: it's the aftermath. The average data breach cost in healthcare exceeds $12 million when you factor in investigation, notification, legal fees, regulatory fines, and reputational damage [5].
2026: What's Coming
Security researchers predict 2026 will be worse [5]:
- 40%: Of health systems will experience ransomware attacks in 2026
- 60%: Of hospitals will face care disruptions from cyber incidents
- $12M+: Average breach cost predicted to exceed $12 million
- AI-Speed: Automated attacks will compress timelines from weeks to hours
Experts anticipate "more disruptive attacks masquerading as traditional ransomware events": attackers who don't just encrypt, but corrupt clinical systems, damage infrastructure, and deliberately prolong downtime [5].
Healthcare remains the most-attacked industry. And it's getting worse.
Why Healthcare?
Hospitals are perfect targets:
- Life-or-death pressure: When systems go down, patients can die. That creates urgency to pay.
- Legacy systems: Healthcare runs on outdated software. Many hospitals still use Windows 7 or older systems that can't be patched.
- Connected everything: Medical devices, IoT sensors, third-party systems: each is a potential entry point.
- Valuable data: Medical records sell for more than credit cards on dark web markets. A complete health record enables identity theft, insurance fraud, and blackmail.
- Regulatory burden: HIPAA breach notifications create additional pressure. Public exposure of a breach triggers lawsuits.
And there's no cavalry coming. Most hospitals operate on thin margins. Cybersecurity budgets compete with patient care. It's not a fair fight.
What This Means for You
If you've received medical care in the United States in the past decade, there's a reasonable chance your health records have been compromised at some point.
Stolen medical data can be used for:
- Insurance fraud: Criminals file claims using your identity
- Prescription fraud: Obtaining controlled substances in your name
- Identity theft: Medical records contain SSNs, addresses, and family information
- Blackmail: Mental health records, HIV status, and other sensitive diagnoses
- Medical identity theft: Someone else receives treatment under your name, corrupting your medical history
What You Can Do
Monitor Your Benefits
Check your insurance Explanation of Benefits statements. Any services you didn't receive? That's a red flag for medical identity theft.
Request Your Records
Under HIPAA, you have the right to access your medical records. Request them annually and look for unfamiliar entries.
Freeze Your Credit
Medical data enables financial identity theft. Freeze your credit at all three bureaus to prevent new accounts.
Accept Breach Monitoring
When healthcare providers offer free credit monitoring after a breach, take it. It's not perfect, but it's an additional layer.
The Systemic Problem
Individual vigilance isn't enough. This is a systemic failure:
- No federal cybersecurity mandate: Healthcare providers aren't required to meet minimum security standards
- Underfunded IT: Many hospitals can't afford dedicated security teams
- Vendor sprawl: The average hospital connects to hundreds of third-party systems
- No international enforcement: Ransomware gangs operate freely from Russia
Until there's real accountability (mandatory security standards, international prosecution, and meaningful penalties for negligence), the epidemic will continue.
References
- Industrial Cyber: Healthcare ransomware attacks surge 30% in 2025
- Bank Info Security: 2025 in Health Data Breaches and Predictions for 2026
- Bank Info Security: Covenant Health Notifying 480K Patients of 2025 Data Theft
- JAMA Network Open: Ransomware Attacks and Data Breaches in US Health Care Systems
- ScienceSoft: Ransomware Tops Growing Cyber Threats in Healthcare
- HIPAA Journal: Healthcare Data Breach Statistics