WASHINGTON, DC – Ransomware attacks on healthcare businesses surged 30% in the first nine months of 2025, according to new research from Comparitech's worldwide ransomware tracker. While direct attacks on hospitals, clinics, and care providers held steady at 293 incidents (similar to 2024), attackers increasingly targeted healthcare businesses—pharmaceutical manufacturers, medical billing providers, and healthcare tech companies—with 130 attacks representing a dramatic escalation.
This shift in attack patterns reveals a more sophisticated threat landscape. Rather than directly targeting individual healthcare providers with robust cybersecurity defenses, attackers are exploiting third-party vendors that service multiple healthcare organizations. When a single billing processor or technology vendor is compromised, hundreds or thousands of healthcare providers and millions of patients can be affected simultaneously.
The implications ripple far beyond immediate ransomware payments. Patient medical records are exposed, healthcare operations are paralyzed for days or weeks, regulatory penalties mount, class-action lawsuits proliferate, and cyber insurance premiums skyrocket. For patients, the attacks mean medical data breaches, delayed care, and increased identity theft risk. For healthcare organizations, they mean operational crises and financial devastation.
The Numbers Behind the Healthcare Ransomware Crisis
Attack Volume and Targets
423 total ransomware attacks on healthcare entities in the first nine months of 2025:
- 293 attacks on healthcare providers (hospitals, clinics, physician offices)
- 130 attacks on healthcare businesses (vendors, tech companies, billing processors)
30% increase in attacks on healthcare businesses year-over-year, representing a strategic shift by ransomware groups.
Healthcare is now the third most-targeted industry, behind only manufacturing and scientific research, according to Black Kite Security's 2025 report.
257 attacks on providers in the U.S. specifically, making America the primary target with 62% of global healthcare ransomware attacks occurring domestically.
Data Breaches and Records Exposed
Over 6 million records breached in confirmed attacks on healthcare businesses in 2025, though the true number is likely far higher as many breaches go unreported or unconfirmed.
585 healthcare data breaches reported to the Department of Health and Human Services in 2024—a 110% increase from 278 breaches in 2023, according to Black Kite Security.
190 million victims affected by the landmark February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, which has become the largest healthcare data breach in U.S. history.
Average of 1,925 weekly cyberattack incidents globally in Q1 2025, up 47% from previous periods, with healthcare, education, government, and telecommunications bearing the brunt.
Financial Impact
$532,000 average ransom demand for healthcare ransomware attacks in 2025, though actual payments vary widely (some organizations pay nothing, others pay millions).
$44.5 million average cost to recover from a healthcare ransomware attack when accounting for downtime, remediation, legal fees, regulatory penalties, and lost revenue—not just the ransom payment.
Business interruption losses dominate: Downtime costs exceed the actual ransom in most cases, with hospitals losing $50,000-$100,000+ daily when critical systems are offline.
Cyber insurance premiums surging: Healthcare organizations face 20-40% premium increases at renewal, with some facing non-renewal or drastically reduced coverage limits after claims.
Why Healthcare Is a Prime Ransomware Target
Ransomware groups don't attack randomly—they select targets based on likelihood of payment, ease of breach, and potential damage. Healthcare checks every box.
Critical Operations Cannot Tolerate Downtime
Life-or-death stakes: Unlike retailers or manufacturers that can tolerate days or weeks of downtime, healthcare providers face immediate consequences when systems go offline. Surgeries are canceled, emergency departments divert ambulances, patient care is compromised.
Pressure to pay quickly: The urgency to restore systems creates immense pressure to pay ransoms. Attackers know hospitals and clinics will prioritize patient safety over financial considerations, making healthcare organizations more likely to pay—and pay fast.
Example - Scripps Health (2021): The five-hospital system in San Diego was offline for nearly a month after a ransomware attack, costing an estimated $113 million in recovery and lost revenue. The incident demonstrates the catastrophic operational and financial impact even when ransoms aren't paid (Scripps refused to pay).
Valuable Data
Medical records fetch high prices: On dark web marketplaces, complete medical records sell for $250-$1,000 each, compared to $5-$50 for credit card numbers. Medical records contain everything needed for identity theft: Social Security numbers, addresses, dates of birth, insurance information, medical histories, and financial data.
Persistent value: Credit cards can be canceled; medical records cannot. The information retains value indefinitely for fraud and identity theft.
Blackmail potential: Beyond selling data, attackers threaten to publicly release sensitive medical information (HIV status, mental health records, substance abuse treatment, reproductive health), creating reputational and privacy nightmares for victims.
Vulnerable IT Infrastructure
Legacy systems: Many healthcare organizations run outdated software and operating systems that are no longer supported or patched. EHR (electronic health record) systems may run on Windows Server 2008 or similarly ancient infrastructure with known, unpatched vulnerabilities.
Medical device vulnerabilities: Connected medical devices (infusion pumps, imaging equipment, patient monitors) often run embedded operating systems that cannot be easily patched and create entry points for attackers.
Limited IT security budgets: Healthcare organizations operate on thin margins and historically underfund cybersecurity compared to other industries. A regional hospital may have 2-3 IT security staff protecting systems used by thousands of employees and containing millions of patient records.
Complex networks: Healthcare networks are vast and complex, connecting hospitals, clinics, pharmacies, insurance partners, and third-party vendors. Each connection point is a potential vulnerability.
Third-Party Vendor Vulnerabilities
The 2025 shift: Attackers have pivoted to targeting third-party vendors that serve multiple healthcare organizations, creating "one-to-many" attack scenarios where breaching a single vendor compromises dozens or hundreds of healthcare providers simultaneously.
Why this is effective:
- Vendors often have direct system access to multiple healthcare organizations
- A single breach spreads across the entire client base
- Vendors may have weaker security than major hospital systems
- The vendor's clients all simultaneously face operational disruption
Change Healthcare example: The February 2024 ransomware attack on Change Healthcare (a UnitedHealth Group subsidiary) affected thousands of pharmacies, hospitals, and medical practices nationwide. Change Healthcare processes approximately 15 billion healthcare transactions annually—about 1 in 3 patient records in America flows through its systems. When it was breached, the entire healthcare ecosystem felt the impact.
Regulatory and Reputational Pressures
HIPAA violations and penalties: Ransomware attacks that expose patient data typically result in HIPAA violations. HHS Office for Civil Rights can impose penalties up to $50,000 per violation, with annual maximums reaching $1.5 million per violation category.
Class-action lawsuits: Patients whose data is breached routinely file class-action lawsuits. These settlements often reach millions or tens of millions of dollars.
Reputational damage: Healthcare data breaches erode patient trust. Organizations publicly known for data breaches face patient attrition, negative media coverage, and damaged community relationships.
Regulatory scrutiny intensifies: After major breaches, healthcare organizations face years of heightened regulatory oversight, required security audits, and compliance monitoring.
The New Attack Pattern: Third-Party Vendors
The 30% surge in attacks on healthcare businesses (vs. providers) signals a strategic evolution in ransomware tactics.
Why Attackers Target Vendors
Multiplier effect: Compromising one vendor can impact dozens or hundreds of healthcare organizations simultaneously. Instead of breaching 50 hospitals individually, attackers breach the vendor those 50 hospitals use for billing, EHR, or IT services.
Lower security standards: Third-party vendors often have weaker cybersecurity than major hospital systems. A small medical billing company processing records for 30 clinics may lack the security resources of a large hospital system.
Access to multiple organizations: Vendors typically have privileged access to their clients' systems—direct connections to EHRs, billing systems, and patient databases. When the vendor is compromised, attackers inherit that privileged access to all client systems.
Shared systems amplify damage: When a vendor's platform goes offline, all their clients lose functionality simultaneously. A ransomware attack on a medical billing vendor can paralyze billing operations for hundreds of medical practices in a single stroke.
High-Profile Third-Party Attacks
Change Healthcare (February 2024): The UnitedHealth Group subsidiary was hit by ransomware, affecting thousands of pharmacies, hospitals, medical practices, and ultimately 190 million patients. The attack disrupted prescription processing nationwide, delayed insurance claims payments totaling billions of dollars, and cost UnitedHealth an estimated $2.3 billion in recovery costs, fines, and settlements.
Synnovis (2024, UK): The pathology services provider was attacked by the Qilin ransomware group, which demanded $50 million. The attack disrupted blood transfusions, cancer treatments, and pathology services across multiple UK hospitals for weeks.
Allianz Life cyberattack (2024): A third-party vendor vulnerability led to the Allianz Life data breach affecting customer information.
American Income Life data breach (2024): 150,000 customers had data exposed in a breach of a third-party vendor system.
The Cascading Effect
When a third-party vendor is breached, healthcare providers face:
Immediate operational disruption: Systems go offline. Electronic health records become inaccessible. Billing stops. Appointments may need rescheduling.
Data breach notification obligations: Even though the provider wasn't directly attacked, they must notify affected patients, HHS, and potentially media if the breach affects 500+ patients.
HIPAA liability: Healthcare providers are responsible for ensuring their vendors comply with HIPAA. A vendor breach can result in HIPAA penalties for the provider.
Patient backlash: Patients often blame their doctor's office or hospital, not the abstract third-party vendor they've never heard of.
Litigation risk: Providers can be named in class-action lawsuits alongside or instead of the breached vendor.
Business Interruption: The Hidden Cost
While ransom demands average $532,000, the true cost of healthcare ransomware attacks is operational downtime.
How Ransomware Shuts Down Healthcare Operations
Electronic health records (EHR) inaccessible: When EHR systems are encrypted or offline, clinicians cannot access patient histories, allergies, medications, prior test results, or treatment plans. Care quality plummets, and safety risks escalate.
Reversion to paper charts: Healthcare organizations often revert to manual, paper-based processes. This is slow, error-prone, and cannot scale. Staff accustomed to electronic workflows struggle with paper, leading to mistakes and massive inefficiency.
Diagnostic and treatment delays: Radiology systems (PACS), laboratory information systems, and pharmacy systems may be offline, delaying diagnoses and treatments. Cancer patients miss chemotherapy appointments. Surgery schedules are canceled.
Emergency department impact: EDs may go on "diversion," redirecting ambulances to other hospitals because they cannot safely treat emergency patients without access to critical systems.
Revenue loss: Every day systems are offline, healthcare organizations lose revenue. They can't bill for services, process insurance claims, or schedule appointments. Hospitals can lose $1-$3 million per day during major outages.
Real-World Downtime Examples
Scripps Health (2021): Nearly 30 days of downtime. Estimated $113 million total impact. The organization refused to pay the ransom but spent months recovering systems, restoring data from backups, and dealing with operational disruption.
Universal Health Services (2020): 400+ hospitals and care facilities across the U.S. were affected by ransomware, causing weeks of system outages. The estimated recovery cost exceeded $67 million.
Ireland's Health Service Executive (2021): The entire national healthcare system was crippled, forcing cancellation of appointments, surgeries, and diagnostic services across the country for weeks. The ransomware group eventually provided decryption keys without payment due to public pressure.
The "Domino Effect" Across Healthcare Ecosystems
Pharmacies can't fill prescriptions: When insurance claim processing systems (like Change Healthcare) are down, pharmacies can't verify coverage or process claims, forcing patients to pay out-of-pocket or go without medications.
Physician practices can't submit claims: Medical practices that rely on third-party billing companies can't submit insurance claims, cutting off their revenue streams. Many small practices faced cash flow crises during the Change Healthcare attack.
Insurance companies can't pay claims: When clearinghouses or processors are offline, insurance companies can't receive or process claims, delaying reimbursements to providers and payments to patients.
Patients face care disruptions: Canceled appointments, delayed test results, inability to fill prescriptions, and forced transfers to other facilities create real harm to patient health outcomes.
How Healthcare Organizations Are Responding
Facing escalating attacks, healthcare organizations and the industry overall are implementing stronger defenses—though progress is uneven.
Enhanced Cybersecurity Measures
Zero-trust architecture: Implementing "never trust, always verify" models where every user, device, and application must be continuously authenticated and authorized.
Network segmentation: Isolating critical systems (EHR, billing, imaging) from less critical systems and from the internet to limit ransomware spread.
Multi-factor authentication (MFA): Requiring MFA for all system access, particularly for privileged accounts and remote access.
Endpoint detection and response (EDR): Deploying advanced endpoint security that detects and responds to threats in real-time rather than relying solely on signature-based antivirus.
Email security: Implementing advanced email filtering with link sandboxing and attachment analysis to block phishing emails, which remain the primary attack vector.
Regular patching and updates: Establishing rigorous patch management programs to close known vulnerabilities before attackers exploit them.
Third-Party Risk Management
Vendor security assessments: Healthcare organizations are conducting thorough security evaluations of vendors before engagement and ongoing assessments during the relationship.
Contractual security requirements: Including specific cybersecurity standards in vendor contracts, with audit rights and breach notification requirements.
Business Associate Agreements (BAAs): Ensuring all vendors with access to protected health information sign BAAs specifying HIPAA obligations, liability allocation, and breach protocols.
Vendor monitoring: Continuously monitoring vendor security posture using third-party risk management platforms.
Breach response planning: Creating incident response plans that specifically address third-party breaches and coordinated response with vendors.
Backup and Recovery
Immutable backups: Creating backups that cannot be altered or encrypted by ransomware, stored offline or in air-gapped environments.
Regular backup testing: Conducting frequent restore tests to ensure backups are functional and recovery times are acceptable.
Recovery time objectives (RTOs): Establishing clear targets for how quickly critical systems must be restored and investing in technology and processes to meet those targets.
Cyber resilience planning: Developing playbooks for operating in degraded states (paper charting, manual processes) when systems are offline.
Cyber Insurance
Market evolution: The cyber insurance market for healthcare is tightening. Insurers are demanding specific security controls as coverage prerequisites, including MFA, EDR, network segmentation, and regular vulnerability scanning.
Higher premiums: Healthcare organizations face 20-40% premium increases year-over-year, with some facing 100%+ increases or non-renewal after claims.
Sublimits on ransomware: Some policies now cap ransomware coverage at amounts well below overall policy limits, recognizing ransomware as a particularly high-frequency, high-severity risk.
Proactive security requirements: Insurers require documented cybersecurity programs, regular penetration testing, incident response plans, and security awareness training as prerequisites for coverage.
What This Means for Patients
Your Medical Data Is at Risk
6.5 million healthcare records were breached in just the first nine months of 2025 in confirmed attacks—the actual number is certainly higher.
190 million people were affected by the Change Healthcare breach alone, meaning if you've received healthcare in the past few years, your data may have been compromised.
What's exposed: Names, Social Security numbers, dates of birth, addresses, insurance information, medical histories (diagnoses, treatments, prescriptions, test results), financial data (credit cards, bank accounts).
Long-term risk: Medical records don't expire. Stolen information can be used for identity theft, insurance fraud, and blackmail years after the breach.
Care Disruptions Are Real
Canceled appointments and surgeries: When hospitals are hit by ransomware, elective surgeries are canceled, specialist appointments are postponed, and care is delayed.
Emergency department diversions: ED closures during attacks force patients to travel farther for emergency care, creating real safety risks, particularly in rural areas or for time-sensitive conditions like strokes and heart attacks.
Prescription delays: When pharmacy systems or insurance clearinghouses are offline, patients face delays filling prescriptions or are forced to pay full out-of-pocket costs.
Test result delays: Ransomware affecting laboratory systems can delay critical test results, including cancer diagnoses, infectious disease tests, and bloodwork.
Increased Insurance and Medical Costs
Cyber insurance costs are passed to consumers: Healthcare organizations facing 30-40% cyber insurance premium increases pass those costs to patients through higher medical bills and insurance premiums.
Breach recovery costs: The tens or hundreds of millions spent on recovery, legal fees, settlements, and system hardening ultimately drive up healthcare costs across the board.
Inefficiency costs: Time spent on manual workarounds during outages reduces productivity and increases administrative overhead, raising healthcare costs.
What You Can Do to Protect Yourself
While you can't prevent healthcare organizations from being attacked, you can minimize your personal risk:
Monitor Your Medical Records and Accounts
Review Explanation of Benefits (EOBs): When you receive EOBs from your insurance company, review them carefully for services you didn't receive. Medical identity theft often appears as claims for services you never had.
Request annual credit reports: Federal law entitles you to free annual credit reports from each of the three credit bureaus. Review for unauthorized accounts or inquiries.
Monitor credit: Consider credit monitoring services that alert you to new accounts, inquiries, or significant changes. Many are free or low-cost.
Check medical records: Periodically request and review your medical records for accuracy. If you find treatments or diagnoses you didn't receive, report it immediately to your provider and insurance company.
Respond Promptly to Breach Notifications
Read breach notices carefully: If you receive notification that your healthcare data was breached, read it completely. It will explain what information was compromised, what the organization is doing, and what you should do.
Take advantage of free services: Many breach notifications include offers of free credit monitoring or identity theft protection for 1-2 years. Enroll in these services.
Place fraud alerts: Consider placing fraud alerts on your credit reports (they are free and last one year), making it harder for identity thieves to open accounts in your name.
Consider credit freezes: For maximum protection, freeze your credit with all three bureaus. This prevents anyone (including you) from opening new credit accounts without unfreezing.
Be Vigilant About Phishing
Healthcare data breaches are often followed by targeted phishing: Attackers use stolen patient information to craft convincing phishing emails or calls claiming to be from your hospital, doctor's office, or insurance company.
Never click links or attachments in unsolicited emails: If you receive an email claiming to be from your healthcare provider asking you to log in, update information, or download an attachment, don't click. Navigate directly to the provider's website or call their official number.
Verify caller identity: If someone calls claiming to be from your healthcare provider or insurance company and asks for personal information, hang up and call the official number yourself to verify.
Ask Healthcare Providers About Security
You have the right to ask: When choosing healthcare providers, you can ask about their cybersecurity practices. Do they use encryption? How do they train staff on security? Have they had breaches?
Consider data minimization: When filling out forms, question whether every data point is truly necessary. The less information you provide, the less can be compromised.
Opt for patient portals carefully: Patient portals provide convenient access to your medical records but are also potential targets. Use strong, unique passwords and enable multi-factor authentication if available.
The Path Forward: Industry and Policy Changes Needed
The healthcare ransomware crisis demands systemic solutions, not just individual organizational responses.
Stronger Federal Cybersecurity Requirements
Mandatory minimum security standards: HIPAA's security requirements are outdated and vague. Updated regulations should mandate specific controls: MFA, EDR, network segmentation, encryption, and regular penetration testing.
Third-party vendor regulations: Federal rules should explicitly hold healthcare organizations accountable for vendor security and require standardized vendor risk assessments.
Breach notification improvements: Current breach notification rules are slow. Requirements should mandate faster notification (within days, not months) and clearer communication about risks and mitigation.
Funding for Healthcare Cybersecurity
Federal grants for small and rural providers: Community hospitals and rural providers lack resources for robust cybersecurity. Federal grant programs could help bridge the gap.
Tax incentives for security investments: Offering tax credits or deductions for qualified cybersecurity investments could encourage healthcare organizations to prioritize security.
HHS cybersecurity resources: Expanding HHS resources to provide technical assistance, threat intelligence sharing, and incident response support to healthcare organizations under attack.
International Law Enforcement Coordination
Most ransomware groups operate from overseas: Effective response requires international cooperation to investigate, prosecute, and dismantle ransomware operations.
Cryptocurrency regulation: Ransomware payments typically occur via cryptocurrency. Stronger regulations on cryptocurrency exchanges could make it harder for attackers to profit.
Sanctions and penalties: Targeting ransomware groups, affiliates, and cryptocurrency services that facilitate attacks with economic sanctions can reduce the financial incentive.
Industry Collaboration
Threat intelligence sharing: Healthcare organizations should share threat intelligence and indicators of compromise through Information Sharing and Analysis Centers (ISACs) to improve collective defense.
Best practices dissemination: High-performing organizations should share effective security strategies with smaller or less-resourced providers.
Coordinated vendor vetting: Industry-wide vendor security standards could reduce the burden on individual organizations and improve overall security.
Key Takeaways
Healthcare ransomware attacks surged 30% in 2025, with attackers increasingly targeting third-party vendors to create cascading breaches affecting multiple healthcare organizations simultaneously.
The financial impact extends far beyond ransom payments: Business interruption costs, recovery expenses, regulatory penalties, and litigation often total tens or hundreds of millions per incident.
Patients face real consequences: Canceled care, prescription delays, exposed medical data, and increased identity theft risk directly harm patient health and financial wellbeing.
The industry is responding but progress is uneven: Large health systems invest heavily in cybersecurity, but small practices and rural hospitals often lack resources for adequate defenses.
Systemic solutions are needed: Federal regulations, industry collaboration, international law enforcement coordination, and funding for under-resourced providers are critical to turning the tide against healthcare ransomware.
The healthcare ransomware crisis is not a future threat—it's a current reality affecting millions of Americans. The 30% surge in attacks on healthcare businesses in 2025 demonstrates attackers are evolving faster than defenses. Until healthcare organizations, regulators, and law enforcement collectively address the problem with urgency and resources, attacks will continue escalating, patient data will remain at risk, and care disruptions will persist.
Concerned about healthcare cybersecurity risks? Whether you're a healthcare provider struggling with cyber insurance requirements or a patient whose data has been breached, understanding the landscape and taking proactive steps can reduce risk and minimize damage. The threat is real, but so are effective defenses.
Sources: Comparitech, BetaNews, Sophos, HIPAA Journal, LinkedIn (Black Kite Security)