Healthcare Under Siege: 47 Ransomware Victims in 30 Days as Patient Safety Crisis Deepens
21 active threat groups. 276 million patient records breached in 2024. Lives hanging in the balance.
The numbers are staggering: 47 healthcare organizations attacked in the last 30 days. But behind each statistic lies a more disturbing reality—patients whose surgeries were postponed, ambulances diverted to overwhelmed emergency rooms, and medical staff reduced to scribbling notes on paper while life-saving monitoring systems sat dark and useless.
Healthcare has become ransomware's deadliest battleground. While other industries measure losses in dollars and downtime, hospitals count them in patient outcomes—and increasingly, in lives lost. As we enter February 2026, the assault on American medical infrastructure shows no signs of abating, with 21 active ransomware operations simultaneously targeting the sector.
This is not a cybersecurity problem. This is a patient safety emergency.
The 30-Day Snapshot: A Sector Under Fire
Our signals intelligence database reveals a disturbing concentration of attacks against healthcare in early 2026:
- 47 confirmed healthcare victims across the United States
- 21 distinct ransomware groups actively targeting the sector
- Most active threat actors: Insomnia, Clop, RansomHouse, Akira, Nitrogen, Qilin, Rhysida
- Average ransom demand: $615,000 for healthcare providers (2025 data)
- Data exfiltration: Over 115 TB stolen from healthcare providers in 2025 alone
The attackers aren't choosing healthcare randomly. They've recognized that medical organizations face a unique calculus: when systems go dark, patients may die. That life-or-death urgency translates directly into higher payment rates and faster negotiations.
When Ransomware Kills: The Patient Safety Crisis
The Mortality Evidence
Research from the University of Minnesota's School of Public Health delivers stark evidence that ransomware attacks directly contribute to patient deaths:
- 20-35% increase in in-hospital mortality for patients admitted during active ransomware attacks
- 42-67 Medicare patient deaths directly attributable to ransomware incidents between 2016 and 2021
- 81% surge in cardiac arrest cases at hospitals receiving overflow patients from attacked facilities
- Decreased survival rates for cardiac arrest patients at neighboring facilities during attacks
These numbers represent a grim reality: when Hospital A goes offline, Hospitals B, C, and D face patient surges that overwhelm their capacity. The cascade effect degrades care for everyone in the region—not just those directly affected by the attack.
The Cascade of Care Disruption
A University of California San Diego study documented the real-world impact on patient care during ransomware incidents:
- Emergency department wait times spike dramatically
- "Left without being seen" rates increase substantially
- Time-sensitive treatments for stroke, heart attack, and sepsis face dangerous delays
- Manual processes replace electronic safety checks, increasing medication errors
- Imaging and laboratory services grind to a halt
- Pharmacy systems go offline, delaying critical medications
In 2020, an Alabama family sued a hospital after their newborn died following complications allegedly worsened by a ransomware attack that disabled critical monitoring systems during delivery. The case was settled, but raises profound questions about how many similar tragedies go unreported—buried in the chaos of institutions struggling to recover while simultaneously caring for patients.
Why Healthcare Is Under Attack: The Perfect Storm
1. Data Value Supremacy
Protected Health Information (PHI) represents the gold standard of stolen data. Unlike credit card numbers that can be cancelled in minutes, medical records contain immutable personal details—Social Security numbers, insurance information, complete medical histories, and financial data—that enable long-term identity fraud, insurance scams, and targeted attacks for years or decades.
On dark web markets, a complete medical record fetches 10-40 times the price of a stolen credit card number. Attackers know this.
2. Life-or-Death Urgency
When hospital systems go dark, the pressure to pay becomes existential. A retail business can weather downtime. A hospital watching its ICU monitors go black cannot afford that luxury. This urgency translates directly into higher payment rates and faster negotiations—exactly what ransomware operators want.
3. Complex, Legacy Infrastructure
Healthcare networks typically comprise a patchwork of technological debt:
- Legacy medical devices running Windows XP or older operating systems
- Multiple vendor systems with varying security postures
- Interconnected third-party providers for billing, labs, and imaging
- Electronic Health Record (EHR) systems critical to every aspect of care delivery
- Medical IoT devices designed for functionality, not security
Each connection point represents a potential entry vector. Each legacy system represents a vulnerability that may never be patched.
4. Resource Constraints
Many healthcare organizations—particularly smaller practices, rural hospitals, and community health centers—lack dedicated security staff. They operate on thin margins that limit cybersecurity investment, often choosing between new medical equipment and security upgrades. Attackers have noticed this vulnerability gap.
The Threat Landscape: February 2026
Insomnia: The Emerging Healthcare Predator
A newly prominent group discovered in February 2026 has emerged with aggressive healthcare targeting that demands attention:
- Total victims: 18 organizations (9 confirmed healthcare)
- Healthcare focus: 50% of all victims are medical providers
- Average attack-to-disclosure delay: 67.9 days
- Contact method: TOX messaging
Recent Insomnia healthcare victims include:
- Advanced Healthcare Professionals
- Carlyle Senior Care of Florence
- Internal Medicine of Milford
- Flint Hills Dialysis
- Southern Illinois Dermatology
- SchureMed
- Optimum Health Institute
- Tri-Cities Gastroenterology
- Anatomic Clinical Laboratory Associates
The concentration of healthcare targets suggests either deliberate sector focus or a breach-for-hire operation with healthcare-specialized initial access brokers.
Qilin: The Most Prolific Healthcare Threat
Qilin has claimed the title of most prolific ransomware strain targeting healthcare in 2025:
- Healthcare provider attacks: 66 claims, 23 confirmed
- Healthcare business attacks: 30 claims, 11 confirmed
- Data stolen: 14.7 TB across documented attacks
- Notable attacks: Covenant Health (478,200 affected), Shamir Medical Center (8 TB data)
Other Major Threats
INC Ransomware: 19 confirmed attacks on healthcare providers, primarily targeting mid-sized regional health systems.
Medusa: 1.6+ million records breached across healthcare attacks, with ransom demands typically ranging from $1 million to $2 million. Notable victims include SimonMed Imaging and Bell Ambulance.
Akira: Focuses on the healthcare supply chain: manufacturers, service providers, and vendors. Over 275,000 records were breached in the Fieldtex Products attack alone.
Rhysida: Known for demanding premium ransoms from large health systems. Notable demands include $3.09 million from MedStar Health and $1.65 million from Spindletop Center.
Additional active groups: Clop, RansomHouse, Nitrogen, Interlock, SafePay, Sinobi, Black Basta, and KillSec all maintain active healthcare targeting operations.
2024-2025: A Record-Breaking Era for Healthcare Breaches
The Numbers That Define a Crisis
| Metric | 2024-2025 Figure | Context |
|---|---|---|
| Total healthcare breaches | 737 | +44% since 2019 |
| Americans affected | 276+ million | More than 80% of U.S. population |
| Average breach cost | $7.42 million | Highest of any industry |
| Industry ransomware losses | $21.9 billion | Downtime costs alone |
| Organizations reporting financial damage | 75% (2025) | Up from 60% (2024) |
| Average ransom demand (providers) | $615,000 | Down 84% from $3.9M in 2024 |
| Healthcare business attacks | +25% | Year-over-year increase |
The dramatic drop in average ransom demands—from $3.9 million to $615,000—doesn't signal attacker retreat. It reflects a strategic pivot toward volume over value, enabled by Ransomware-as-a-Service (RaaS) models and AI-assisted attacks. More organizations face threats, but each individual attack appears more "affordable"—a dangerous calculus that may increase payment rates.
The Change Healthcare Catastrophe
February 2024's attack on Change Healthcare stands as the largest healthcare data breach in U.S. history—and a case study in cascading failure:
- Attack vector: ALPHV/BlackCat ransomware via compromised credentials lacking MFA
- Data exposed: 190+ million patient records
- Ransom paid: $22 million (confirmed by CEO testimony to Congress)
- Response costs: $2.4 billion and counting
- National impact: Disrupted prescription services nationwide for weeks
The attack demonstrated how a single compromise in the healthcare supply chain can cascade across the entire U.S. medical system. Pharmacies couldn't process prescriptions. Hospitals couldn't verify insurance. Patients faced delays in critical care.
Worse, after paying $22 million, UnitedHealth discovered the attackers had pulled an exit scam. ALPHV took the money and abandoned their affiliate—who still possessed the stolen data and threatened additional leaks.
Other Major 2024-2025 Incidents
- Ascension Health (May 2024): 5.6 million patients affected by Black Basta; ambulance diversions, procedure cancellations, months of recovery
- DaVita (March 2025): 2.7 million patients affected by Interlock ransomware
- Episource (January 2025): 5.4 million patients affected
- SimonMed Imaging (January 2025): 1.3 million affected, $1 million ransom demanded by Medusa
- Frederick Health (January 2025): Nearly 1 million patient records compromised
- Kettering Health (May 2025): System-wide outage affecting 14 Ohio medical centers
HIPAA and Regulatory Implications: The Double Financial Threat
Healthcare organizations face compounded financial exposure from ransomware: the direct costs of the attack plus potential HIPAA enforcement actions and state-level litigation.
HIPAA Breach Notification Requirements
- HHS notification: Within 60 days for breaches affecting 500+ individuals
- Individual notification: Required for all affected patients
- Media notification: Required for breaches affecting 500+ residents of a state
- Documentation: Full breach investigation and remediation records required
HIPAA Penalty Structure
| Tier | Culpability | Per Violation | Annual Cap |
|---|---|---|---|
| 1 | Lack of knowledge | $100-$50,000 | $1.5 million |
| 2 | Reasonable cause | $1,000-$50,000 | $1.5 million |
| 3 | Willful neglect (corrected) | $10,000-$50,000 | $1.5 million |
| 4 | Willful neglect (not corrected) | $50,000+ | $1.5 million |
State Attorney General Actions
Following major breaches, state attorneys general increasingly pursue litigation against healthcare organizations. Nebraska's AG lawsuit against Change Healthcare survived a motion to dismiss in late 2024, potentially establishing precedent for state-level enforcement actions following ransomware attacks. Organizations should expect increased scrutiny from both federal and state regulators.
Defensive Recommendations: Actionable Steps for Healthcare Organizations
Immediate Actions (0-30 Days)
1. Implement Multi-Factor Authentication (MFA) Everywhere
The Change Healthcare breach exploited compromised credentials without MFA. This single control could have prevented a $22 million ransom payment and the largest healthcare breach in history.
Priority targets:
- Remote access (VPN, RDP)
- Email accounts
- EHR systems
- Administrative consoles
- Cloud services
2. Segment Networks Aggressively
Prevent lateral movement by isolating:
- Medical devices from administrative networks
- Guest WiFi from clinical systems
- Billing and financial systems from patient care networks
- Legacy systems requiring special handling
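One way to check an existing rule set against the isolation pairs listed above. This is an added example, not part of the original analysis. The subnets, the five-field rule format, and the reading of "special handling" as full isolation of legacy systems are all assumptions, and each allow rule is judged on its own, without modelling rule order or shadowing.

```python
import ipaddress
from itertools import product

# Constructed zone-to-subnet map (assumption; substitute your own addressing plan).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "medical_devices": "10.10.0.0/16",
    "administrative": "10.20.0.0/16",
    "guest_wifi": "10.30.0.0/16",
    "clinical": "10.40.0.0/16",
    "billing": "10.50.0.0/16",
    "legacy": "10.60.0.0/16",
}.items()}

# Zone pairs that must not exchange traffic, taken from the list above.
ISOLATED = {frozenset(p) for p in [
    ("medical_devices", "administrative"), ("guest_wifi", "clinical"),
    ("billing", "clinical")]}
# Assumption: "special handling" for legacy systems means no other zone may reach them.
ISOLATED |= {frozenset(("legacy", z)) for z in ZONES if z != "legacy"}

# Constructed sample rule set: action proto source destination port
SAMPLE_RULES = """
allow tcp 10.10.5.0/24 10.10.9.10/32 104   # imaging device to archive, same zone
allow tcp 10.20.1.0/24 10.10.0.0/16 3389   # admin workstations into device VLAN
allow tcp 10.30.0.0/16 10.40.2.15/32 443   # guest WiFi to a clinical host
deny  ip  10.50.0.0/16 10.40.0.0/16 any
allow ip  10.0.0.0/8   10.0.0.0/8   any    # broad "anything internal" rule
allow tcp 10.20.1.0/24 10.50.0.0/16 443    # admin to billing, not on the list
"""

def zones_touched(cidr):
    """Return every zone whose subnet overlaps the rule's address range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [name for name, zone_net in ZONES.items() if net.overlaps(zone_net)]

def audit(rules_text):
    """Flag allow rules that open a path between zones that should be isolated."""
    findings = []
    for lineno, line in enumerate(rules_text.strip().splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        if action != "allow":
            continue
        for s, d in product(zones_touched(src), zones_touched(dst)):
            if s != d and frozenset((s, d)) in ISOLATED:
                findings.append((lineno, s, d, proto, port))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("rule {}: {} -> {} allowed ({}/{})".format(*f))
```

The broad rule on line 5 is the case to watch for: a single supernet rule overlaps every zone and produces a finding for each isolated pair in both directions.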
3. Establish Offline Backup and Recovery
- Maintain air-gapped backups updated at least weekly
- Test restoration procedures quarterly (actually test them)
- Document manual procedures for critical care functions
- Ensure backup media is physically secured and geographically distributed
4. Deploy Endpoint Detection and Response (EDR)
Modern EDR solutions can detect and contain ransomware before encryption completes. Prioritize coverage for servers hosting EHR and billing systems, domain controllers, backup infrastructure, and administrative workstations.
Medium-Term Improvements (30-90 Days)
5. Establish "Code Dark" Response Protocols
Following Children's National Hospital's example:
- Document paper-based care delivery procedures for every department
- Establish communication protocols for system outages
- Define patient triage and transfer criteria
- Train staff on manual record-keeping
- Conduct tabletop exercises quarterly
6. Assess Third-Party Risk
The Change Healthcare and Synnovis incidents demonstrate supply chain vulnerabilities:
- Inventory all third-party connections and data flows
- Require security assessments from critical vendors
- Establish data handling requirements contractually
- Monitor vendor security posture continuously
- Develop contingency plans for vendor failures
7. Implement CISA's Healthcare Cybersecurity Performance Goals
HHS released voluntary healthcare-specific Cybersecurity Performance Goals in January 2025 covering asset management, authentication and access control, data protection, governance and training, vulnerability management, and incident response. Use these as your implementation roadmap.
Strategic Investments (90+ Days)
8. Join Health-ISAC
The Health Information Sharing and Analysis Center provides threat intelligence specific to healthcare, peer collaboration, incident response support, tabletop exercise resources, and educational training. Membership includes 85% of top global pharmaceutical manufacturers and 66% of top medical device manufacturers for good reason.
9. Engage CISA Resources
Free services available to healthcare organizations:
- Cyber Hygiene Vulnerability Scanning
- Web Application Scanning
- Phishing Campaign Assessments
- Technical assistance and training
10. Review Cyber Insurance Coverage
Ensure policies adequately cover ransom payments (if permitted), business interruption, breach notification costs, regulatory defense and penalties, third-party liability, and reputation management. The insurance market has hardened significantly—work with specialized healthcare cyber insurance brokers.
Government Resources for Healthcare Organizations
HHS Health Sector Cybersecurity Coordination Center (HC3)
- Website: hhs.gov/hc3
- Services: Threat alerts, sector-specific intelligence, weekly webinars
- Contact: HC3@hhs.gov
405(d) Program
- Website: 405d.hhs.gov
- Resources: Health Industry Cybersecurity Practices (HICP), implementation templates
- Contact: Cisa405d@hhs.gov
CISA Healthcare Toolkit
- Foundational cyber hygiene guidance
- Advanced security resources
- Training and exercises
- Incident response planning templates
Health Sector Coordinating Council (HSCC)
Cybersecurity Working Group best practices at healthsectorcouncil.org/hscc-recommendations/
The Evolving Threat: What's Coming Next
AI-Enabled Attacks
Ransomware operators increasingly leverage artificial intelligence for more convincing phishing campaigns targeting clinical staff, automated vulnerability discovery, faster payload deployment, and enhanced evasion of security controls. The barrier to entry continues dropping.
Healthcare-Specific Specialization
Groups like Insomnia demonstrate purposeful healthcare targeting, with 50% of victims in the medical sector. Expect continued specialization as attackers recognize the sector's payment propensity and regulatory pressure to protect patient data.
Supply Chain Focus
The 25% increase in attacks on healthcare businesses versus flat growth for direct providers signals strategic targeting of the supply chain's weaker links. Billing services, technology vendors, laboratories, and imaging centers face increased targeting—and their breaches cascade to their healthcare clients.
Conclusion: Every Dollar Invested Saves Lives
The healthcare sector's ransomware crisis represents more than a cybersecurity challenge—it's a patient safety emergency with documented mortality impacts. With 47 victims in just 30 days and 21 active threat groups maintaining healthcare operations, the threat is not theoretical. It's immediate.
The solutions are known: MFA, network segmentation, offline backups, incident response planning, and sector-wide information sharing. The challenge lies in implementation across a fragmented industry with competing priorities and constrained resources.
For healthcare organizations, the calculus is clear: ransomware preparedness is patient care. Every dollar invested in cybersecurity potentially saves lives. Every hour spent on incident response planning reduces the chaos of an actual attack. Every backup tested is a promise to patients that their care will continue.
The 47 victims from the past 30 days underscore the urgency. The question isn't whether your organization will face a ransomware attack—it's whether you'll be prepared when it comes.
The patients in your waiting room are counting on your answer.
This analysis was compiled from signals intelligence data, public breach notifications, HHS Office for Civil Rights records, industry research, and government resources. For real-time threat intelligence and defensive resources, contact HC3, join Health-ISAC, and implement CISA's healthcare cybersecurity toolkit.