Q1 ransomware roundup: healthcare

During the first quarter of 2026, we recorded 120 ransomware attacks on hospitals, clinics, and other healthcare providers. We also noted 81 attacks on businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies.

Attacks on healthcare providers dipped by 15 percent compared to last quarter, while attacks on healthcare businesses rose for the third quarter in a row, jumping by 35 percent.

Despite the dip in attacks on healthcare providers, the above chart demonstrates how attacks within this sector remain consistently high. Attacks on all types of healthcare companies remain lucrative for hackers.

Ransomware attacks can cause mass disruption. An attack on the University of Mississippi Medical Center crippled computer systems and shut down clinics on February 19, 2026. It wasn’t until the following month that systems were restored and clinics were reopened.

Healthcare providers also store vast amounts of data that’s often highly sensitive. While many breaches are yet to be reported, Nippon Medical School Musashi Kosugi Hospital in Japan has already confirmed that 131,700 people were impacted in its February 2026 attack (claimed by NetRunner). Puerto Rico’s Hospital Caribbean Medical Center is notifying 92,000 people about its February 2026 attack (claimed by The Gentlemen), which has been confirmed to involve healthcare data.

The same is also true when healthcare businesses are targeted by ransomware groups. Medical device manufacturer UFP Technologies warned of billing and shipment delays after it was hit by an attack in February 2026 (claimed by Payouts King). And Healthdaq, a healthcare recruitment company in Ireland, is warning of a data breach following unauthorized access to its platform in March 2026 (claimed by XP95).

*Please note: this report was written after our Q1 2026 report (all sectors), so figures may have changed slightly as more attacks have been confirmed.

Key findings for Q1 2026 ransomware attacks on the healthcare sector

Healthcare providers

  • 120 attacks in total
  • 26 confirmed attacks
  • 94 unconfirmed attacks
  • 237,747 records are known to have been breached in the confirmed attacks
  • Median ransom demand of $300,000
  • The most prolific ransomware strains, by number of claims against healthcare providers, were Qilin (23), The Gentlemen (10), Insomnia and LockBit (9 each), and Sinobi (7)
  • Qilin had the most confirmed attacks (4), followed by The Gentlemen and LockBit (3 each), and Sinobi and NetRunner (2 each)
  • 13 TB of data allegedly stolen

Healthcare businesses

  • 81 attacks in total
  • 5 confirmed attacks
  • 76 unconfirmed attacks
  • Number of records breached – N/A
  • Average ransom – N/A
  • The most prolific ransomware strains, by number of claims against healthcare businesses, were INC and NightSpire (8 each), Genesis (6), and Akira, Clop, LockBit, and The Gentlemen (5 each)
  • INC, DragonForce, Payouts King, and XP95 each had a confirmed attack
  • 29 TB of data allegedly stolen

Ransomware attacks on healthcare providers

During Q1 2026, a total of 120 attacks were recorded on global healthcare providers. 26 of these attacks were confirmed.

Eight of these confirmed attacks happened in the US. As well as the attack on the University of Mississippi Medical Center (UMMC, noted above), the following attacks were confirmed:

  • Mt. Spokane Pediatrics – January 2026 – LockBit
  • Pecan Tree Dental – January 2026 – Sinobi – 13,300 people confirmed to have been affected
  • Rocky Mountain Care – January 2026 – Qilin
  • Elmwood Healthcare – January 2026 – LockBit
  • Lymphedema Therapy Specialists, Inc. – February 2026 – INC – 378 people in Texas confirmed to have been affected
  • Aroostook Mental Health Services, Inc. – March 2026 – Qilin – no ransom paid
  • Bayside Dental – January 2026 – Sinobi

Three attacks were also confirmed in Germany. Two were claimed by Qilin (RENAFAN GmbH and Suchthilfe direkt Essen gGmbH). The third, an attack on Leinerstift e.V., hasn’t been claimed by a group at the time of writing.

Qilin was behind the most confirmed attacks on healthcare providers with these four attacks across the US and Germany.

LockBit and The Gentlemen had three confirmed attacks each. LockBit’s included Consorzio Selenia soc. coop. in Italy as well as the two US companies noted above. Meanwhile, The Gentlemen’s targets were Unimed Anápolis in Brazil, IntraCare in New Zealand, and the Hospital Caribbean Medical Center in Puerto Rico.

The Gentlemen claims attack on the Hospital Caribbean Medical Center

Ransomware attacks on healthcare businesses

From January to March 2026, Comparitech researchers logged 81 attacks on healthcare businesses. Five of these attacks were confirmed.

Two attacks each were confirmed in the US and India. In the US, a veterinary practice (Metro Pet Vet) was targeted by unknown hackers in January 2026, while UFP Technologies was hit in February by Payouts King (see above).

In India, Glenmark Pharmaceuticals suffered an attack in February 2026 by INC with 1.8 TB of data stolen, and Kopran Ltd was also targeted in February 2026 but by DragonForce with nearly 284 GB of data stolen.

The other confirmed attack was on Healthdaq in Ireland (see above).

Glenmark Pharma claimed by ransomware group INC

Ransomware attacks on the healthcare sector by country

Across all of the 201 attacks we noted on healthcare providers and businesses throughout Q1 2026, 59 percent (119) were on entities within the US. India (10), Germany (7), and Australia (6) followed.

These are the top four if we look at healthcare providers only, but Canada and Taiwan replace Australia when it comes to healthcare businesses.

The US saw the most confirmed attacks (10), followed by Germany and Japan (3 each). India, Australia, and Turkey all had two confirmed attacks each.

Please note: data breach reporting requirements vary by country, which may skew confirmed attack figures. Countries with mandatory reporting are likely to see more confirmed attacks than those without.

Which ransomware gangs are targeting healthcare providers and/or businesses?

Qilin was the most dominant strain in attacks against healthcare providers with 23 attacks in total. The Gentlemen followed with 10 attacks.

In contrast, INC and NightSpire were the most prolific strains in attacks against healthcare businesses with eight attacks each. Despite Qilin claiming the most attacks across all sectors, only three attacks on healthcare businesses were attributed to this group throughout all of Q1 2026. This would appear to suggest that healthcare businesses aren’t a prime target for Qilin.

Hackers allegedly stole more than twice as much data from healthcare businesses (29 TB) as from healthcare providers (13 TB), despite healthcare providers accounting for more attacks in total (120 compared to 81).

Across the 120 attacks on healthcare providers, just over 13 TB of data was stolen. Beast claims to have stolen the most: 2 TB in total (across just three attacks).

Ransomware groups claim they stole more than 29 TB of data across the 81 attacks on healthcare businesses. Metaencryptor said it stole 14 TB in its attack on a German pharmaceutical manufacturer, but this remains unconfirmed.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
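The labelling and re-attribution rules above, as an added example (not the tracker's own code): the organizations, groups, dates, and the name-only matching of claims to disclosures are constructed assumptions. It shows a January claim moving to December once the organization's disclosure supplies the actual attack date.

```python
from collections import Counter
from datetime import date

# Constructed sample data: organizations and groups are hypothetical.
CLAIMS = [  # posts on ransomware groups' leak sites
    {"org": "Example Clinic A", "group": "GroupX", "claimed": date(2026, 1, 12)},
    {"org": "Example Pharma B", "group": "GroupY", "claimed": date(2026, 2, 3)},
    {"org": "Example Dental C", "group": "GroupX", "claimed": date(2026, 3, 9)},
]
DISCLOSURES = [  # public statements by the organizations themselves
    # Acknowledges a "cyber attack" only, but matches GroupX's claim (rule b).
    {"org": "example clinic a", "attacked": date(2025, 12, 20), "ransomware": False},
    # Discloses ransomware itself; no group has claimed it (rule a).
    {"org": "Example Hospital D", "attacked": date(2026, 2, 19), "ransomware": True},
    # Generic incident, no ransomware mention and no claim: not tracked.
    {"org": "Example Lab E", "attacked": date(2026, 1, 5), "ransomware": False},
]

def _key(org):
    """Assumption: claims and disclosures are matched on normalized name only."""
    return " ".join(org.lower().split())

def label_attacks(claims, disclosures):
    """Return one record per tracked attack with its status and month."""
    claims_by_org = {_key(c["org"]): c for c in claims}
    records, confirmed_orgs = [], set()
    for d in disclosures:
        claim = claims_by_org.get(_key(d["org"]))
        if d["ransomware"] or claim:  # rule a) or rule b)
            confirmed_orgs.add(_key(d["org"]))
            records.append({"org": d["org"], "status": "confirmed",
                            "group": claim["group"] if claim else None,
                            # Confirmed attacks use the disclosed attack date.
                            "month": d["attacked"].strftime("%Y-%m")})
    for c in claims:
        if _key(c["org"]) not in confirmed_orgs:
            records.append({"org": c["org"], "status": "unconfirmed",
                            "group": c["group"],
                            # Unconfirmed attacks only have the claim date.
                            "month": c["claimed"].strftime("%Y-%m")})
    return records

def monthly_counts(records):
    """Count attacks per (month, status) pair."""
    return Counter((r["month"], r["status"]) for r in records)
```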

All data is derived from our worldwide ransomware tracker (updated daily).