2025 ransomware roundup healthcare

Throughout 2025, we recorded 445 ransomware attacks on hospitals, clinics, and other direct care providers. A further 191 attacks hit businesses operating within the healthcare sector (e.g. pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies).

Compared with 2024, attacks on healthcare providers remained roughly the same (437 in 2024), while attacks on healthcare businesses increased by 25 percent (rising from 153 in 2024).

The above chart illustrates that, while ransomware attacks on healthcare providers declined from Q4 2024 to Q3 2025, they increased significantly in Q4 2025, rising by 50 percent. Attacks on healthcare businesses also saw a decline during the first half of 2025, but rose significantly in the second half of the year.

Data breaches across the entire healthcare sector also remain a cause for concern. With many figures only being available for attacks in the first half of the year, the true impact of these attacks is yet to be determined. However, over 16.5 million records are confirmed to have been breached across healthcare providers and businesses so far.

Ultimately, attacks within the healthcare sector remain a key threat and demonstrate how healthcare providers not only face the threat of attacks within their own systems but also via the third parties they employ to carry out various services.

2026 has already seen an incredibly disruptive attack on the Belgian hospital, AZ Monica. The attack (carried out by unknown hackers) led to a shutdown of all systems on January 7. A week later, the hospital was only able to reopen at half capacity.

Healthcare businesses reported significant breaches this month (from 2025). These include more than 42,000 records breached via an attack on medical billing company, Avosina Healthcare Solutions, in July 2025, and 28,200 people breached in March 2025 following an attack on another billing provider, Mid Michigan Medical Billing Service, Inc.

*Please note: this report was written after our end-of-year report, so figures may have changed slightly as more attacks have been confirmed.

Key findings for 2025 ransomware attacks on the healthcare sector

Healthcare providers

  • 445 attacks in total – UP 2% from 2024 (437)
  • 155 confirmed attacks
  • 290 unconfirmed attacks
  • 10,132,682 records are known to have been breached in the confirmed attacks
  • Average ransom demand of $615,000 – DOWN 84% from 2024 ($3.9M)
  • The most prolific ransomware strains with the highest number of claims against healthcare providers were Qilin (66), INC (45), SafePay (29), Sinobi (24), and Medusa (18)
  • Qilin had the most confirmed attacks (23), followed by INC (19) and Medusa (12)
  • 115 TB of data was stolen across all of the attacks – 75.5 TB across the confirmed attacks
  • The United States saw the most attacks (292), followed by Australia (16), the United Kingdom (12), Germany (11), and France and Canada (10 each)
  • France saw the biggest uptick in attacks from 2024 (up 150%), followed by Australia (60%). Attacks dropped in the US (-1%), Germany (-35%), and Canada (-44%), and plateaued in the UK

Healthcare businesses

  • 191 attacks in total – UP 25% from 2024 (153)
  • 40 confirmed attacks
  • 151 unconfirmed attacks
  • 6,419,988 records are known to have been breached in the confirmed attacks
  • Average ransom demand of $584,700 – DOWN 92% from 2024 ($7.7M)
  • The most prolific ransomware strains with the highest number of claims against healthcare businesses were Qilin (30), Akira (19), INC and KillSec (12 each), and Clop (11)
  • Qilin had the most confirmed attacks (11), followed by Akira (4), and DragonForce, PEAR, KillSec, and RansomHub (2 each)
  • 42 TB of data was stolen across all of the attacks – 8 TB across the confirmed attacks
  • The United States saw the most attacks (97), followed by India (9), Italy and Canada (8 each), Germany (6), and Spain (5)
  • Attacks increased by around 30 percent across all of the aforementioned countries, bar Germany, where the attacks plateaued, and Spain, where attacks increased by 67 percent

The top 5 biggest healthcare data breaches via ransomware in 2025

The following healthcare providers and businesses had the biggest breaches (via a ransomware attack) in 2025:

  1. Episource, US – 5,445,866 affected: The healthcare technology company was hit by an attack that started in January 2025. Episource notified 5,418,866 people of the breach, while other companies have also issued their own notifications (including Sharp Community Medical Group and Sharp HealthCare). The responsible hackers remain unknown.
  2. DaVita, US – 2,689,826 affected: Targeted in March 2025, the kidney dialysis company notified nearly 2.7 million people of a breach. Interlock claimed the attack after allegedly stealing 1.51 TB of data.
  3. SimonMed Imaging, US – 1,275,669 affected: After being targeted by Medusa in January 2025, SimonMed was issued with a $1 million ransom demand for 212.616 GB of data. In October 2025, the Arizona-based medical imaging provider started notifying 1,275,669 people who had been impacted in this breach.
  4. Clinical Diagnostics (Eurofins), The Netherlands – 941,000 affected: In July 2025, the laboratory testing service was targeted by Nova ransomware. Clinical Diagnostics paid a ransom demand to have the stolen data but Nova came back with a second ransom after Clinical Diagnostics involved the police. Its second ransom demand was $1.1 million.
  5. Frederick Health, US – 934,326 affected: Nearly 1 million patient records were breached after the US healthcare company was targeted by unknown hackers in a ransomware attack in January 2025.

Also within the top 10 are four other healthcare providers and one healthcare business.

Healthcare providers: Covenant Health, US (478,200 affected), Goshen Medical Center, US (456,400 affected), Utsunomiya Central Clinic, Japan (300,000 affected), and Medical Associates of Brevard, US (247,000 affected).

Healthcare business: Compumedics Limited, Australia (320,000 affected*).

All but one of these top 10 attacks (Clinical Diagnostics) took place in the first half of 2025, which highlights the time gap between attacks happening and breaches being reported. As our recent report found, it takes US healthcare companies 3.7 months to report a data breach after a ransomware attack, on average.

*This figure on Compumedics includes 2,254 confirmed from Adelaide’s Women’s and Children’s Hospital (Australia) and 318,150 from Compumedics USA.

Interlock lists DaVita on its data leak site.

Ransom demands on healthcare companies in 2025

Average ransom demands on healthcare providers ($615,000) and healthcare businesses ($584,700) in 2025 were similar, but both values were significantly lower than the averages we noted in 2024.

These averages were also lower than the average ransom we noted across all industries and sectors in 2025: $1.04 million (which was also a decrease from 2024’s figure).

Data on ransom demands is limited, with figures disclosed in just 124 of the attacks across both healthcare providers and businesses. However, the decline in average ransom demands could be due to the increased volume of attacks overall. Hackers’ move toward AI and Ransomware-as-a-Service (RaaS) models has enabled them to carry out attacks at greater speed, which may have led to reduced ransoms. Equally, lower ransom demands are more likely to receive payment.

Only two ransom payments were confirmed during this reporting period: Clinical Diagnostics (mentioned above) and the University of Hawaii Cancer Center, which has just confirmed it paid a ransom in August 2025 in a bid to have the stolen data deleted (hackers unknown). Sixteen entities confirmed they hadn’t paid the ransom.

The top 5 biggest ransom demands on healthcare companies in 2025

According to our findings, the following healthcare providers and businesses were hit with the biggest ransom demands in the first three quarters of 2025 (confirmed attacks only):

  1. EHPAD Résidence du Parc, France – $5M, Unknown: Unknown hackers targeted the nursing home in December 2025, issuing a $5 million ransom demand to decrypt files. It is thought that 13 years’ worth of data could have been lost in the attack.
  2. MedStar Health, US – $3.09M, Rhysida: In September 2025, Rhysida targeted the US healthcare provider, issuing a 25 bitcoin ransom for 3.7 TB of data (which it said included 7 million pieces of patient data). MedStar has started issuing notifications to those affected but the total number is yet to be confirmed.
  3. HCRG Care Group, UK – $2M, Medusa: In February 2025, the UK healthcare company was hit with a $2 million ransom demand from Medusa. HCRG promptly issued the gang with an injunction to try to prevent the data from being leaked. Medusa claimed to have stolen nearly 2.3 TB of data.
  4. Spindletop Center – $1.65M, Rhysida: In September 2025, the Texan clinic suffered a cyber attack which was claimed by Rhysida with a 15 bitcoin ransom (worth USD $1.65 million at the time).
  5. Mackay Memorial Hospital, Taiwan – $1.5M, Crazy Hunter: Mackay Memorial Hospital refused to meet Crazy Hunter’s $1.5 million ransom demand after its attack in February 2025.

Also within the top 10 were: Cookeville Regional Medical Center, US ($1.15M, Rhysida), SimonMed Imaging, US ($1M, Medusa), Changhua Christian Hospital, Taiwan ($800K, Crazy Hunter), Shamir Medical Center, Israel ($700K, Qilin), Family Health West, US ($700K, Devman), and Highlands Oncology Group PA, US ($700K, Medusa).

The highest (and only) confirmed ransom on a healthcare business was $80,000 from unknown hackers on M.J. Biopharm Private Limited, India, in April 2025. The pharmaceutical conglomerate said it didn’t pay the ransom.

Rhysida lists Spindletop Center on its data leak site.

Please note: Although Medusa and Rhysida feature heavily here, that doesn’t necessarily mean they’re demanding the biggest ransoms out of all of the groups. Rather, these groups always disclose ransom demands when claiming an attack, which gives us access to more data. Other groups often do not reveal their ransom demands.

Which ransomware gangs are targeting healthcare providers and/or businesses?

As we’ve already seen, Qilin was the most prolific strain and claimed the most confirmed attacks.

However, if we measure a gang’s success by how much data it steals, there are other gangs that rise to the top for the number of records breached.

The most “successful” gangs with their attacks on healthcare providers

When it comes to the most breached records, Interlock comes out on top with nearly 2.74 million in total. The vast majority of these stem from its March 2025 attack on DaVita. Breaches were also confirmed by three other US entities—Texas Digestive Specialists (44,579 affected), Kettering Health (placeholder of 501), and Naper Grove Vision Care (placeholder of 501).

Medusa took second place with over 1.6 million records breached. 1.28 million were part of its breach on SimonMed Imaging (noted above) but significant breaches were also noted at a number of other US providers, including Bell Ambulance (114K) and Highlands Oncology Group PA (nearly 114K).

Qilin was responsible for breaching over 1 million records in total. Two of its biggest attacks are noted above (Covenant Health and Utsunomiya Central Clinic) but other significant breaches occurred at Central Texas Pediatric Orthopedics (140K affected) and Richmond Behavioral Health Authority (113K affected).

PEAR allegedly stole the most data with over 19 TB in total. Its largest breach of 6.5 TB of data remains unconfirmed but an attack on US-based Tri-Century Eye Care, P.C. did lead to a data breach of 200,000 records, or 3.3 TB of data, in September 2025.

Qilin came second with 14.7 TB stolen. A large chunk of this (8 TB) came from its attack on Israel’s Shamir Medical Center.

The most “successful” gangs with their attacks on healthcare businesses

Even though it only claimed one attack on a healthcare organization throughout all of 2025, Van Helsing had the biggest attack by records affected. It took credit for the attack on Australia’s Compumedics Limited, in which over 320,000 people are confirmed to have been notified—so far.

Akira came second with nearly 275,000 records breached. The majority of these are from its attack on Fieldtex Products Inc. where just over 274,000 people were recently notified of the August 2025 data breach.

INC claims to have stolen the most data from healthcare businesses with over 20.4 TB in total. However, most of this comes from an unconfirmed claim on a US healthcare manufacturing company.

Ransomware attacks on healthcare companies by country

As we have already noted, the US saw the highest number of attacks across both healthcare providers and healthcare companies.

We noted an overall decline of 25 percent in attacks on healthcare providers, but only one of the top five countries saw a significant reduction in the number of attacks. Germany was the only country to see a large decline in attacks on healthcare providers (dropping 35% from 17 in 2024 to 11 in 2025). Equally, Germany was the only top-five country not to see an increase in attacks on healthcare companies (they remained the same from 2024 to 2025 – 6 attacks each).

France saw a significant increase (150%) in attacks on healthcare providers (rising from four in 2024 to 10 in 2025), as did Australia (rising 60% from 10 to 16).

As noted, the US, India, Italy, and Canada all saw an approximate 30 percent increase in attacks on healthcare companies from 2024 to 2025. This was slightly above the average of 25 percent. Spain saw a much larger increase of 67 percent, while the UK and France saw significant declines (50% and 43% respectively).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is derived from our worldwide ransomware tracker (updated daily).