Ransomware roundup: H1 2025

From January to June of 2025, we tracked 211 ransomware attacks on healthcare companies. 68 of these were confirmed by the organizations that were targeted.

This is a four percent increase on H1 of 2024, when we noted 203 attacks in total, but a nine percent decrease from H2 of 2024 (231).

The healthcare sector hasn’t seen the same influx in attacks as other industries. Our recent H1 report for all industries saw a 50 percent increase in ransomware attacks when comparing H1 of 2024 to H1 of 2025.*

Why isn’t healthcare seeing the same increase?

While the initial findings may make for positive reading, there could be several reasons behind these figures. Often, attacks aren’t reported on until several months after the event. As we will see below, many of the breaches only come to light nearly four months after they’ve taken place.

Equally, if a healthcare company doesn’t suffer noticeable downtime due to the attack or isn’t obligated to notify patients/employees of a data breach afterward, then we may never know an attack has taken place, especially if the ransom is met.

A recent report by Sophos found that nearly 50 percent of companies paid a ransom to get their data back. In these cases, hackers are unlikely to post the company to their data leak site. Our figures across all industries likely only scratch the surface of the true impact and number of attacks worldwide.

Ultimately, ransomware attacks on healthcare companies continue to have devastating consequences. This became only too evident recently when a patient’s death was linked to the June 2024 attack on Synnovis in the UK.

*Please note: this report was generated after our initial H1 report so figures may have changed slightly as more attacks have been confirmed.

Key findings for H1 2025 ransomware attacks on the healthcare sector

  • 211 attacks in total – 125 in Q1 and 86 in Q2
  • 68 confirmed attacks – 45 in Q1 and 23 in Q2
  • 143 unconfirmed attacks – 80 in Q1 and 63 in Q2
  • 2,372,777 records are known to have been breached in the confirmed attacks
  • Average ransom demand of $479,000
  • The most prolific ransomware strains with the highest number of claims against healthcare companies were INC (34), Qilin (25), SafePay (14), RansomHub (13), and Medusa (13)
  • INC and Qilin had the most confirmed attacks (10 each), followed by Medusa (7), RansomHub (6), and SafePay (4)

The top 5 biggest healthcare data breaches via ransomware in H1 2025

The following healthcare organizations had the biggest breaches (via a ransomware attack) in H1 of 2025:

  1. Frederick Health, US – 934,326 affected: Nearly 1 million patient records were breached after the US healthcare company was targeted by unknown hackers in a ransomware attack in January 2025.
  2. Utsunomiya Central Clinic, Japan – 300,000 affected: Qilin targeted the Japanese clinic in February 2025, causing system disruption and the alleged theft of 140 GB of data. 300,000 people were alerted about the breach.
  3. Marlboro-Chesterfield Pathology, P.C., US – 235,911 affected: The clinic was hit in January 2025, with SafePay adding it to its site that same month after allegedly stealing 30 GB of data. The post was later removed, suggesting a ransom had been paid, but MCP has never confirmed this.
  4. Central Texas Pediatric Orthopedics, US – 140,121 affected: Qilin was also responsible for this attack in January 2025.
  5. Alabama Ophthalmology Associates, US – 131,576 affected: This attack took place in January 2025 with BianLian coming forward to claim it in February.

Also within the top 10 are five more US companies: Bell Ambulance (114,000 affected), Shelby Dermatology, PC d/b/a Dermatologists of Birmingham (86,414 affected), Whitman Hospital & Medical Clinics (63,453 affected), Horizon Behavioral Health (49,822 affected), and Gardner Orthopedics (47,000 affected).

All but one of these top 10 attacks (Gardner Orthopedics) took place in the first quarter of 2025, which highlights the time gap between attacks happening and breaches being reported. As our recent report found, it takes US healthcare companies 3.7 months to report a data breach after a ransomware attack, on average.

Ransomware attacks on healthcare companies by country

Out of the 211 ransomware attacks we noted on hospitals and clinics in H1 2025, the vast majority (66%) were on US companies, where 139 were logged in total. 44 of these attacks were confirmed by the entity involved.

Also within the top five were Australia (10), the United Kingdom (7), Germany (6), and Taiwan (6).

Four of the attacks in Australia were confirmed. These were attacks on Spectrum Medical Imaging, Genea, O&G Adelaide Pty Ltd, and Riverina Medical and Dental Aboriginal Corporation. INC was behind the attacks on Spectrum and Riverina Medical, while Kairos claimed O&G Adelaide and Termite claimed Genea.

Germany and Taiwan saw three confirmed attacks each. As well as the attacks on Mackay Memorial Hospital and Changhua Christian Hospital, Taiwan’s ChangShen Hospital was also targeted in April 2025. The breach was claimed by NightSpire, which says it stole 800 GB of data.

In Germany, LUP-Klinikum Helene von Bülow was claimed by INC in February, while AWO Stadtkreis Gießen e. V. was targeted by SafePay in April. Sozial-Holding der Stadt Mönchengladbach GmbH also suffered an attack via unknown hackers in March 2025 where a ransom of €100,000 was demanded (around USD $108,000 at the time). This ransom wasn’t paid and neither were the ransoms against the other two German healthcare organizations.

Only one of the attacks in the UK was confirmed (the attack on HCRG Care Group), but two were confirmed in Spain. Hospital Los Madroños and Pere Claver Grup were both impacted in March 2025. Qilin claimed Hospital Los Madroños after allegedly stealing 540 GB (no ransom was paid), while the attack on Pere Claver Grup was attributed to Nova (formerly RA Lord), with 5 GB allegedly stolen.

Ransom demands on healthcare companies in H1 2025

On average, $479,000 was demanded across all confirmed and unconfirmed attacks. The average across the confirmed attacks was higher at $608,000 (figures are known in 11 cases), while the average across the unconfirmed attacks was $370,000 (figures known in 13 cases). There weren’t any confirmed ransom payments during this reporting period but 10 entities confirmed they hadn’t met hackers’ demands.

The top 5 biggest ransom demands on healthcare companies in H1 2025

According to our findings, the following healthcare entities were hit with the biggest ransom demands in the first half of 2025:

  1. HCRG Care Group, UK – $2M, Medusa: In February 2025, the UK healthcare company was hit with a $2 million ransom demand from Medusa. HCRG promptly issued the gang with an injunction to try and prevent the data from being leaked. Medusa claimed to have stolen nearly 2.3 TB of data.
  2. Mackay Memorial Hospital, Taiwan – $1.5M, Crazy Hunter: Mackay Memorial Hospital refused to meet Crazy Hunter’s $1.5 million ransom demand after its attack in February 2025.
  3. SimonMed Imaging, US – $1M, Medusa: Medusa targeted SimonMed in January 2025 before issuing a $1 million demand for the 213 GB of data it had allegedly stolen. SimonMed confirmed it had managed to interrupt hackers and no data was encrypted but has issued data breach notifications. At present, a placeholder of 500 has been added to the HHS OCR data breach tool.
  4. Changhua Christian Hospital, Taiwan – $800K, Crazy Hunter: Another Taiwanese hospital was targeted by Crazy Hunter in March 2025. This time $800,000 was demanded. Systems were impacted for around two days.
  5. Bell Ambulance, US – $400K, Medusa: Medusa issued the ambulance provider with a $400,000 ransom after allegedly stealing 219.5 GB of data. Bell Ambulance subsequently notified 114,000 people of the breach.

Please note: Although Medusa features heavily here, that doesn’t necessarily mean they’re demanding the biggest ransoms out of all of the groups. Rather, this group always posts its ransom demand when claiming an attack, which gives us access to more data.

Which ransomware gangs are targeting the healthcare sector?

While some groups don’t appear to have a specific sector that they target, others do. The ransomware groups that claimed the most attacks on the healthcare sector in H1 2025 include:

  • INC – 34 claims in total = 26% of its total claims (131)
    • 10 confirmed attacks = 43% of its total confirmed attacks (23)
  • Qilin – 25 claims in total = 8% of its total claims (317)
    • 10 confirmed attacks = 23% of its total confirmed attacks (43)
  • SafePay – 14 claims in total = 8% of its total claims (186)
    • 4 confirmed attacks = 20% of its total confirmed attacks (20)
  • RansomHub – 13 claims in total = 6% of its total claims (221)
    • 6 confirmed attacks = 21% of its total confirmed attacks (29)
  • Medusa – 13 claims in total = 13% of its total claims (104)
    • 7 confirmed attacks = 47% of its total confirmed attacks (15)

These figures highlight INC’s focus on the healthcare sector. But if we were to measure the number of confirmed attacks in proportion to the number of claims made, Medusa would come out on top with nearly 54 percent of its healthcare attacks being confirmed. RansomHub comes second (46%) and Qilin third (40%).

Qilin accounted for the most breached records with over 555,000 in total. As well as the three mentioned above (Utsunomiya Central Clinic, Central Texas Pediatric Orthopedics, and Dermatologists of Birmingham), Qilin was also behind attacks on Lake Washington Vascular (21,534 records breached), and Covenant Health (7,864 records breached).

SafePay follows Qilin with nearly 260,000 records breached. In addition to the 236,000 breached in its attack on Marlboro-Chesterfield Pathology, P.C., Compassion Health Care notified 23,282 people following its attack in March 2025.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
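The labelling rules and the month re-attribution described above, sketched as an added example (not the tracker's own code). The `Incident` record layout, the function names and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Incident:  # hypothetical record layout, assumed for this example
    org: str
    group: Optional[str]         # gang that posted a claim, None if nobody did
    claim_date: Optional[date]   # date the claim appeared on the leak site
    disclosed_ransomware: bool   # rule (a): org publicly disclosed ransomware
    acknowledged_attack: bool    # org publicly acknowledged a cyber attack
    attack_date: Optional[date]  # attack date given by the org, if any

def label(i):
    if i.disclosed_ransomware:
        return "confirmed"                     # rule (a)
    if i.acknowledged_attack and i.group:
        return "confirmed"                     # rule (b): acknowledgement matches a claim
    return "unconfirmed" if i.group else None  # None: meets neither definition

def period(i):
    # Confirmed attacks count in the month they happened; claims that are
    # still unconfirmed can only be counted in the month they were posted.
    d = i.attack_date if label(i) == "confirmed" and i.attack_date else i.claim_date
    if d is None:
        raise ValueError(f"no date to attribute {i.org} to")
    return f"{d.year}-{d.month:02d}"

def tally(incidents):
    return Counter((period(i), label(i)) for i in incidents if label(i))

SAMPLE = [  # constructed rows, not real incidents
    Incident("Clinic A", "GroupX", date(2025, 1, 14), False, False, None),
    Incident("Hospital B", "GroupY", date(2025, 1, 20), False, False, None),
    Incident("Lab C", None, None, True, True, date(2025, 2, 3)),
]

def demo():
    before = tally(SAMPLE)
    # Clinic A later acknowledges an attack dated December 2024.
    confirmed = replace(SAMPLE[0], acknowledged_attack=True, attack_date=date(2024, 12, 28))
    after = tally([confirmed] + SAMPLE[1:])
    return before, after

if __name__ == "__main__":
    for name, counts in zip(("before", "after"), demo()):
        print(name, dict(counts))
```

Once Clinic A confirms, the January 2025 unconfirmed count drops by one and a confirmed attack appears in December 2024, which is why earlier periods' totals keep moving after a report is published.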

All data is derived from our worldwide ransomware tracker (updated daily).