H1 ransomware roundup_ healthcare

During the first six months of 2026, the healthcare sector suffered an average of 2.3 ransomware attacks per day. Attacks increased by nearly 14 percent when compared to H2 2025, rising from 360 to 410.

Of the 410 attacks we recorded in H1 2026, 247 were on hospitals, clinics, and other direct care providers. 163 hit businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies.

Attacks on healthcare providers rose just over three percent from H2 2025, but attacks on healthcare businesses rose nearly 35 percent.

Of the healthcare businesses targeted, manufacturers saw a 36 percent increase in attacks from H2 2025 to H1 2026. Healthcare tech companies saw a 12 percent increase. But retailers (e.g. medical device retailers or drug wholesalers) saw the biggest increase in attacks (up 67%).

As the chart above shows, attacks on the healthcare sector remain at a consistently high level – for both healthcare providers and businesses. This suggests a new ‘normal’ in the frequency of attacks against healthcare organizations. The increase in attacks is something we’ve witnessed beyond healthcare (see our H1 2026 report across all industries).

*Please note: this report was written after our H1 2026 report, so figures may have changed slightly as more attacks have been confirmed.

Key findings for H1 2026 ransomware attacks on the healthcare sector

Healthcare providers

  • 247 attacks in total
  • 55 confirmed attacks
  • 192 unconfirmed attacks
  • 424,740 records are known to have been breached in the confirmed attacks
  • Median ransom demand: $310,000
  • The most prolific ransomware strains with the highest number of claims against healthcare companies were Qilin (41), The Gentlemen (31), LockBit (17), and INC (15)
  • Qilin had the most confirmed attacks (8), followed by INC and The Gentlemen (5 each)

Healthcare businesses

  • 163 attacks in total
  • 22 confirmed attacks
  • 141 unconfirmed attacks
  • 154,825 records are known to have been breached in the confirmed attacks
  • Median ransom demand of $300,000
  • The most prolific ransomware strains with the highest number of claims against healthcare companies were DragonForce (14), The Gentlemen (13), INC (12), and Qilin (10)
  • INC had the most confirmed attacks (3), followed by DragonForce and Kairos (2 each)

The top 5 biggest healthcare data breaches via ransomware in H1 2026

The following healthcare providers and businesses had the biggest breaches (via a ransomware attack) in H1 2026:

  1. Unimed, Germany – 135,000 affected: The billing service provider was targeted by unknown hackers in April 2026. While system encryption wasn’t successful, data was stolen and around 135,000 patients have been notified of the breach so far. Experts suggest a ransom was paid to have the data deleted, but this hasn’t been confirmed.
  2. Nippon Medical School Musashi Kosugi Hospital, Japan – 131,700 affected: This attack also resulted in the biggest known ransom demand of H1 2026. In February 2026, NetRunner targeted the medical school, issuing a $100 million ransom, which wasn’t paid.
  3. Hospital ⁠Caribbean Medical Center, Puerto Rico – 92,000 affected: The hospital suffered an attack in February 2026, with The Gentlemen later coming forward to claim it. 92,000 people were subsequently notified of the breach.
  4. Lakelands Public Health, Canada – 60,000 affected: 60,000 residents of Peterborough County and the City of Peterborough were notified that their medical data may have been involved in a January 2026 data breach of the public health system. Lynx came forward to claim the attack.
  5. Mt. Spokane Pediatrics, United States – 32,021 affected: In January 2026, the US pediatric clinic noted unauthorized access to its network and said certain files had been removed. Over 32,000 people were later notified of the breach, which was claimed by LockBit.

Also within the top 10 are four other healthcare providers and one healthcare business.

Healthcare providers: Center for Hearing and Speech dba Texas Hearing Institute, US (29,500 affected), Community Connections, US (20,879 affected), Orthopaedic Specialists of Massachusetts, US (20,200 affected), and Pecan Tree Dental, US (13,300 affected).

Healthcare business: Pediatric Products, LLC (Xpress Nebs), US (10,211 affected).

All but one of these top 10 attacks (Unimed) took place in the first three months of 2026, which highlights the gap between when attacks occur and when organizations report them.

Ransom demands on healthcare companies in H1 2026

Median ransom demands on healthcare providers ($310,000) and healthcare businesses ($300,000) were similar.

No ransom payments were officially confirmed during this reporting period. Unimed is rumored to have met its hackers’ demands. Six entities confirmed they hadn’t paid a ransom in their attacks.

One of these was the hefty $100 million ransom demanded by NetRunner from Nippon Medical School Musashi Kosugi Hospital in Japan.

The second largest ransom was demanded by ShadowByt3$ from TINYpulse (WebMD Health Services) in June 2026. Its demand of $2 million followed its alleged theft of 859 MB of Nintendo employee data. Nintendo said its systems hadn’t been compromised in the attack and that the data theft was “limited to internal survey content comprising a small subset of our employees.”

In March 2026, Medusa issued the University of Mississippi Medical Center with an $800,000 ransom for data it said it had stolen in its February 2026 attack. The attack also forced UMMC to cancel appointments from February 19 to March 2, 2026, as it worked to contain the incident. At the time of writing, no data breach notifications have been issued by UMMC.

Ransomware attacks on healthcare companies by country

Of the 410 attacks on healthcare providers and businesses, the US saw the highest number: 225 in total. 31 were confirmed, and 22 of those hit hospitals, clinics, and other direct care providers.

Germany (18), India (17), Canada (15), and Australia (12) followed with the highest number of attacks (confirmed and unconfirmed) overall.

India saw the biggest uptick in attacks on healthcare providers from H2 of 2025 to H1 of 2026 (up 700%). Canada also saw a significant increase (up 83%), as did Australia (up 33%) and Germany (up 40%).

In contrast, attacks on healthcare providers in the US dropped by over 7 percent.

The US saw an 11 percent increase in attacks on healthcare businesses from H2 of 2025 (71) to H1 of 2026 (79). Due to the far lower breach figures reported by healthcare businesses outside the US, it isn’t fair to apply the same comparison in other countries.

Which ransomware gangs are targeting healthcare providers and/or businesses?

As previously noted, Qilin and The Gentlemen were the most dominant strains in attacks on healthcare providers, while DragonForce and The Gentlemen were the most dominant in attacks on healthcare businesses.

In total, eight of Qilin’s attacks were confirmed in H1 2026 and all of these were against healthcare providers. Four of these were in the US (Rocky Mountain Care, FMRS Health Systems, Inc., Orthopaedic Specialists of Massachusetts, and Aroostook Mental Health Services, Inc.), two were in Germany (RENAFAN GmbH and Suchthilfe direkt Essen gGmbH), and one each in Portugal (Misericórdia de Santo Tirso) and Colombia (Cooperativa de Hospitales de Antioquia).

The Gentlemen had six of its attacks confirmed. Five were healthcare providers and all six took place in different countries. As well as the Hospital ⁠Caribbean Medical Center, mentioned above, the healthcare providers were:

  • Unimed Anápolis, Brazil – January 2026
  • Rajagiri Hospital, India – March 2026
  • IntraCare, New Zealand – March 2026
  • Wielkopolskie Centrum Medyczne REMEDIUM sp. z o.o., Poland – May 2026

Japanese pharmaceutical wholesaler Marutake Co., Ltd. was the only healthcare business to confirm an attack claimed by The Gentlemen.

Three of DragonForce’s attacks were confirmed. Two were healthcare businesses, Kopran Ltd in Japan (a pharmaceutical manufacturer) and Reha-Activ e.K. in Germany (a medical supply company), and one was a healthcare provider in the US (Advanced Diagnostic Imaging/AdvancedHEALTH).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is derived from our worldwide ransomware tracker (updated daily) – here.