In the first nine months of 2025, we recorded 293 ransomware attacks on hospitals, clinics, and other direct care providers. We logged a further 130 attacks on businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies.
Attacks on healthcare providers are at a similar level to the same period of 2024, but attacks on healthcare businesses rose by 30 percent.
The above chart shows ransomware attacks on healthcare providers have declined every quarter since Q4 of 2024. Attacks on healthcare businesses dipped from Q4 of 2024 to Q2 of 2025 but increased again in Q3 of 2025, and have been higher overall this year when compared to last.
Why are ransomware attacks on healthcare businesses rising in 2025?
First, healthcare providers have suffered frequent attacks in recent years. From the 2024 attack on Ascension in the US, which saw nearly 5.6 million records breached, to the crippling 2024 attack on UK-based Synnovis, which saw Qilin demand a $50 million ransom, there have been many high-profile attacks on this sector. This has raised awareness of the threat of ransomware in healthcare, which, in turn, may have spurred organizations into action. For example, providers may have worked to make sure systems are up to date, employees have received cybersecurity training, regular backups are stored, and so on.
Second, healthcare businesses often deal with multiple healthcare providers, whether that’s through the processing of vast amounts of data (e.g. payment service providers) or shared systems (e.g. technology vendors). These give hackers access to a larger number of organizations through one central target, thus increasing the scope of the ensuing data breaches.
Attacks on healthcare providers have declined, but they now face ransomware threats from a different angle—the third-party contractors they enlist to carry out various services.
*Please note: this report was written after our Q3 report, so figures may have changed slightly as more attacks have been confirmed.
Key findings for Q1-Q3 2025 ransomware attacks on the healthcare sector
Healthcare providers
- 293 attacks in total
- 94 confirmed attacks
- 199 unconfirmed attacks
- 7,422,608 records are known to have been breached in the confirmed attacks
- Average ransom demand of $514,000
- The most prolific ransomware strains with the highest number of claims against healthcare companies were INC (39), Qilin (34), SafePay (21), RansomHub (13), and Medusa (13)
- INC had the most confirmed attacks (15), followed by Qilin (14), Medusa (8), RansomHub (6), and BianLian (5)
Healthcare businesses
- 130 attacks in total
- 23 confirmed attacks
- 107 unconfirmed attacks
- 6,049,434 records are known to have been breached in the confirmed attacks
- Average ransom demand of $532,000
- The most prolific ransomware strains with the highest number of claims against healthcare companies were Qilin (19), KillSec (12), Akira (10), INC (9), and SafePay (7)
- Qilin had the most confirmed attacks (4), followed by KillSec, Akira, and RansomHub (2 each)
The top 5 biggest healthcare data breaches via ransomware in Q1-Q3 2025
The following healthcare providers and businesses had the biggest breaches (via a ransomware attack) in Q1-Q3 of 2025:
- Episource, US – 5,445,866 affected: The healthcare technology company was hit by an attack that started in January 2025. Episource notified 5,418,866 people of the breach, while other companies have also issued their own notifications (including Sharp Community Medical Group and Sharp HealthCare). The responsible hackers remain unknown.
- DaVita, US – 2,689,826 affected: Targeted in March 2025, the kidney dialysis company notified nearly 2.7 million people of a breach. Interlock claimed the attack after allegedly stealing 1.51 TB of data.
- Clinical Diagnostics (Eurofins), The Netherlands – 941,000 affected: In July 2025, the laboratory testing service was targeted by Nova ransomware. Clinical Diagnostics paid a ransom demand to have the stolen data but Nova came back with a second ransom after Clinical Diagnostics involved the police. Its second ransom demand was $1.1 million.
- Frederick Health, US – 934,326 affected: Nearly 1 million patient records were breached after the US healthcare company was targeted by unknown hackers in a ransomware attack in January 2025.
- Goshen Medical Center, US – 456,385 affected: In September 2025, Goshen Medical Center started to notify people of a data breach following an attack in February 2025. BianLian claimed this attack.
Also within the top 10 are three other healthcare providers and two healthcare businesses.
Healthcare providers: Utsunomiya Central Clinic, Japan (300,000 affected), Medical Associates of Brevard, US (247,000 affected), and Marlboro-Chesterfield Pathology, US (236,000 affected).
Healthcare businesses: Compumedics Limited, Australia (320,000 affected*) and Ocuco Limited, Ireland (241,000 affected).
All but one of these top 10 attacks (Clinical Diagnostics) took place in the first half of 2025, which highlights the time gap between attacks happening and breaches being reported. As our recent report found, it takes US healthcare companies 3.7 months to report a data breach after a ransomware attack, on average.
*This figure on Compumedics includes 2,254 confirmed from Adelaide’s Women’s and Children’s Hospital (Australia) and 318,150 from Compumedics USA.
Ransomware attacks on healthcare companies by country
Of the 423 attacks we noted on healthcare providers and businesses, the US saw the highest number, with 257 in total. Of these, 74 were confirmed: 63 on providers and 11 on businesses.
Australia, Germany, and the United Kingdom followed with 15, 13, and 12 attacks, respectively.
These top four remain the same for attacks on healthcare providers only, but the top targeted countries change when it comes to healthcare businesses. Here, the US remains top with 65 attacks in total but is followed by Italy (7) and India (6).
Due to the lower figures in all countries but the US, it’s difficult to compare Q1 to Q3 of 2024 with the same period of 2025. Many attacks are confirmed months after the event.
One country that does appear to be bucking the trend on healthcare providers is Australia.
Australia saw a significant increase (67%) in its overall figures. We have logged 15 attacks so far in 2025, compared to nine in the same period of 2024. Attacks on healthcare providers also increased by 83 percent, rising from six in 2024 to 11 in 2025. Attacks on healthcare businesses rose slightly from three to four.
In the US, Q1 to Q3 of 2024 saw 252 healthcare-related attacks in total. 2025’s figure of 257 is only slightly higher. Attacks on healthcare businesses increased by 51 percent from 43 in 2024 to 65 in 2025. Meanwhile, attacks on healthcare providers have dropped by eight percent from 209 in 2024 to 192 in 2025.
Ransom demands on healthcare companies in Q1-Q3 2025
As we have already noted, average ransom demands on healthcare providers ($514,000) and healthcare businesses ($532,000) were similar.
Only one ransom payment was confirmed during this reporting period (the attack on Clinical Diagnostics mentioned above), while 13 entities confirmed they hadn’t paid the ransom.
The top 5 biggest ransom demands on healthcare companies in Q1-Q3 of 2025
According to our findings, the following healthcare providers and businesses were hit with the biggest ransom demands in the first three quarters of 2025 (confirmed attacks only):
- HCRG Care Group, UK – $2M, Medusa: In February 2025, the UK healthcare company was hit with a $2 million ransom demand from Medusa. HCRG promptly issued the gang with an injunction to try to prevent the data from being leaked. Medusa claimed to have stolen nearly 2.3 TB of data.
- Mackay Memorial Hospital, Taiwan – $1.5M, Crazy Hunter: Mackay Memorial Hospital refused to meet Crazy Hunter’s $1.5 million ransom demand after its attack in February 2025.
- Cookeville Regional Medical Center, US – $1.15M, Rhysida: An attack took place in July 2025, causing a technical outage that lasted for several days. The center started issuing data breach notifications, but the number of victims remains unknown.
- SimonMed Imaging, US – $1M, Medusa: Medusa targeted SimonMed in January 2025 before issuing a $1 million demand for the 213 GB of data it had allegedly stolen. SimonMed confirmed it had managed to interrupt the hackers and that no data was encrypted, but it has issued data breach notifications. At present, a placeholder of 500 has been added to the HHS OCR data breach tool.
- Changhua Christian Hospital, Taiwan – $800K, Crazy Hunter: Another Taiwanese hospital was targeted by Crazy Hunter in March 2025. This time $800,000 was demanded. Systems were impacted for around two days.
Please note: Although Medusa features heavily here, that doesn’t necessarily mean it’s demanding the biggest ransoms out of all of the groups. Rather, this group always posts its ransom demands when claiming an attack, which gives us access to more data. Other groups often do not reveal their ransom demands.
Which ransomware gangs are targeting healthcare providers and/or businesses?
As we’ve already seen, INC was the most prolific strain when it came to attacks on healthcare providers, and Qilin was the most prolific for healthcare businesses.
However, if we measure a gang’s success by how much data it steals, other gangs rise to the top for the number of records breached.
The most “successful” gangs with their attacks on healthcare providers
Interlock accounts for the most breached records across healthcare providers with 2,735,407 records breached in total. Most of these stem from its attack on DaVita (as seen above) but breaches were confirmed by three other US entities—Texas Digestive Specialists (44,579 affected), Kettering Health (placeholder of 501), and Naper Grove Vision Care (placeholder of 501).
Nova came second with 941,180 records breached. Again, most stem from one attack (Clinical Diagnostics) but 180 were also breached via the Spanish mental health group, Pere Claver Grup.
BianLian came third. All five of its confirmed attacks on US healthcare companies resulted in breaches. As well as the attacks on Goshen Medical Center and Medical Associates of Brevard, LLC mentioned above, it also claimed attacks on Alabama Ophthalmology Associates (131,576 affected), Sonrisas Dental Health (15,644 affected), and Minnesota Orthodontics (placeholder of 501).
Qilin claims it stole the most data, over 11.1 TB in total. A large chunk of this (8 TB) came from its attack on Israel’s Shamir Medical Center. Reports said Qilin demanded $700,000 for the data to be deleted.
The most “successful” gangs with their attacks on healthcare businesses
Despite only claiming one attack on a healthcare organization, Van Helsing had the biggest attack by records affected. It took credit for the attack on Australia’s Compumedics Limited, in which over 320,000 people are confirmed to have been notified—so far.
KillSec came second with nearly 241,000 records affected across its attacks. All of these arise from its attack on Ocuco Limited, Ireland.
INC also claims it stole the most data in this category, over 20.1 TB in total. Most of this came from a claim on Singular Genomics and Deerfield Management, which has yet to be confirmed by the company.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is derived from our worldwide ransomware tracker (updated daily).