Healthcare Ransomware Statistics 2025: Latest Incidents, Costs, and Trends
Ransomware continued to pressure the health sector in 2025, but the economics and tactics shifted. The United States’ Health Care and Public Health sector logged 460 ransomware incidents with federal complaint centers, while independent trackers confirmed more than a hundred successful attacks on hospitals and clinics. At the same time, ransom demand reduction and lower payment rates reshaped outcomes, and the average healthcare data breach cost fell from prior-year highs. Below, you’ll find the ransomware incident rate, financial impact, leading breach causes, ransomware threat actors, and data exfiltration techniques that defined 2025.
Ransomware Attack Frequency and Distribution
U.S. tallies and sector distribution
In 2025, the Health Care and Public Health sector recorded 460 ransomware incidents via federal cybercrime reporting, underscoring healthcare’s outsized cyber incident targeting rate. Independent breach research also logged 134 confirmed ransomware attacks on U.S. providers (hospitals, clinics, and multi-specialty groups), illustrating that many cases never reach leak sites or public disclosure.
Providers vs. business associates
Attack frequency remained highest among provider organizations, but third-party and business associate exposure continued to amplify blast radius. Clearinghouses, billing, imaging, and specialty service vendors were frequent pivot points, turning a single intrusion into multi-entity disruption across referral networks and revenue cycle workflows.
Geography and timing
The U.S. remained the primary target globally. Activity ebbed and flowed by quarter—after a high-payment Q2, Q3 saw a notable volume dip in some trackers as groups recalibrated, followed by a late-year re-acceleration. Net result: steady pressure on clinical operations, scheduling, and EHR-adjacent systems throughout 2025.
Average Ransom Payment Analysis
Payment rates and amounts
The most dramatic swing arrived midyear: average ransom payments fell by roughly two-thirds (about 66%) from Q2 to Q3 2025 as more victims refused to pay or negotiated steep discounts. Across the year, survey-based data showed a 50% drop in the median ransom payment, a sign that incident response maturity and insurer scrutiny are taking hold.
Healthcare-specific benchmarks
Healthcare stood out for smaller payouts. The sector’s median paid ransom hovered near $150,000 in 2025—well below figures seen in manufacturing or government. Combined with higher refusal rates, this helped drive overall ransom demand reduction even as attackers raised initial asks in larger cases.
Data Breach Financial Impact
Average breach costs and where money goes
The average healthcare data breach cost settled around $7.42 million in 2025, down markedly from the prior year yet still the highest among all industries. The biggest cost buckets were detection and escalation, lost business, and post-breach response—together accounting for the majority of spend.
What drove savings in 2025
Shorter breach lifecycles, greater law-enforcement engagement, and wider use of security analytics helped compress recovery timelines. Organizations with strong backup validation and tabletop-tested playbooks reported fewer days of disruption and lower forensic, legal, and notification costs.
Leading Causes of Healthcare Breaches
System intrusion breach cause
“System Intrusion” remained the top breach pattern, reflecting multi-step compromises that include credential theft, lateral movement, and ransomware deployment. In healthcare, that pattern eclipsed prior leaders such as “Miscellaneous Errors,” aligning with the surge in extortion-driven tactics.
Initial access vectors
Initial footholds in 2025 clustered around a few repeatable entry points: phishing and social engineering, exploited vulnerabilities in edge and third-party software, stolen credentials traded by initial access brokers, and misconfigured remote access. Supply-chain exposures involving business associates magnified impact across multiple covered entities.
Healthcare Sector Cyberattack Share
Healthcare’s slice of global ransomware
Based on leak-site telemetry, healthcare accounted for roughly 7.4% of publicly claimed ransomware victims worldwide in 2025—more than one healthcare organization listed per day on average. Although a single-digit share, healthcare still ranked as the most targeted industry by victim count in several datasets, highlighting broad adversary focus on clinical uptime and sensitive data.
Prominent Ransomware Groups in Healthcare
Most active ransomware threat actors
Several ransomware-as-a-service crews featured prominently against healthcare in 2025. The most active included Qilin, INC Ransom, and RansomHub, with Akira, BianLian, LockBit, Play, SafePay, Medusa, and Rhysida also frequently named in provider and vendor incidents. Many campaigns leveraged double extortion and data-leak-site pressure to accelerate negotiations.
What their playbooks looked like
Across groups, common threads emerged: social engineering of IT and help desks, rapid privilege escalation, domain-wide backup targeting, and staged data exfiltration before encryption. Some affiliates ran “exfiltration-only” playbooks—skipping encryption entirely to compress dwell time and reduce noisy detection.
Trends in Data Exfiltration and Encryption
Exfiltration before encryption becomes default
By mid-2025, roughly three-quarters of observed cases included data exfiltration, typically executed before any encryption. In healthcare specifically, encryption success fell sharply, while extortion-only attacks tripled compared to earlier years. The net effect: more leak-site exposure risk even when EHR availability is preserved.
Data exfiltration techniques
- Stealth transfers using RDP, SFTP, and living-off-the-land tools (for example, archiving and staging to internal shares before exfiltration).
- Cloud sync utilities (such as rclone-like workflows) to shuttle PHI to attacker-controlled storage.
- Targeted exports from EHR, imaging, and claims systems; SQL dumps of patient and payer datasets.
- Use of infostealers to harvest VPN and identity tokens, then token replay to access SaaS and cloud file stores.
As organizations improved backup resilience and containment speed, actors leaned further into data theft, multi-extortion pressure, and threats to contact patients directly—tactics designed to raise leverage without relying on encryption.
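A detection sketch for the stage-then-transfer pattern in the list above, added here as an example and not taken from the original article or from any vendor's product: it flags hosts where an archiving tool runs and a transfer or cloud-sync tool follows within a time window. The host names, event tuples, tool lists, and 60-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (host, time, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("EHR-APP01", "2025-06-03T01:12:00", r"7z.exe a \\fs02\tmp\exp1.7z D:\exports\patients"),
    ("EHR-APP01", "2025-06-03T01:31:00", r"rclone.exe copy \\fs02\tmp remote:bucket"),
    ("PACS-02", "2025-06-03T02:00:00", r"tar -czf /srv/share/img.tgz /data/imaging"),
    ("PACS-02", "2025-06-03T09:45:00", r"sftp backup@10.0.0.5"),        # outside window
    ("WS-114", "2025-06-03T03:10:00", r"rclone.exe sync C:\Docs remote:docs"),  # no staging
    ("BILL-DB", "2025-06-03T04:20:00", r"sftp ops@198.51.100.7"),       # transfer first
    ("BILL-DB", "2025-06-03T04:25:00", r"zip -r /mnt/share/claims.zip /var/claims"),
]

# Assumed tool lists; tune to what is actually sanctioned in your environment.
ARCHIVERS = ("7z", "rar", "tar", "zip")
TRANSFER_TOOLS = ("rclone", "sftp", "scp")


def tool_of(cmdline, names):
    """Return the executable's base name if it is one of `names`, else None."""
    exe = cmdline.split()[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    return exe if exe in names else None


def find_stage_then_transfer(events, window=timedelta(minutes=60)):
    """Flag hosts where an archiver run is followed by a transfer tool within `window`."""
    last_archive = {}  # host -> (time, command line) of the most recent archive step
    hits = []
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if tool_of(cmd, ARCHIVERS):
            last_archive[host] = (when, cmd)
        elif tool_of(cmd, TRANSFER_TOOLS) and host in last_archive:
            staged_at, staged_cmd = last_archive[host]
            if when - staged_at <= window:
                gap = int((when - staged_at).total_seconds() // 60)
                hits.append({"host": host, "staged": staged_cmd,
                             "transfer": cmd, "gap_min": gap})
    return hits


if __name__ == "__main__":
    for hit in find_stage_then_transfer(SAMPLE_EVENTS):
        print(hit)
```

A transfer with no preceding archive step, or one that precedes the archive, is deliberately not flagged; widening the window trades fewer misses for more noise from routine backup jobs.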
FAQs
What was the total number of healthcare ransomware attacks in 2025?
In the United States, the Health Care and Public Health sector reported 460 ransomware incidents in 2025 through federal complaint channels. Independent trackers also confirmed more than a hundred successful attacks on U.S. providers, underscoring persistent risk across hospitals and clinics.
How much did average ransom payments decrease in 2025?
The steepest shift came midyear: average payments fell by about 66% from Q2 to Q3 2025. Looking at the full year, the median payment across all sectors decreased by roughly 50%, while healthcare’s median paid ransom was about $150,000—among the lowest by industry.
Which ransomware groups targeted healthcare the most in 2025?
Qilin, INC Ransom, and RansomHub were among the most active against healthcare in 2025, with Akira, BianLian, LockBit, Play, SafePay, Medusa, and Rhysida also frequently implicated. These ransomware threat actors relied heavily on double extortion and rapid data theft to pressure victims.
What percentage of ransomware attacks involved data exfiltration before encryption?
Approximately three-quarters of 2025 cases involved data exfiltration prior to or instead of encryption. In parallel, healthcare saw a notable rise in extortion-only incidents and a decline in successful encryption, reflecting better containment and backup strategies alongside evolving attacker playbooks.