Why Hackers Are Losing Interest in Hospitals: The Surprising 2025 Ransomware Shift

Cybersecurity Shocker: Healthcare No Longer the Prime Target

In a surprising turn for 2025, the healthcare industry has not faced the massive wave of ransomware attacks that experts feared. Despite its sensitive data and critical infrastructure, healthcare saw only a 4% increase in ransomware incidents in the first half of the year—starkly contrasting with the alarming 50% average spike across all sectors. According to new research by Comparitech, industries like technology, retail, legal, transportation, and government are being hit far harder, with some sectors reporting over 80% year-on-year increases. This changing threat landscape indicates that cybercriminals are shifting focus toward sectors seen as softer or more profitable targets. While this is a relative reprieve for hospitals and care providers, analysts warn the war is far from over.

Healthcare’s Quiet Year Compared to a Global Surge

In the first six months of 2025, Comparitech tracked 211 ransomware attacks on healthcare institutions, a marginal 4% rise from the same period in 2024. This is remarkably modest compared to skyrocketing attacks in tech and retail, both of which reported an 85% surge. Retail, in particular, has become a magnet for ransomware groups due to its decentralized systems and faster cash flow, making it more attractive to threat actors seeking quick payouts.

The study highlights how previous high-profile breaches, like the Change Healthcare and Synnovis incidents in 2024, have driven a wave of security investments across the healthcare sector. Hospitals, labs, and service providers have boosted their cyber defenses, closed long-standing vulnerabilities, and prioritized incident response planning. These improvements, while far from foolproof, appear to have deterred many attackers.

Interestingly, threat actors have adapted by targeting adjacent businesses that store massive volumes of medical data without offering direct patient care. This includes medical device companies and pharmaceutical manufacturers, who are often the backdoor into broader healthcare systems. The January 2025 breach of Episource, which compromised 5.4 million records, is a chilling example of this pivot.

Although healthcare isn’t the top target, it remains a favored hunting ground for some notorious gangs like Medusa, Qilin, and INC Ransom. Ransom demands have averaged $479,000 this year—less than a third of what other industries face. Still, the stakes remain high. More than 2.3 million patient records were compromised in the first half of the year, with the worst single breach impacting nearly a million records at Frederick Health in January.

INC Ransom has taken the lead with 34 claimed attacks on healthcare entities, followed by Qilin with 25. Meanwhile, ransomware variants like SafePay, RansomHub, and Crazy Hunter also made their presence known, demanding ransoms as high as $2 million. Despite this, healthcare organizations appear more reluctant to pay up. None of the confirmed cases involved ransom payments, and 10 entities explicitly refused to comply.

Most of the targeted institutions were based in the US, with 139 incidents, followed distantly by Australia (10) and the UK (7). While the healthcare sector has momentarily dodged the worst of the storm, experts caution that it remains vulnerable. The lull may be temporary, as attackers continue evolving their tactics and hunting for new ways in.

What Undercode Says:

Sector-Specific Shifts Signal Strategic Rethinking by Hackers

Ransomware groups have historically preyed on healthcare for its life-critical services and urgency-driven environments. But 2025 has shown a strategic recalibration. Criminal syndicates are becoming more calculated, favoring easier, higher-yield targets like retail and tech. This isn’t just about money—it’s about efficiency. Retail, for example, offers quicker payouts, fewer reporting requirements, and a greater variety of compromised systems to exploit.

Cybersecurity Investments Finally Paying Off

The restrained growth in healthcare ransomware attacks suggests that prior cyber incidents may have served as a wake-up call. High-profile breaches in 2024 spurred hospitals and healthcare vendors to invest more in threat monitoring, multi-factor authentication, data segmentation, and endpoint security. These upgrades are evidently making exploitation harder and less cost-effective for cybercriminals.

The New Backdoor: Data-Rich but Patient-Free Targets

Hackers are evolving. Instead of directly breaching hospitals with heavily fortified systems, they’re targeting third-party vendors that serve the sector—pharma companies, diagnostic tech firms, and medical device manufacturers. These businesses store vast healthcare data but may lack the same cyber maturity as hospitals. One compromise can cascade through the supply chain, giving attackers access to numerous care providers in one swoop.

Medusa and Qilin: Names to Watch

Among ransomware actors, Medusa and Qilin are becoming household names in the healthcare sphere. Together, they’re responsible for a significant chunk of known attacks and data breaches in H1 2025. Medusa’s $2 million ransom demand from HCRG Care Group marked the year’s highest known healthcare-related demand. Qilin, meanwhile, exposed over 555,000 healthcare records. These groups are deploying more advanced tactics, from double extortion schemes to targeting cloud environments.

Ransom Demands Are Lower—But Not Gone

While the healthcare industry has seen lower average ransom demands, this doesn’t imply reduced risk. The lower figures may reflect negotiation dynamics or an attempt to increase the odds of payment. However, healthcare organizations have shown greater resistance to paying, which could force ransomware groups to escalate attacks or pivot again.

United States Remains the Primary Target

With two-thirds of ransomware incidents in healthcare affecting US-based entities, it’s clear that attackers view the American healthcare system as fertile ground. Complex networks, private-sector dominance, and vast patient databases all make US organizations prime targets. The disparity between the US and other countries like Australia or the UK suggests attackers are prioritizing regions with higher payout potential.

Unknown Ransoms Obscure the True Scale

Comparitech noted that ransom demands are underreported, often due to confidentiality, ongoing investigations, or non-disclosure agreements. This means the actual average ransom may be higher than current estimates. With pending figures from high-impact attacks at DaVita, Frederick Health, and Kettering Health, we could soon see a dramatic spike in the average demand.

A False Sense of Security Could Be Dangerous

The modest 4% increase in attacks may encourage complacency, but it shouldn’t. As cybersecurity improves in one area, attackers move to the next weak link. The evolving ransomware ecosystem means healthcare must stay proactive, not reactive. Endpoint detection, vendor risk management, and continuous employee training will be critical in staying ahead of threats.

🔍 Fact Checker Results:

✅ Ransomware attacks on healthcare increased by only 4% in H1 2025, compared to a 50% rise across all industries
✅ Medusa and Qilin are among the most active ransomware groups targeting healthcare in 2025
✅ Average ransom demand in healthcare ($479K) remains significantly lower than the $1.6M average in other sectors

📊 Prediction:

The second half of 2025 will likely bring a resurgence of ransomware attacks on healthcare—but not in traditional ways. Instead of hospitals, attackers will zero in on supply chain partners and third-party vendors with weaker defenses. Expect a spike in multi-victim breaches, as ransomware gangs aim for volume and leverage. Simultaneously, ransom demands may climb as unknown figures from major breaches are revealed. The temporary drop in attacks should not be mistaken for a long-term trend. Healthcare remains in the crosshairs—just from a different angle. 🏥💻🔒

References:

Reported By: www.infosecurity-magazine.com