Three Major Ransomware Attacks Strike Healthcare Sector in Early 2025, Exposing Sensitive Patient Data
In early 2025, three prominent healthcare organizations fell victim to ransomware attacks, compromising the personal and medical data of hundreds of thousands of individuals. The incidents highlight the sector’s persistent vulnerability to cyber threats, with attackers exploiting weak security controls to gain privileged access and maximize disruption.
Alabama Ophthalmology Associates (AOA)
Between January 22 and January 30, 2025, an unknown threat actor accessed and exfiltrated sensitive data from AOA, affecting 131,576 current and former patients. The compromised information included names, addresses, dates of birth, Social Security numbers, driver’s license details, medical records, and health insurance data, though not all individuals had every type of data exposed. The BianLian ransomware group later claimed responsibility for the attack. AOA completed its forensic review on March 19 and began notifying affected parties shortly after.
Bell Ambulance
Wisconsin-based Bell Ambulance, which handles over 120,000 emergency calls annually, detected a ransomware incident on February 13, 2025. An investigation confirmed that an unauthorized actor accessed patient data, potentially exposing names, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical information, and health insurance records. The Medusa ransomware gang claimed the attack in March, and the breach ultimately impacted 114,000 individuals.
DaVita
A global dialysis provider with approximately 3,000 outpatient centers, DaVita disclosed a ransomware attack on April 12, 2025, after discovering the intrusion on January 30. The attack encrypted certain on-premises systems, though the company did not specify the extent of data exposure. The identity of the ransomware group behind the attack remains unconfirmed.
Broader Impact on Healthcare
These incidents reflect a troubling trend: healthcare remains a prime target for ransomware groups due to the high value of patient data and the sector’s reliance on interconnected, mission-critical systems. According to threat analysts, healthcare accounts for roughly 10% of all ransomware cases handled by incident response teams, with attackers frequently leveraging weak perimeter defenses and inadequate network segmentation to escalate privileges.
The attacks follow the high-profile breach of Change Healthcare in 2024, which disrupted payment systems and care delivery nationwide. Experts emphasize that basic security measures such as multifactor authentication, strong passwords, and network segmentation remain critical in mitigating such threats. Despite advancements in cybersecurity, many organizations continue to struggle with implementing fundamental protections, leaving them exposed to increasingly aggressive ransomware campaigns.
Source: https://www.darkreading.com/cyberattacks-data-breaches/healthcare-orgs-hit-ransomeware-attacks
Bellwether Analytics cybersecurity rating report: https://www.rankiteo.com/company/bellwether-analytics
"id": "BEL1768613724",
"linkid": "bellwether-analytics",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '131,576',
'industry': 'Healthcare',
'location': 'Alabama, USA',
'name': 'Alabama Ophthalmology Associates (AOA)',
'type': 'Healthcare Provider'},
{'customers_affected': '114,000',
'industry': 'Healthcare',
'location': 'Wisconsin, USA',
'name': 'Bell Ambulance',
'type': 'Ambulance Service Provider'},
{'industry': 'Healthcare',
'location': 'Global',
'name': 'DaVita',
'size': 'Approximately 3,000 outpatient centers',
'type': 'Dialysis Provider'}],
'attack_vector': 'Exploiting weak security controls and inadequate network '
'segmentation',
'customer_advisories': 'Notifying affected parties',
'data_breach': {'data_encryption': 'Yes (for DaVita)',
'data_exfiltration': 'Yes',
'number_of_records_exposed': ['131,576', '114,000', None],
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names, addresses, dates of '
'birth, Social Security numbers, '
'driver’s license details, '
'medical records, health '
'insurance data',
'Names, dates of birth, Social '
'Security numbers, driver’s '
'license numbers, financial '
'account details, medical '
'information, health insurance '
'records',
None]},
'date_detected': ['2025-01-22', '2025-02-13', '2025-01-30'],
'date_publicly_disclosed': ['2025-03-19', '2025-04-12'],
'description': 'In early 2025, three prominent healthcare organizations fell '
'victim to ransomware attacks, compromising the personal and '
'medical data of hundreds of thousands of individuals. The '
'incidents highlight the sector’s persistent vulnerability to '
'cyber threats, with attackers exploiting weak security '
'controls to gain privileged access and maximize disruption.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Personal and medical data of hundreds of '
'thousands of individuals',
'identity_theft_risk': 'High',
'operational_impact': 'Disruption of emergency services and care '
'delivery',
'payment_information_risk': 'High',
'systems_affected': 'On-premises systems, interconnected '
'mission-critical systems'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Healthcare remains a prime target for ransomware groups '
'due to the high value of patient data and reliance on '
'interconnected systems. Basic security measures such as '
'multifactor authentication, strong passwords, and network '
'segmentation are critical in mitigating threats.',
'motivation': 'Financial gain, data exfiltration',
'post_incident_analysis': {'corrective_actions': 'Implement multifactor '
'authentication, strong '
'passwords, network '
'segmentation, and enhanced '
'monitoring',
'root_causes': 'Weak perimeter defenses, '
'inadequate network segmentation, '
'lack of fundamental security '
'protections'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransomware_strain': ['BianLian', 'Medusa', None]},
'recommendations': 'Implement multifactor authentication, strong passwords, '
'network segmentation, and enhanced monitoring to mitigate '
'ransomware threats.',
'references': [{'source': 'Cyber Incident Description'}],
'response': {'communication_strategy': 'Notifying affected parties'},
'threat_actor': ['BianLian ransomware group', 'Medusa ransomware gang'],
'title': 'Three Major Ransomware Attacks Strike Healthcare Sector in Early '
'2025, Exposing Sensitive Patient Data',
'type': 'Ransomware',
'vulnerability_exploited': 'Weak perimeter defenses, inadequate network '
'segmentation'}