Ransomware Attacks on Healthcare Sector Remain High in 2025, with Shifts in Targets and Tactics
In the first nine months of 2025, Comparitech recorded 293 ransomware attacks on hospitals, clinics, and other direct healthcare providers matching 2024’s figures for the same period. However, attacks on healthcare businesses, including pharmaceutical manufacturers, medical billing firms, and tech vendors, surged by 30%, rising from 100 in 2024 to 130 in 2025.
Rebecca Moody, Comparitech’s head of data research, attributed the increase in attacks on healthcare businesses to heightened awareness following high-profile breaches in 2024, such as the Ascension attack (5.6 million records breached) and the Synnovis ransomware incident ($50 million ransom demand). While providers have bolstered defenses through updates, employee training, and backups hackers have pivoted to third-party vendors, exploiting shared systems and data-processing networks to access multiple organizations at once.
Geographic Breakdown
The U.S. remained the hardest-hit country, accounting for 257 attacks (63 on providers, 11 on businesses). Australia, Germany, and the U.K. followed, though their totals were significantly lower. For healthcare businesses, the U.S. led with 65 attacks, trailed by Italy (7) and India (6).
Australia defied the global trend, seeing a 67% increase in attacks from nine in 2024 to 15 in 2025 with healthcare providers bearing the brunt (an 83% rise).
Ransomware Strains and Impact
-
Healthcare Providers (293 attacks, 94 confirmed):
- Top strains: INC (39 attacks), Qilin (34), SafePay (21), RansomHub (13), Medusa (13).
- Confirmed breaches: 7.4 million records exposed, average ransom demand of $514,000.
- Largest breaches by records: Interlock (2.7M+ from DaVita), Nova (941K+ from Clinical Diagnostics), BianLian (multiple U.S. providers).
-
Healthcare Businesses (130 attacks, 23 confirmed):
- Top strains: Qilin (19 attacks), KillSec (12), Akira (10), INC (9), SafePay (7).
- Confirmed breaches: 6 million records exposed, average ransom demand of $532,000.
- Largest breaches by data volume: Qilin (11.1TB stolen, including 8TB from Israel’s Shamir Medical Center), INC (20.1TB claimed, unconfirmed).
Notably, Van Helsing caused the largest single breach by records, affecting 320,000 individuals in an attack on Australia’s Compumedics Limited. KillSec followed with 241,000 records compromised via Ireland’s Ocuco Limited.
Broader Trends
While global ransomware attacks rose 36% year-over-year in 2025, healthcare saw a 2% decline though this masks the shift toward supply-chain attacks targeting vendors. The education sector, by contrast, saw only a 5% increase, highlighting healthcare’s persistent vulnerability.
DaVita TPRM report: https://www.rankiteo.com/company/davita
Synnovis TPRM report: https://www.rankiteo.com/company/synnovis
BianLian TPRM report: https://www.rankiteo.com/company/cybrella
Compumedics Limited TPRM report: https://www.rankiteo.com/company/compumedics
Ocuco Limited TPRM report: https://www.rankiteo.com/company/ocuco
Ascension TPRM report: https://www.rankiteo.com/company/ascension
"id": "cybsyncomascdavocu1777037189",
"linkid": "cybrella, synnovis, compumedics, ascension, davita, ocuco",
"type": "Ransomware",
"date": "10/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '5.6 million records breached',
'industry': 'Healthcare',
'location': 'U.S.',
'name': 'Ascension',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'U.K.',
'name': 'Synnovis',
'type': 'Healthcare Business'},
{'customers_affected': '2.7M+ records breached',
'industry': 'Healthcare',
'location': 'U.S.',
'name': 'DaVita (Interlock)',
'type': 'Healthcare Provider'},
{'customers_affected': '941K+ records breached',
'industry': 'Healthcare',
'location': 'U.S.',
'name': 'Nova (Clinical Diagnostics)',
'type': 'Healthcare Provider'},
{'customers_affected': '8TB of data exfiltrated',
'industry': 'Healthcare',
'location': 'Israel',
'name': 'Shamir Medical Center',
'type': 'Healthcare Provider'},
{'customers_affected': '320,000 individuals',
'industry': 'Healthcare',
'location': 'Australia',
'name': 'Compumedics Limited',
'type': 'Healthcare Business'},
{'customers_affected': '241,000 records compromised',
'industry': 'Healthcare',
'location': 'Ireland',
'name': 'Ocuco Limited',
'type': 'Healthcare Business'}],
'attack_vector': 'Supply-chain attacks, third-party vendors',
'data_breach': {'data_encryption': 'Yes',
'data_exfiltration': ['11.1TB (Qilin)',
'20.1TB (INC, unconfirmed)',
'8TB (Shamir Medical Center)'],
'number_of_records_exposed': ['7.4 million (providers)',
'6 million (businesses)'],
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Patient records',
'Medical data',
'Personally identifiable '
'information']},
'date_publicly_disclosed': '2025',
'description': 'In the first nine months of 2025, Comparitech recorded 293 '
'ransomware attacks on hospitals, clinics, and other direct '
'healthcare providers, matching 2024’s figures for the same '
'period. However, attacks on healthcare businesses, including '
'pharmaceutical manufacturers, medical billing firms, and tech '
'vendors, surged by 30%, rising from 100 in 2024 to 130 in '
'2025. Hackers have pivoted to third-party vendors, exploiting '
'shared systems and data-processing networks to access '
'multiple organizations at once.',
'impact': {'data_compromised': ['7.4 million records (providers)',
'6 million records (businesses)'],
'identity_theft_risk': 'High'},
'initial_access_broker': {'entry_point': 'Third-party vendors, shared '
'systems'},
'lessons_learned': 'Healthcare providers have bolstered defenses through '
'updates, employee training, and backups, but hackers have '
'pivoted to third-party vendors, exploiting shared systems '
'and data-processing networks to access multiple '
'organizations at once.',
'motivation': 'Financial gain, data exfiltration',
'post_incident_analysis': {'root_causes': 'Exploitation of third-party '
'vendors, shared data-processing '
'networks'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': ['$514,000 (average for providers)',
'$532,000 (average for businesses)',
'$50 million (Synnovis)'],
'ransomware_strain': ['INC',
'Qilin',
'SafePay',
'RansomHub',
'Medusa',
'KillSec',
'Akira',
'Van Helsing',
'BianLian']},
'references': [{'date_accessed': '2025', 'source': 'Comparitech'}],
'threat_actor': ['INC',
'Qilin',
'SafePay',
'RansomHub',
'Medusa',
'KillSec',
'Akira',
'Van Helsing',
'BianLian'],
'title': 'Ransomware Attacks on Healthcare Sector in 2025',
'type': 'Ransomware'}