Mt. Spokane Pediatrics, Unimed and Kopran Ltd: Healthcare Ransomware Roundup: H1 2026 stats on attacks, ransoms, and data breaches

Mt. Spokane Pediatrics, Unimed and Kopran Ltd: Healthcare Ransomware Roundup: H1 2026 stats on attacks, ransoms, and data breaches

Ransomware Attacks on Healthcare Surge in H1 2026, Reaching New Highs

The first half of 2026 saw a sharp rise in ransomware attacks targeting the healthcare sector, averaging 2.3 incidents per day a 14% increase from the second half of 2025. A total of 410 attacks were recorded, with 247 striking hospitals, clinics, and direct care providers, while 163 hit healthcare-related businesses, including pharmaceutical manufacturers, medical billing firms, and tech companies.

Attacks on healthcare providers rose by 3%, but those on healthcare businesses surged by 35%, with medical device retailers and drug wholesalers experiencing the steepest increase (67%). Manufacturers saw a 36% rise, while healthcare tech firms faced a 12% uptick.

Key Findings

  • Healthcare Providers (247 attacks):

    • 55 confirmed, 192 unconfirmed
    • 424,740 records breached in confirmed attacks
    • Median ransom demand: $310,000
    • Top ransomware strains: Qilin (41 claims), The Gentlemen (31), LockBit (17), INC (15)
  • Healthcare Businesses (163 attacks):

    • 22 confirmed, 141 unconfirmed
    • 154,825 records breached in confirmed attacks
    • Median ransom demand: $300,000
    • Top ransomware strains: DragonForce (14), The Gentlemen (13), INC (12), Qilin (10)

Major Breaches in H1 2026

The largest incidents included:

  • Unimed (Germany, April 2026) – 135,000 affected (data theft, possible ransom payment)
  • Nippon Medical School Musashi Kosugi Hospital (Japan, February 2026) – 131,700 affected ($100M ransom demand, unpaid)
  • Caribbean Medical Center (Puerto Rico, February 2026) – 92,000 affected (claimed by The Gentlemen)
  • Lakelands Public Health (Canada, January 2026) – 60,000 affected (claimed by Lynx)
  • Mt. Spokane Pediatrics (U.S., January 2026) – 32,021 affected (claimed by LockBit)

Most of these breaches occurred in January–March 2026, highlighting delays in public disclosure.

Ransom Demands & Payments

  • Median demands were $310,000 (providers) and $300,000 (businesses).
  • No official ransom payments were confirmed, though Unimed (Germany) is rumored to have paid.
  • Nippon Medical School (Japan) rejected a $100M demand, the largest in H1 2026.
  • TINYpulse (WebMD Health Services, U.S.) faced a $2M demand in June 2026 after 859MB of Nintendo employee data was stolen.

Geographic Trends

  • U.S. (225 attacks) – Most targeted, though attacks on providers dropped 7%.
  • Germany (18), India (17), Canada (15), Australia (12) – Significant increases, with India (+700%) and Canada (+83%) seeing the largest spikes.
  • Japan, Brazil, Poland, New Zealand, and Colombia also saw notable attacks.

Dominant Ransomware Groups

  • Qilin led attacks on providers, with 8 confirmed incidents (4 in the U.S., 2 in Germany).
  • The Gentlemen targeted six organizations across Brazil, India, New Zealand, Poland, Puerto Rico, and Japan.
  • DragonForce focused on healthcare businesses, including Kopran Ltd (Japan) and Reha-Activ (Germany).

Attack Confirmation Challenges

  • Confirmed attacks require public disclosure or matching ransomware claims.
  • Unconfirmed attacks (192 providers, 141 businesses) may involve undisclosed breaches or false claims.
  • U.S. breach disclosure laws contribute to higher confirmation rates compared to other regions.

The data underscores a new normal of persistent ransomware threats in healthcare, with attackers increasingly targeting both providers and supporting businesses.

Source: https://www.comparitech.com/news/healthcare-ransomware-roundup-h1-2026-stats-on-attacks-ransoms-and-data-breaches/

Kopran Ltd cybersecurity rating report: https://www.rankiteo.com/company/kopran-ltd

CHAS Health cybersecurity rating report: https://www.rankiteo.com/company/community-health-association-of-spokane

UnimedAR cybersecurity rating report: https://www.rankiteo.com/company/unimed

"id": "KOPCOMUNI1783607495",
"linkid": "kopran-ltd, community-health-association-of-spokane, unimed",
"type": "Ransomware",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '135,000',
                        'industry': 'Healthcare',
                        'location': 'Germany',
                        'name': 'Unimed',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '131,700',
                        'industry': 'Healthcare',
                        'location': 'Japan',
                        'name': 'Nippon Medical School Musashi Kosugi Hospital',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '92,000',
                        'industry': 'Healthcare',
                        'location': 'Puerto Rico',
                        'name': 'Caribbean Medical Center',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '60,000',
                        'industry': 'Healthcare',
                        'location': 'Canada',
                        'name': 'Lakelands Public Health',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '32,021',
                        'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'Mt. Spokane Pediatrics',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare Tech',
                        'location': 'U.S.',
                        'name': 'TINYpulse (WebMD Health Services)',
                        'type': 'Healthcare Business'},
                       {'industry': 'Pharmaceutical',
                        'location': 'Japan',
                        'name': 'Kopran Ltd',
                        'type': 'Healthcare Business'},
                       {'industry': 'Healthcare',
                        'location': 'Germany',
                        'name': 'Reha-Activ',
                        'type': 'Healthcare Business'}],
 'data_breach': {'data_encryption': 'Yes',
                 'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '579,565',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally identifiable '
                                             'information, medical records'},
 'date_detected': '2026-01-01',
 'description': 'The first half of 2026 saw a sharp rise in ransomware attacks '
                'targeting the healthcare sector, averaging 2.3 incidents per '
                'day, a 14% increase from the second half of 2025. A total of '
                '410 attacks were recorded, with 247 striking hospitals, '
                'clinics, and direct care providers, while 163 hit '
                'healthcare-related businesses, including pharmaceutical '
                'manufacturers, medical billing firms, and tech companies.',
 'impact': {'data_compromised': '579,565 records breached in confirmed attacks',
            'identity_theft_risk': 'High'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The data underscores a new normal of persistent '
                    'ransomware threats in healthcare, with attackers '
                    'increasingly targeting both providers and supporting '
                    'businesses.',
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': ['$310,000 (median for providers)',
                                    '$300,000 (median for businesses)',
                                    '$100M (Nippon Medical School)',
                                    '$2M (TINYpulse)'],
                'ransom_paid': 'Unconfirmed (rumored for Unimed)',
                'ransomware_strain': ['Qilin',
                                      'The Gentlemen',
                                      'LockBit',
                                      'INC',
                                      'DragonForce',
                                      'Lynx']},
 'references': [{'date_accessed': '2026-06-30',
                 'source': 'Cyber Incident Report'}],
 'threat_actor': ['Qilin',
                  'The Gentlemen',
                  'LockBit',
                  'INC',
                  'DragonForce',
                  'Lynx'],
 'title': 'Ransomware Attacks on Healthcare Surge in H1 2026',
 'type': 'Ransomware'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.