Ransomware Attacks on Healthcare Surge in H1 2026, Reaching New Highs
The first half of 2026 saw a sharp rise in ransomware attacks targeting the healthcare sector, averaging 2.3 incidents per day a 14% increase from the second half of 2025. A total of 410 attacks were recorded, with 247 striking hospitals, clinics, and direct care providers, while 163 hit healthcare-related businesses, including pharmaceutical manufacturers, medical billing firms, and tech companies.
Attacks on healthcare providers rose by 3%, but those on healthcare businesses surged by 35%, with medical device retailers and drug wholesalers experiencing the steepest increase (67%). Manufacturers saw a 36% rise, while healthcare tech firms faced a 12% uptick.
Key Findings
-
Healthcare Providers (247 attacks):
- 55 confirmed, 192 unconfirmed
- 424,740 records breached in confirmed attacks
- Median ransom demand: $310,000
- Top ransomware strains: Qilin (41 claims), The Gentlemen (31), LockBit (17), INC (15)
-
Healthcare Businesses (163 attacks):
- 22 confirmed, 141 unconfirmed
- 154,825 records breached in confirmed attacks
- Median ransom demand: $300,000
- Top ransomware strains: DragonForce (14), The Gentlemen (13), INC (12), Qilin (10)
Major Breaches in H1 2026
The largest incidents included:
- Unimed (Germany, April 2026) – 135,000 affected (data theft, possible ransom payment)
- Nippon Medical School Musashi Kosugi Hospital (Japan, February 2026) – 131,700 affected ($100M ransom demand, unpaid)
- Caribbean Medical Center (Puerto Rico, February 2026) – 92,000 affected (claimed by The Gentlemen)
- Lakelands Public Health (Canada, January 2026) – 60,000 affected (claimed by Lynx)
- Mt. Spokane Pediatrics (U.S., January 2026) – 32,021 affected (claimed by LockBit)
Most of these breaches occurred in January–March 2026, highlighting delays in public disclosure.
Ransom Demands & Payments
- Median demands were $310,000 (providers) and $300,000 (businesses).
- No official ransom payments were confirmed, though Unimed (Germany) is rumored to have paid.
- Nippon Medical School (Japan) rejected a $100M demand, the largest in H1 2026.
- TINYpulse (WebMD Health Services, U.S.) faced a $2M demand in June 2026 after 859MB of Nintendo employee data was stolen.
Geographic Trends
- U.S. (225 attacks) – Most targeted, though attacks on providers dropped 7%.
- Germany (18), India (17), Canada (15), Australia (12) – Significant increases, with India (+700%) and Canada (+83%) seeing the largest spikes.
- Japan, Brazil, Poland, New Zealand, and Colombia also saw notable attacks.
Dominant Ransomware Groups
- Qilin led attacks on providers, with 8 confirmed incidents (4 in the U.S., 2 in Germany).
- The Gentlemen targeted six organizations across Brazil, India, New Zealand, Poland, Puerto Rico, and Japan.
- DragonForce focused on healthcare businesses, including Kopran Ltd (Japan) and Reha-Activ (Germany).
Attack Confirmation Challenges
- Confirmed attacks require public disclosure or matching ransomware claims.
- Unconfirmed attacks (192 providers, 141 businesses) may involve undisclosed breaches or false claims.
- U.S. breach disclosure laws contribute to higher confirmation rates compared to other regions.
The data underscores a new normal of persistent ransomware threats in healthcare, with attackers increasingly targeting both providers and supporting businesses.
Kopran Ltd cybersecurity rating report: https://www.rankiteo.com/company/kopran-ltd
CHAS Health cybersecurity rating report: https://www.rankiteo.com/company/community-health-association-of-spokane
UnimedAR cybersecurity rating report: https://www.rankiteo.com/company/unimed
"id": "KOPCOMUNI1783607495",
"linkid": "kopran-ltd, community-health-association-of-spokane, unimed",
"type": "Ransomware",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '135,000',
'industry': 'Healthcare',
'location': 'Germany',
'name': 'Unimed',
'type': 'Healthcare Provider'},
{'customers_affected': '131,700',
'industry': 'Healthcare',
'location': 'Japan',
'name': 'Nippon Medical School Musashi Kosugi Hospital',
'type': 'Healthcare Provider'},
{'customers_affected': '92,000',
'industry': 'Healthcare',
'location': 'Puerto Rico',
'name': 'Caribbean Medical Center',
'type': 'Healthcare Provider'},
{'customers_affected': '60,000',
'industry': 'Healthcare',
'location': 'Canada',
'name': 'Lakelands Public Health',
'type': 'Healthcare Provider'},
{'customers_affected': '32,021',
'industry': 'Healthcare',
'location': 'U.S.',
'name': 'Mt. Spokane Pediatrics',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare Tech',
'location': 'U.S.',
'name': 'TINYpulse (WebMD Health Services)',
'type': 'Healthcare Business'},
{'industry': 'Pharmaceutical',
'location': 'Japan',
'name': 'Kopran Ltd',
'type': 'Healthcare Business'},
{'industry': 'Healthcare',
'location': 'Germany',
'name': 'Reha-Activ',
'type': 'Healthcare Business'}],
'data_breach': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '579,565',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally identifiable '
'information, medical records'},
'date_detected': '2026-01-01',
'description': 'The first half of 2026 saw a sharp rise in ransomware attacks '
'targeting the healthcare sector, averaging 2.3 incidents per '
'day, a 14% increase from the second half of 2025. A total of '
'410 attacks were recorded, with 247 striking hospitals, '
'clinics, and direct care providers, while 163 hit '
'healthcare-related businesses, including pharmaceutical '
'manufacturers, medical billing firms, and tech companies.',
'impact': {'data_compromised': '579,565 records breached in confirmed attacks',
'identity_theft_risk': 'High'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The data underscores a new normal of persistent '
'ransomware threats in healthcare, with attackers '
'increasingly targeting both providers and supporting '
'businesses.',
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': ['$310,000 (median for providers)',
'$300,000 (median for businesses)',
'$100M (Nippon Medical School)',
'$2M (TINYpulse)'],
'ransom_paid': 'Unconfirmed (rumored for Unimed)',
'ransomware_strain': ['Qilin',
'The Gentlemen',
'LockBit',
'INC',
'DragonForce',
'Lynx']},
'references': [{'date_accessed': '2026-06-30',
'source': 'Cyber Incident Report'}],
'threat_actor': ['Qilin',
'The Gentlemen',
'LockBit',
'INC',
'DragonForce',
'Lynx'],
'title': 'Ransomware Attacks on Healthcare Surge in H1 2026',
'type': 'Ransomware'}