Why is U.S. healthcare facing a surge in ransomware attacks?

This blog is a summary of our latest threat landscape report covering the U.S. healthcare sector. Between January 2025 and January 2026, the United States remained the most targeted country globally for cyberattacks, accounting for 18.3% of all claimed cyber incidents worldwide. Within this landscape, the healthcare sector has emerged as a primary target for extortion-driven threats, with ransomware accounting for approximately 67% of healthcare-targeted activity.

Our analysis reveals that healthcare organizations face repeat exposure from a concentrated group of operators and affiliates, making this sector particularly vulnerable to data-driven extortion. Interested in our full threat intelligence reporting? Get in touch with us to access this content.

What makes the U.S. such an attractive target for cyber criminals?

The United States accounted for 18.3% of all claimed cyber incidents worldwide during the January 2025 to January 2026 period, making it the most targeted country in our observed dataset. Attack volumes against U.S.-based entities averaged approximately 650 claims per month, with a recorded peak of 898 incidents in February 2025.

A cross-year comparison indicates a material increase in overall activity levels in 2025, with approximately 30 to 40% more incidents than 2024. The increase appears volume-driven, with no evidence of a structural change in dominant attack types at the aggregate level.

The U.S. recorded approximately 6,111 ransomware and data breach claims, ranking first globally in absolute volume. This places the United States ahead of India (1,100+), Indonesia (989), and France (926) in terms of ransomware and extortion-related activity.

The February 2025 peak is particularly telling. This surge month was predominantly ransomware-led, reflecting intensified extortion activity rather than experimentation with alternative techniques. A significant portion of this spike is attributable to Cl0p, which claimed 237 U.S. victims in February, following bulk disclosures linked to prior exploitation of zero-day vulnerabilities in file transfer software.

Which sectors are being hit the hardest?

Sectoral distribution of ransomware and data breach activity affecting U.S. entities highlights a concentration in data-dense and operationally exposed verticals:

  • Financial services lead with 408 incidents (approximately 16.4%), reflecting high monetization potential
  • Building and construction follows with 355 incidents (approximately 14.3%), underscoring a strong attacker focus on distributed project ecosystems
  • Healthcare records 286 incidents (approximately 11.2%), where attackers leverage both sensitive data and high disruption pressure
  • Manufacturing (239 incidents; approximately 9.6%) and IT services (229 incidents; approximately 9.2%) further illustrate convergence between operational dependency and cyber risk

Legal services and education remain attractive due to high-value data and uneven security maturity, while government administration rounds out a landscape dominated by data-centric extortion.

Why is healthcare disproportionately targeted?

The U.S. healthcare sector recorded over 350 claimed attacks during the observed period. The attack-type distribution shows a higher concentration of extortion-related activity than the national baseline, with ransomware accounting for approximately 67% of healthcare incidents.

When combined, ransomware and data breach claims represent approximately 85% of U.S. healthcare-targeted activity, indicating a predominance of data-driven extortion models in this sector. This pattern reflects the sector’s dual exposure: high-value sensitive data (protected health information, insurance records, identity artifacts) combined with significant operational leverage, where even limited service disruption can have immediate real-world consequences.

Monthly healthcare incident counts in 2025 range from 24 incidents at the lowest point to 48 at peak, broadly aligning with national-level fluctuations rather than displaying strong sector-specific seasonality. Healthcare disruption activity led by hacktivists remains diffuse and opportunistic, with low actor concentration and limited evidence of sustained, healthcare-exclusive campaigns.

A notable exception occurred on March 24, 2025, when DieNet claimed five DDoS attacks against U.S. healthcare-related organizations, explicitly linking the activity to geopolitical events. Targets included EHR providers, a regional hospital, and a national EMS organization, illustrating how healthcare-adjacent digital infrastructure can become symbolic targets during geopolitical escalation.

What role do infostealers play in healthcare breaches?

When comparing infostealer-related compromise across high-interest sectors, the U.S. healthcare sector shows material exposure in 2025, with over 12,300 compromised users and more than 550 affected employees recorded during the year.

While healthcare trails financial services (118,900+ users; 3,450+ employees) and government administration (37,300+ users; 540+ employees) in absolute user volume, it shows a broad organizational footprint, edging government in affected employees.

This recurring signal is more consistent with structural exposure than temporal noise, reflecting decentralized environments, SaaS dependence, third-party access, and credential reuse. In this context, infostealers likely function as an initial access vector, an access resale precursor, and a lateral movement enabler, increasing the likelihood of follow-on identity-driven intrusions once valid credentials are obtained.
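The distinction the figures above draw between "compromised users" and "affected employees" comes down to triage of stealer-log records: which credentials belong to staff identities or remote-access services (the initial-access and lateral-movement cases), which are patients or customers on a public portal, and which are unrelated. The following Python is an added example, not code from the report or from CybelAngel; it assumes a hypothetical organisation (example-health.org, a VPN host, a third-party EHR SaaS host) and runs over constructed log lines in the common URL|USER|PASS stealer layout.

```python
"""Triage constructed infostealer records for a hypothetical healthcare org.

Added example (not from the report). The organisation profile and the log
lines are assumptions constructed for illustration, not real leaked data.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical organisation profile (assumed, not from the report).
CORP_EMAIL_DOMAINS = {"example-health.org"}
CORP_HOSTS = {
    "vpn.example-health.org",   # remote access appliance
    "mail.example-health.org",  # webmail / SSO
    "ehr-vendor.example",       # third-party SaaS used by staff
}
REMOTE_ACCESS_HOSTS = {"vpn.example-health.org"}

# Constructed records: URL|USER|PASS, one per line.
SAMPLE_LOG = """\
https://vpn.example-health.org/login|jdoe@example-health.org|Winter2025!
https://mail.example-health.org/owa|jdoe@example-health.org|Winter2025!
https://patientportal.example-health.org/|mary.patient@gmail.com|hunter2
https://ehr-vendor.example/auth|jdoe@example-health.org|Winter2025!
https://shop.example.net/account|bob@example.org|qwerty
https://patientportal.example-health.org/|tom@outlook.com|Pa55w0rd
"""


def parse_stealer_log(text):
    """Parse URL|USER|PASS lines; skip malformed ones rather than failing."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3 or not parts[0].startswith("http"):
            continue
        url, user, password = parts
        host = (urlparse(url).hostname or "").lower()
        records.append({"host": host, "user": user.strip().lower(), "password": password})
    return records


def is_corp_host(host):
    return host in CORP_HOSTS or any(
        host == d or host.endswith("." + d) for d in CORP_EMAIL_DOMAINS
    )


def classify(record):
    """employee: corporate identity (staff mailbox, VPN, vendor SaaS)
    customer: external identity on a corporate service (e.g. patient portal)
    unrelated: neither the identity nor the target belongs to the org"""
    user_domain = record["user"].rsplit("@", 1)[-1] if "@" in record["user"] else ""
    if user_domain in CORP_EMAIL_DOMAINS:
        return "employee"
    if is_corp_host(record["host"]):
        return "customer"
    return "unrelated"


def triage(text):
    """Group users by class, flag password reuse across hosts and any
    employee credential valid against a remote-access host."""
    buckets = {"employee": set(), "customer": set(), "unrelated": set()}
    hosts_per_cred = defaultdict(set)
    remote_access = set()
    for r in parse_stealer_log(text):
        kind = classify(r)
        buckets[kind].add(r["user"])
        hosts_per_cred[(r["user"], r["password"])].add(r["host"])
        if kind == "employee" and r["host"] in REMOTE_ACCESS_HOSTS:
            remote_access.add(r["user"])
    reused = {
        user: sorted(hosts)
        for (user, _), hosts in hosts_per_cred.items()
        if len(hosts) > 1
    }
    return {
        "employee": sorted(buckets["employee"]),
        "customer": sorted(buckets["customer"]),
        "unrelated": sorted(buckets["unrelated"]),
        "reused": reused,
        "remote_access": sorted(remote_access),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

In this constructed set, one staff account appears against the VPN, webmail and the vendor SaaS with the same password, which is the record to act on first (reset, session revocation, MFA check on the VPN); the patient-portal entries are a notification and fraud problem rather than an intrusion precursor.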

Who are the most active threat actors targeting healthcare?

Healthcare ransomware activity is highly concentrated, with a limited number of operators accounting for a disproportionate share of incidents. Qilin alone represents over 15% (65 claims) of healthcare ransomware cases, signaling a clear leadership position within the sector.

This concentration suggests that healthcare organizations face repeat exposure from the same operators and affiliates, making actor-aware defense, early intrusion detection, and affiliate tradecraft monitoring particularly relevant.

Other active operators include INC Ransom (26 incidents) and Sinobi (20), both of which show a strong focus on U.S.-based healthcare targets. Cross-sector and cross-country analysis further indicates that healthcare consistently ranks among the top target verticals for these groups (2nd for Qilin and Sinobi, 1st for INC Ransom), reinforcing its status as a strategic extortion target within ransomware affiliate ecosystems.

Understanding Qilin’s operations

Qilin, also known as Agenda, operates a mature ransomware-as-a-service (RaaS) model and has demonstrated sustained operational capability since its emergence. The group employs affiliate-based operations, enabling variability in tradecraft, and uses ransomware payloads written in Go and Rust, supporting cross-platform deployment across Windows and Linux environments.

In 2025, Qilin was observed as one of the most active ransomware groups by number of publicly claimed victims. Among over 1,070 claimed victims in 2025, construction, financial services, and healthcare were the most represented sectors.

Claimed incidents indicate a primary focus on U.S.-based organizations, alongside a broader geographic distribution across North America and Europe. The volume of publicly claimed victims increased significantly toward the end of 2025, peaking in October through December. As of January 28, 2026, the group has added 92 new entities to its victim list, continuing prior month trends.

Based on consolidated observations across confirmed Qilin incidents, the group and its affiliates commonly gain initial access through phishing campaigns, abuse of exposed remote access and edge services (such as RDP and VPN appliances), and weak or reused credentials. Once inside, they rely on built-in administrative tools, dump credentials and escalate privileges, then exfiltrate data before deploying the ransomware payload and encrypting files across Windows and Linux environments, so that the stolen data supports double extortion.
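Because that chain (exposed remote access, credential dumping, exfiltration, then encryption) is ordered, a detection pass can score a host by how far along it the observed events have progressed rather than alerting on each signal in isolation. The following Python is an added example, not code from the report, from CybelAngel or from any Qilin tooling; the event field names, thresholds and the JSON-lines events are assumptions constructed for illustration, and the credential-dumping command-line patterns are well-known LSASS dumping tradecraft in general, not patterns the report attributes to Qilin specifically.

```python
"""Score constructed endpoint/netflow events against the ordered chain
exposed RDP -> credential dumping -> bulk exfiltration -> encryption.

Added example (not from the report). Field names, thresholds and the events
below are assumptions constructed for illustration.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed events, one JSON object per line (field names assumed).
EVENTS = """\
{"ts":"2025-06-01T01:02:03Z","host":"WS01","kind":"logon","event_id":4624,"logon_type":10,"user":"jdoe","src_ip":"203.0.113.7"}
{"ts":"2025-06-01T01:05:00Z","host":"WS01","kind":"process","event_id":4688,"user":"jdoe","cmd":"whoami /all"}
{"ts":"2025-06-01T01:20:00Z","host":"WS01","kind":"process","event_id":4688,"user":"jdoe","cmd":"rundll32.exe comsvcs.dll, MiniDump 712 l.dmp full"}
{"ts":"2025-06-01T02:10:00Z","host":"WS01","kind":"netflow","dst_ip":"198.51.100.9","bytes_out":2400000000}
{"ts":"2025-06-01T03:00:00Z","host":"WS01","kind":"file_rename","count":5300,"new_ext":".locked"}
{"ts":"2025-06-01T09:00:00Z","host":"WS02","kind":"logon","event_id":4624,"logon_type":10,"user":"admin","src_ip":"10.0.5.4"}
{"ts":"2025-06-01T09:01:00Z","host":"WS02","kind":"process","event_id":4688,"user":"admin","cmd":"procdump.exe -ma notepad.exe"}
"""

# RFC 1918 ranges; anything else is treated as "internet" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Generic LSASS dumping command lines (common tradecraft, assumed here).
DUMP_PATTERNS = [
    re.compile(r"comsvcs\.dll.*minidump", re.I),  # rundll32 MiniDump export
    re.compile(r"procdump.*lsass", re.I),          # Sysinternals procdump on lsass
    re.compile(r"sekurlsa", re.I),                 # mimikatz module name
]
EXFIL_BYTES = 500_000_000   # assumed per-flow threshold for "bulk" transfer
RENAME_BURST = 1000         # assumed burst size indicating mass encryption

CHAIN = ["rdp_from_internet", "credential_dump", "bulk_exfil", "encryption"]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def stage_of(ev):
    """Map one event to a chain stage, or None if it is benign for our purposes."""
    kind = ev.get("kind")
    if kind == "logon" and ev.get("logon_type") == 10 and not is_internal(ev["src_ip"]):
        return "rdp_from_internet"  # RemoteInteractive logon from outside RFC 1918
    if kind == "process" and any(p.search(ev.get("cmd", "")) for p in DUMP_PATTERNS):
        return "credential_dump"
    if kind == "netflow" and ev["bytes_out"] >= EXFIL_BYTES and not is_internal(ev["dst_ip"]):
        return "bulk_exfil"
    if kind == "file_rename" and ev["count"] >= RENAME_BURST:
        return "encryption"
    return None


def detect(lines):
    """Per host: ordered stage hits, chain depth, and whether exfiltration
    preceded encryption (the double-extortion ordering)."""
    hits = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        stage = stage_of(ev)
        if stage:
            hits[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, seq in hits.items():
        seq.sort()  # ISO-8601 UTC timestamps sort lexically
        stages = [s for _, s in seq]
        exfil_first = (
            "bulk_exfil" in stages and "encryption" in stages
            and stages.index("bulk_exfil") < stages.index("encryption")
        )
        findings[host] = {
            "stages": stages,
            "chain_depth": len(set(stages) & set(CHAIN)),
            "double_extortion_pattern": exfil_first,
        }
    return findings


if __name__ == "__main__":
    for host, f in detect(EVENTS).items():
        print(host, f)
```

The point of scoring by chain depth is that the first stage alone (a type 10 logon from the internet) is exactly the condition an exposed RDP host produces every day; the same event followed by an LSASS dump on the same host within the hour is what should page someone, well before the rename burst that marks encryption.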

What we cover in the full report

Our full threat landscape report covers the following areas of intelligence:

  • Complete analysis of U.S. targeting volume and macro-level observations
  • Detailed attack type and sectoral target distribution across all industries
  • Overview of main threat actors targeting the United States
  • U.S. healthcare sector threat landscape overview with monthly trends
  • Most active operators targeting the healthcare sector with victimology analysis
  • Comprehensive threat actor profile on Qilin, including tactics, techniques, and procedures
  • Infostealer-related credential compromise patterns specific to healthcare
  • DDoS and disruption activity affecting healthcare-adjacent infrastructure
  • Actionable recommendations for healthcare sector defense and resilience

The report also provides tactical intelligence on how threat vectors have evolved and recommendations for proactive monitoring and defense strategies specifically tailored to healthcare organizations.

Get in touch to access the full threat note

CybelAngel continues to monitor the U.S. healthcare threat environment closely. If your operations involve the healthcare sector or intersect with affected verticals, now is the time to assess third-party exposure, monitor credential compromise, and strengthen your defensive posture against extortion-driven threats. To request this note as a non-CybelAngel client, get in touch.
