Ransomware in Healthcare 2026: The Attack Timeline From First Access to Encrypted Records

In April 2025, the Interlock ransomware group published data stolen from DaVita on their dark web leak site. DaVita operates more than 2,600 kidney dialysis centers across the United States, providing life-sustaining treatment to patients whose survival depends on regular access to care. According to HIPAA Journal, the group had access to DaVita systems from March 24 to April 12, 2025, a 19-day window during which they accessed a laboratory database containing the protected health information of 2,689,826 individuals, including demographic, clinical and tax information. DaVita confirmed that critical patient care was maintained throughout the incident. The data, however, was already gone.

That last sentence is what most US healthcare incident response plans are not built around.

Why US healthcare is the primary ransomware target in 2026

Ransomware groups launched 1,174 publicly disclosed attacks in 2025, a 49% year-over-year increase, with 22% targeting medical organisations, the highest concentration of any single sector globally. The FBI IC3 2024 Annual Report recorded 460 ransomware incidents specifically in US healthcare and public health, more than any other critical infrastructure subsector. The most active groups against US providers in 2025 were Qilin, INC Ransom, Akira, RansomHub and Interlock.

Above: a warning message from Akira during an attack. Read our Akira guide here.

The targeting logic is straightforward. US hospitals cannot pause clinical operations while a ransomware negotiation plays out. Every hour an electronic health record system is offline, clinicians work blind on medication histories, allergies and imaging results. Emergency departments activate diversion protocols and send ambulances elsewhere. Pharmacies revert to paper. Average US healthcare downtime costs $900,000 per day, creating operational leverage that no other sector faces at the same intensity.

The shift in attack tactics in 2025 made this worse. Encryption rates in US healthcare fell to 34% of incidents in 2025, from 74% the previous year, while extortion-only attacks tripled to 12% of cases, according to Sophos. Attackers are stealing data before encrypting it, or skipping encryption entirely, because US patient records are sensitive enough to generate ransom pressure without the operational noise of a full encryption event. US healthcare organisations that have solved their backup problem have not solved their ransomware problem.

The attack timeline, stage by stage

The attacker was inside before your MFA was even relevant (Days 0 to 1)

The Change Healthcare attack, the largest healthcare data breach in US history affecting 190 million Americans, began through a single Citrix server that lacked multi-factor authentication. The attacker authenticated using valid credentials obtained through a prior infostealer infection, entering the environment as a legitimate user with no anomaly for any internal tool to detect. In 2025, 32% of US ransomware attacks began with exploited vulnerabilities in unpatched VPN appliances or edge devices, and 23% used stolen credentials obtained through infostealers or phishing. US healthcare environments are disproportionately exposed on both vectors: legacy clinical systems that cannot be patched without taking equipment offline, and large non-technical workforces that are reliable phishing targets.

The detection window that most US healthcare organisations are not using exists before the attacker reaches the network. Stolen credentials do not appear on dark web markets the same day they are used in an intrusion. They circulate on platforms like Russian Market and 2easy for days or weeks following an infostealer infection, available for purchase before any attack is attempted. External credential monitoring gives US security teams an advance warning window between theft and intrusion that no internal tool provides. Change Healthcare’s credentials were available before anyone at the company knew they had been taken, and that window was the missed opportunity.

Three days of silence while they map everything you own (Days 1 to 3)

Once inside a US hospital or health system network, ransomware groups spend one to three days in a reconnaissance phase before touching anything clinical. They identify domain controllers, backup infrastructure, EHR systems, clinical device networks and the administrative accounts that carry the access they need to deploy ransomware at scale. Common tactics across US healthcare attacks include social engineering of IT help desks, rapid privilege escalation, targeted exports from EHR and imaging systems, and SQL database dumps of patient and payer records.

Living-off-the-land techniques dominate this phase. Attackers use built-in Windows utilities, PsExec, WMI, PowerShell and RDP, rather than custom malware that endpoint tools would flag. The only reliable detection mechanism is behavioural: an administrative credential accessing clinical systems it has never previously accessed, at 2am, across several consecutive nights. Signature-based endpoint tools generate no alert because nothing unusual has been introduced to the network. This is why the average US healthcare breach takes 279 days to identify.
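The behavioural signal described above (an administrative account reaching clinical hosts it has never touched, in the middle of the night, on consecutive nights) can be checked directly against authentication logs. The following is an added example, not CybelAngel's code or any vendor's product; the log format, account names and hostnames are constructed for illustration.

```python
"""Behavioural detection over constructed authentication log lines.

Flags an admin account that authenticates to hosts absent from its
baseline, during off-hours, on several consecutive calendar nights.
Every line, account and host below is constructed, not real incident data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: "timestamp,account,host,result" during normal operations.
BASELINE = """\
2025-03-10T09:12:00,svc_backup_admin,bkp-srv-01,success
2025-03-11T10:01:00,svc_backup_admin,bkp-srv-01,success
2025-03-12T08:45:00,svc_backup_admin,bkp-srv-02,success
"""

# Constructed live window: the same account touching EHR and imaging hosts at 2am.
LIVE = """\
2025-03-24T02:07:00,svc_backup_admin,ehr-db-01,success
2025-03-25T02:11:00,svc_backup_admin,pacs-img-03,success
2025-03-26T02:03:00,svc_backup_admin,ehr-db-02,success
2025-03-26T09:30:00,svc_backup_admin,bkp-srv-01,success
"""

def parse(lines):
    """Split CSV-style log lines into (datetime, account, host, result) tuples."""
    out = []
    for line in lines.strip().splitlines():
        ts, account, host, result = line.split(",")
        out.append((datetime.fromisoformat(ts), account, host, result))
    return out

def known_hosts(baseline):
    """Per-account set of hosts observed during the baseline period."""
    seen = defaultdict(set)
    for _, account, host, _ in baseline:
        seen[account].add(host)
    return seen

def off_hours(ts, start=22, end=6):
    """True for logins between 22:00 and 06:00 (assumed clinical quiet hours)."""
    return ts.hour >= start or ts.hour < end

def detect(baseline, live, min_nights=3):
    """Return {account: longest run of consecutive nights} for accounts whose
    successful off-hours logins hit never-before-seen hosts on >= min_nights
    consecutive calendar dates (a 23:00/01:00 pair counts as two dates)."""
    seen, nights = known_hosts(baseline), defaultdict(set)
    for ts, account, host, result in live:
        if result == "success" and off_hours(ts) and host not in seen[account]:
            nights[account].add(ts.date())
    hits = {}
    for account, dates in nights.items():
        ordered, run, best = sorted(dates), 1, 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b - a == timedelta(days=1) else 1
            best = max(best, run)
        if best >= min_nights:
            hits[account] = best
    return hits
```

The daytime login to bkp-srv-01 on the third day is ignored because the host is in the account's baseline and the hour is inside working hours; only the three 2am logins to unfamiliar clinical hosts raise the alert.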

Your backups do not matter at this point (Days 2 to 4)

The data exfiltration phase changed fundamentally in 2025, and most US healthcare security strategies have not updated to reflect it. By mid-2025, approximately three-quarters of ransomware cases against US healthcare organisations included data exfiltration prior to or instead of encryption. In the Episource attack (Episource is a UnitedHealth Group subsidiary providing medical coding and risk adjustment services), the attacker accessed an AWS environment from January 27 to February 6, 2025, and exfiltrated files containing the PHI of 5,418,866 individuals across multiple US provider clients, including Sharp HealthCare in California. Episource's backup infrastructure was irrelevant to the outcome because the data left the network before any encryption event occurred.

The practical implication for US healthcare CISOs is direct. A HIPAA-compliant backup architecture that restores clinical systems in 48 hours does not undo the exfiltration of 5.4 million US patient records. It does not prevent the extortion demand that follows. It does not eliminate the HHS OCR investigation, the class action exposure under state privacy laws or the patient notification obligations under HITECH. Backups solve the availability problem. They do not address the data theft that now precedes encryption in three-quarters of US healthcare ransomware cases.

They found your backups on day three. They deleted them on day four. (Days 3 to 4)

Backup repositories are targeted in 96% of ransomware attacks and successfully compromised in 76% of cases. US organisations with compromised backups face recovery costs eight times higher than those with intact ones. Recovery within one week is achieved by 46% of organisations with intact backups and only 26% of those whose backups were compromised. The most operationally sophisticated ransomware groups targeting US healthcare prioritise backup deletion specifically because a provider that cannot restore systems quickly faces pressure to pay regardless of their stated policy on ransom payments.

Immutable offline backups stored in a location that cannot be accessed through the same administrative credentials the attacker already holds are the specific architectural control that separates a three-day recovery from a three-month one. The gap between this recommendation and its implementation across US healthcare is where the $7.42 million average breach cost lives.

Encryption is the least of your problems by now (Day 4 to 5)

When encryption does occur, the operational impact on a US hospital network is immediate and severe. EHR access disappears. Pharmacy barcode scanning goes offline. Diagnostic imaging backs up in queues. Emergency departments activate diversion protocols and ambulances are redirected to facilities already absorbing displaced patient volume. Clinical staff revert to paper records and manual medication reconciliation under conditions they have frequently not rehearsed. Frederick Health in Maryland experienced this in January 2025, with its attack affecting over 934,000 US patients, cancelling appointments and disrupting operations across multiple facilities.

Average ransom demands on US healthcare providers were $615,000 in 2025, significantly below the total financial exposure the incident creates. UnitedHealth Group reported $3.09 billion in direct response costs from the Change Healthcare attack through the first nine months of 2024, and provided over $9 billion in advance funding to downstream US providers to keep the healthcare payment ecosystem solvent while systems were offline. The ransom figure is consistently the smallest component of total incident cost. This is why the FBI consistently advises US healthcare organisations against paying: it funds future attacks, provides no enforceable guarantee of data deletion, and does not reduce the operational cost of the incident itself.

Where the detection opportunities are

The 279-day average US healthcare breach lifecycle is not inevitable. It reflects the gap between when attackers are active in a network and when conventional security tools detect them. Every day of that gap is a day during which more PHI is at risk, more systems are accessible and the eventual recovery is more expensive.

| Attack stage | What US security teams miss | What closes the gap |
|---|---|---|
| Initial access | Credentials stolen via infostealer before they are used. Authentication logs show a successful login with no anomaly flagged. | Dark web credential monitoring: detects US employee and vendor credentials on criminal markets before they are used in an intrusion. |
| Lateral movement | Living-off-the-land techniques using built-in Windows tools. No new malware. No EDR signature match. | Behavioural anomaly detection on identity and authentication logs. Admin credentials accessing clinical systems at unusual hours. |
| Data exfiltration | Cloud sync utilities moving PHI to attacker-controlled AWS or Azure storage blend with legitimate US healthcare cloud traffic. | DLP with cloud egress monitoring. Unusual volume transfers to unrecognised endpoints outside normal clinical or billing workflows. |
| Backup targeting | Attacker uses compromised admin credentials to access backup systems. Indistinguishable from authorised access in SIEM logs. | Immutable offline backup architecture. Privilege separation between backup administrator access and production network credentials. |
| Encryption | Most US EDR tools generate their first alert here, 4 to 5 days after initial access. Detection at this stage means recovery, not prevention. | Everything above. By the time encryption begins, the breach has occurred. The only question is how expensive the recovery will be. |

The single highest-leverage control across every stage of the US healthcare ransomware attack chain is external visibility into the credential exposure that precedes most intrusions. CybelAngel’s credential intelligence monitors dark web markets and infostealer log repositories continuously, alerting US healthcare security teams when employee or vendor credentials appear in criminal infrastructure before they are used in an active attack. Change Healthcare’s credentials were available on dark web markets before the intrusion began. An alert at that point changes the outcome entirely.

Read more profiles in our eBook guide.

For the third-party and vendor dimension, which the Episource breach and Change Healthcare attack demonstrate is now the primary attack surface for US healthcare, CybelAngel’s third-party risk management capabilities provide the external visibility into vendor security posture that HIPAA Business Associate Agreement obligations require but internal monitoring cannot deliver. Most US healthcare security teams are watching their own perimeter. The attacks are coming through the vendors they are not watching.

Frequently asked questions

Because three-quarters of US healthcare ransomware attacks in 2025 included data exfiltration before or instead of encryption. Backups restore your systems. They do not recover patient records that have already left your network. The Episource attack exfiltrated the PHI of 5.4 million individuals from an AWS environment over 11 days before any encryption occurred. Backup architecture was irrelevant to the outcome. HHS OCR investigation, HITECH notification obligations, class action exposure and reputational damage all followed regardless of how quickly systems were restored. And because backup repositories are targeted in 96% of attacks and successfully compromised in 76% of cases, your backups may not be as intact as you believe when you need them.

Valid credentials used from an unusual location, at an unusual time, accessing systems the account has never previously touched are detectable signals in authentication and identity logs, if you are running behavioural detection against them. What most US healthcare organisations are not doing is monitoring the upstream event: the infostealer infection that produced those credentials. Stolen credentials circulate on dark web markets for days or weeks before they are used in an intrusion. External credential monitoring catches the credential at the point of criminal sale, not the point of use, giving security teams a remediation window before any login attempt occurs.

Yes. HIPAA Business Associate Agreement requirements make US covered entities responsible for ensuring vendors maintain adequate safeguards for PHI they process on their behalf. The Episource breach affected Sharp HealthCare and multiple other US provider clients who were not directly compromised but faced notification obligations, regulatory scrutiny and reputational consequences. HHS OCR enforcement intensified in 2025 with 8 of 14 enforcement actions directly involving ransomware attacks. The proposed 2026 HIPAA Security Rule update would make vendor security assessment and ongoing monitoring an explicit documented requirement. Waiting for the final rule to build the programme is the compliance gap OCR is specifically targeting in current enforcement activity.

Longer than most US healthcare incident response plans assume. The average US healthcare ransomware incident results in approximately 24 days of downtime. Recovery within one week is achieved by 46% of organisations with intact backups and only 26% of those without. Frederick Health in Maryland took weeks to restore full operations after its January 2025 attack affecting 934,000 patients. Recovery speed is determined by two variables above all others: whether backup repositories are intact and offline, and whether clinical downtime procedures have been rehearsed before the attack occurs. Untested downtime procedures extend outages significantly because staff who have never practised paper-based clinical workflows under pressure take longer and make more errors than tabletop exercises predict.

The ransom demand is typically the smallest component of total financial exposure for a US healthcare organisation. Average US healthcare ransom demands were $615,000 in 2025. UnitedHealth Group’s total exposure from Change Healthcare exceeded $3 billion in direct response costs in the first nine months of 2024 alone, plus $9 billion in advance funding to downstream US providers. For a mid-size US health system, realistic total impact includes incident response and forensics, technology rebuild, clinical overtime, revenue leakage from diverted patients and cancelled procedures, HHS OCR investigation costs, class action litigation, cyber insurance premium increases and reputational impact on patient volume. Total exposure routinely runs between $50 million and $200 million. The ransom is a fraction of that figure.


CybelAngel monitors the external threat surface that internal security tools cannot see: dark web markets where US employee and vendor credentials are sold after infostealer infections, criminal forums where ransomware groups discuss US healthcare targets before launching campaigns, exposed vendor systems and third-party infrastructure that create indirect access paths into your network, and data leak sites where stolen US patient records are published when ransom demands are not met. The platform delivers specific, analyst-validated alerts (which credential, which market, which vendor, which exposure) rather than raw threat feeds that require internal teams to investigate before acting. In a sector where the average breach takes 279 days to detect internally, that external detection window is where the outcome of the incident is determined.

About the author