Comparitech disclosed that in the first nine months of 2025, 293 ransomware attacks were recorded on hospitals, clinics, and other direct care providers. An additional 130 attacks targeted businesses within the healthcare sector, including pharmaceutical manufacturers, medical billing providers, and healthcare tech companies. Attacks on healthcare providers mirrored the figures from 2024 during the same period, while attacks on healthcare businesses rose by 30%.
Rebecca Moody, head of data research at Comparitech, attributed the rise in ransomware attacks on healthcare businesses in 2025 to the increasing frequency of attacks on healthcare providers in recent years, according to a Thursday news post.
“From the 2024 attack on Ascension in the US, which saw nearly 5.6 million records breached, to the crippling 2024 attack on UK-based Synnovis, which saw Qilin demand a US$50 million ransom, there have been many high-profile attacks on this sector,” according to Moody. “This has raised awareness of the threat of ransomware in healthcare, which, in turn, may have spurred organizations into action. For example, providers may have worked to make sure systems are up to date, employees have received cybersecurity training, regular backups are stored, and so on.”
Secondly, she detailed that healthcare businesses often deal with multiple healthcare providers, whether that’s through the processing of vast amounts of data, such as payment service providers, or shared systems like technology vendors.
“These give hackers access to a larger number of organizations through one central target, thus increasing the scope of the ensuing data breaches,” Moody wrote. “Attacks on healthcare providers have declined, but they now face ransomware threats from a different angle—the third-party contractors they enlist to carry out various services.”
Across the 423 attacks Comparitech noted on healthcare providers and businesses, the US saw the highest number, with 257 in total. Of these, 74 were confirmed, with 63 on providers and 11 on businesses. Australia, Germany, and the United Kingdom followed with 15, 13, and 12 attacks, respectively. These top four remain the same for attacks on healthcare providers only, but the top targeted countries change when it comes to healthcare businesses. Here, the US remains top with 65 attacks in total, but is followed by Italy (7) and India (6).
The lower attack figures in all countries except the US make it challenging to directly compare Q1 to Q3 of 2024 with the same period in 2025, especially considering that many attacks are confirmed months after the event.
Moody mentioned that one country defying the trend among healthcare providers is Australia, which experienced a significant increase of 67% in its overall attack numbers. In 2025, 15 attacks were logged, compared to nine during the same period in 2024. Attacks on healthcare providers surged by 83%, rising from six in 2024 to 11 in 2025, while attacks on healthcare businesses grew slightly from three to four.
In the U.S., the total number of healthcare-related attacks during Q1 to Q3 of 2024 was 252. The 2025 figure of 257 is only marginally higher. Attacks on healthcare businesses rose by 51%, from 43 in 2024 to 65 in 2025. However, attacks on healthcare providers decreased by 8%, from 209 in 2024 to 192 in 2025.
Key findings for Q1-Q3 2025 ransomware attacks on the healthcare sector reveal a total of 293 attacks on healthcare providers. Of these, 94 were confirmed, and 199 were unconfirmed. The confirmed attacks resulted in the breach of 7,422,608 records, with an average ransom demand of $514,000.
The most prolific ransomware strains targeting healthcare providers included INC (39 attacks), Qilin (34), SafePay (21), RansomHub (13), and Medusa (13). INC led with the highest number of confirmed attacks (15), followed by Qilin (14), Medusa (8), RansomHub (6), and BianLian (5).
For healthcare businesses, there were 130 total attacks, with 23 confirmed and 107 unconfirmed. These confirmed attacks breached 6,049,434 records, with an average ransom demand of $532,000.
Here, the most common ransomware strains against healthcare businesses were Qilin (19 attacks), KillSec (12), Akira (10), INC (9), and SafePay (7). Among these, Qilin had the highest number of confirmed attacks (4), followed by KillSec, Akira, and RansomHub, each with 2 confirmed attacks.
INC emerged as the most active ransomware strain targeting healthcare providers in 2025, while Qilin dominated attacks against healthcare businesses. However, when success is measured by the volume of data stolen rather than the number of incidents, several other ransomware groups stand out for the scale of their breaches.
Interlock was responsible for the largest number of compromised records among healthcare providers, with a total of 2,735,407 records breached. Most of these stemmed from its attack on DaVita, alongside confirmed breaches affecting Texas Digestive Specialists (44,579 records), Kettering Health, and Naper Grove Vision Care.
Nova ranked second, breaching 941,180 records in total. The majority came from its attack on Clinical Diagnostics, with an additional breach of 180 records tied to the Spanish mental health organization Pere Claver Grup.
BianLian placed third, with all five of its confirmed attacks on U.S. healthcare companies resulting in data exposure. In addition to targeting Goshen Medical Center and Medical Associates of Brevard, the group claimed responsibility for attacks on Alabama Ophthalmology Associates (131,576 records), Sonrisas Dental Health (15,644 records), and Minnesota Orthodontics.
Qilin claimed to have stolen the largest volume of data overall—more than 11.1 terabytes. Roughly 8 terabytes of that total came from its attack on Israel’s Shamir Medical Center, for which the group reportedly demanded a $700,000 ransom in exchange for data deletion.
“Despite only claiming one attack on a healthcare organization, Van Helsing had the biggest attack by records affected. It took credit for the attack on Australia’s Compumedics Limited, in which over 320,000 people are confirmed to have been notified—so far,” Moody said. “KillSec came second with nearly 241,000 records affected across its attacks. All of these arise from its attack on Ocuco Limited, Ireland.”
She added that INC also claims it stole the most data in this category, over 20.1 TB in total. “Most of this came from a claim on Singular Genomics and Deerfield Management, which has yet to be confirmed by the company.”
Earlier this month, Comparitech reported 5,186 ransomware attacks worldwide so far in 2025, marking a 36% increase from the 3,810 incidents recorded during the same period in 2024. The third quarter saw a further 6% rise over the previous quarter, with attacks climbing from 1,434 to 1,517, including 158 confirmed cases. The surge, however, has not been consistent across all sectors. Attacks on the education sector increased by just 5%, while incidents targeting the healthcare sector declined by 2%.
