
A new report from Forescout Technologies highlights a troubling surge in the frequency and impact of data breaches, with organizations of all sizes and across every industry under growing threat. Ransomware dominates as the leading cause, trailed by third-party compromises and phishing attacks. Healthcare organizations were hit especially hard, as nearly half of all breaches affecting more than 5,000 individuals in 2024 targeted the healthcare sector. The report identifies healthcare, financial services, and professional services as the three most heavily affected industries.
As of April 30 this year, the healthcare sector has reported 238 confirmed data breaches, compromising the personal information of more than 20 million individuals, Forescout mentioned in its Wednesday blog post. In 56 percent of these incidents, the data was stored on network servers, making them a primary target and underscoring the ongoing risk of insufficient segmentation and weak security controls. Healthcare remains the most affected industry, driven by the high black-market value of medical records and the sector’s dependence on outdated, fragmented systems that are notoriously difficult to defend against modern cyber threats.
Ransomware groups remain the driving force behind many of these incidents, but their tactics have evolved. Rather than relying solely on file encryption, many now use double extortion strategies: first stealing sensitive data, then encrypting systems to increase pressure on victims. Some threat actors have abandoned encryption entirely, opting instead to exfiltrate data and extort victims with the threat of public exposure.
The Forescout disclosure comes amidst reports that Kettering Health is responding to a suspected ransomware attack that disrupted hospital operations, limited access to patient care systems, and led to canceled elective procedures. Emergency services remain operational as the organization works to contain the breach and investigate the incident.
Forescout’s analysis of 734 data breaches in 2024, each affecting more than 5,000 individuals, reveals a staggering average of over two incidents daily. Ransomware was the top cause, followed by third-party system compromises, email compromises, and phishing. More than 90 percent of breaches occurred in the U.S., with Australia and the U.K. trailing behind.
The average HIPAA enforcement penalty in 2024 topped US$554,000. That year also saw 32 mega-breaches exposing data on more than 10 million people, along with 57 breaches impacting between 1 million and 10 million individuals. Another 342 breaches affected between 10,000 and 100,000 people.
The research dataset reveals an average of over 60 breaches per month, roughly two per day. “Over 90% of these incidents affected entities in the US. This is partly due to the US-centric nature of our data sources, but also reflects a persistent trend: the US continues to be the most targeted country by ransomware operators and other threat actors. Australia and the UK were the second and third most affected countries, respectively. Collectively, these breaches affected a total of 2,447,878,758 identities – almost two and a half billion, averaging over three million individuals per incident.”
Forescout reported that out of 47 ransomware groups linked to breaches, a handful are responsible for the majority of the attacks. LockBit stands out as the most active, implicated in nearly 19 percent of analyzed breaches, underscoring its dominance and operational maturity. ALPHV/BlackCat and Clop follow closely, each involved in around 10 to 11 percent of cases, reflecting their growing influence in the ransomware-as-a-service ecosystem.
Karakurt, BianLian, and RansomHouse also appear prominently, each accounting for roughly 6 to 8 percent of incidents. Groups like 8Base, Snatch, and Akira show up with comparable frequency, indicating that lesser-known or recently rebranded actors are gaining traction. Royal, Play, and Vice Society round out the top twelve, each responsible for around 5 percent of breaches in the dataset.
This distribution highlights a key trend: while a few major players dominate, the ransomware threat landscape is far from monolithic. The presence of newer groups suggests ongoing fragmentation and innovation, which makes attribution harder and defense more complex. As ransomware tactics increasingly involve data exfiltration and double extortion, defenders must go beyond prevention and focus on comprehensive incident response, especially in environments where IT and OT (operational technology) systems converge.
Forescout reported that as of April 30, 2025, a total of 238 data breaches had been disclosed in the U.S. Department of Health and Human Services (HHS) breach portal, which requires mandatory reporting for any incident impacting more than 500 individuals. Of these breaches, only nine investigations had been concluded, while 229 were still under review.
Collectively, these incidents affected 20,627,232 individuals, averaging approximately 86,669 people per breach. Notably, four of the breaches each impacted over one million individuals. The majority of breaches, 74 percent, occurred at healthcare providers. Business associates accounted for 17 percent of the incidents, while health plans were responsible for the remaining 9 percent.
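The figures above (breach count, total and average individuals affected, share by entity type, share of incidents where data sat on a network server, and the size tiers used earlier in the article) are all aggregates over breach-portal records. The script below is an added example, not Forescout's analysis code, showing how such a summary is computed from a CSV export in the layout of the HHS breach portal. The column names are assumed to match the portal's export, and the six records are constructed samples with hypothetical entity names, not real breaches.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout assumed for the HHS OCR breach portal
# export (the portal lists breaches affecting 500 or more individuals).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Hospital A,OH,Healthcare Provider,1200000,01/15/2025,Hacking/IT Incident,Network Server
Example Clinic B,TX,Healthcare Provider,48000,02/03/2025,Hacking/IT Incident,Network Server
Example Billing Vendor C,CA,Business Associate,750000,02/20/2025,Hacking/IT Incident,Network Server
Example Health Plan D,NY,Health Plan,9500,03/11/2025,Unauthorized Access/Disclosure,Email
Example Clinic E,FL,Healthcare Provider,3200,03/29/2025,Theft,Laptop
Example Practice F,IL,Healthcare Provider,15000,04/10/2025,Hacking/IT Incident,"Network Server, Email"
"""

MIN_INDIVIDUALS = 5000  # inclusion threshold used by the report

SIZE_TIERS = [  # (label, lower bound inclusive, upper bound exclusive)
    ("10k-100k", 10_000, 100_000),
    ("100k-1M", 100_000, 1_000_000),
    ("1M-10M", 1_000_000, 10_000_000),
    ("mega (>10M)", 10_000_000, float("inf")),
]


def parse_breach_csv(text):
    """Parse the CSV export into plain dicts, skipping rows without a usable count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            affected = int(row["Individuals Affected"].replace(",", ""))
        except ValueError:
            continue  # missing or malformed count: leave the row out
        rows.append({
            "entity": row["Name of Covered Entity"],
            "entity_type": row["Covered Entity Type"],
            "affected": affected,
            "breach_type": row["Type of Breach"],
            # one breach may list several locations, comma separated
            "locations": [loc.strip() for loc in row["Location of Breached Information"].split(",")],
        })
    return rows


def tier_of(affected):
    for label, lo, hi in SIZE_TIERS:
        if lo <= affected < hi:
            return label
    return "under 10k"


def summarize(records, min_individuals=MIN_INDIVIDUALS):
    """Aggregate the metrics the article reports, over breaches at or above the threshold."""
    rows = [r for r in records if r["affected"] >= min_individuals]
    n = len(rows)
    total = sum(r["affected"] for r in rows)
    by_type = Counter(r["entity_type"] for r in rows)
    on_server = sum(1 for r in rows if "Network Server" in r["locations"])
    return {
        "count": n,
        "total_affected": total,
        "avg_affected": total // n if n else 0,
        "share_by_entity_type": {k: round(100 * v / n) for k, v in by_type.items()},
        "pct_on_network_server": round(100 * on_server / n) if n else 0,
        "over_1m": sum(1 for r in rows if r["affected"] > 1_000_000),
        "by_tier": dict(Counter(tier_of(r["affected"]) for r in rows)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_breach_csv(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

On the constructed sample, the 3,200-person breach drops below the 5,000 threshold, leaving five records, of which four list a network server as the data location (80 percent), mirroring the "data stored on network servers" share the report highlights. Feeding the real export through `summarize` reproduces the same shape of figures for the full year.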
Several government and regulatory bodies offer practical guidance for preventing and responding to data breaches. Among the most widely used resources are CISA’s guidelines for breaches caused by ransomware, the FTC’s data breach response guide for businesses, and recommendations from the Australian Cyber Security Centre. Building on these resources and insights from its research, Forescout outlines several key actions that healthcare and other organizations should take to reduce their risk of data breaches.
First, all sensitive data, including personally identifiable information (PII), protected health information (PHI), and financial data, should be encrypted in transit and at rest. Organizations must also identify and assess the risk exposure of all network-connected assets that store or process sensitive data. This includes servers, IT endpoints, networking equipment, OT, Internet of Things (IoT) devices, and medical devices. To support this effort, Vedere Labs has published an updated list of the riskiest connected devices as of 2025, along with specific guidance on securing medical devices.
All network-connected assets should be hardened by patching known vulnerabilities, changing weak or default credentials, and disabling unused services. Particular attention should be paid to critical assets that store or process sensitive data, as well as the systems that provide access to them, such as network infrastructure and domain controllers.
Organizations should implement multi-factor authentication (MFA) wherever feasible to limit the impact of credential-based attacks involving compromised data. Management interfaces of routers, firewalls, VPN appliances, and other network infrastructure should not be exposed to the internet, as these are frequent ransomware targets, particularly through recent and zero-day vulnerabilities.
To further protect sensitive systems, network segmentation and access controls should be applied to restrict both internal and external connectivity. Continuous monitoring of traffic to and from critical assets is essential to detect and respond quickly to signs of a data breach. Any attempts to exploit known vulnerabilities or signs of anomalous behavior should be promptly investigated.
Forescout has also published a dedicated guide to help detect the most common ransomware tactics, techniques, and procedures (TTPs), offering another layer of defense against these evolving threats.
As recommended mitigations, Forescout called upon organizations to encrypt sensitive data both in transit and at rest, with particular focus on protecting personally identifiable information (PII), protected health information (PHI), and financial data. They must also continuously identify and assess the risk and exposure of all network-connected assets that store or process sensitive data. Once identified, these assets must be hardened by applying available security patches, replacing weak or default credentials, and disabling any unnecessary services.
Network connectivity to systems that handle sensitive data should be tightly controlled through the use of network segmentation and network access control technologies. Finally, traffic to and from these critical assets should be actively monitored to detect and respond to potential breaches in real time.
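The checklist spelled out in the two passages above (encryption at rest and in transit for PII/PHI/financial data, asset identification, patching, default credentials, unused services, MFA, no internet-exposed management interfaces, segmentation, and traffic monitoring) only becomes actionable once it is run against an inventory and the findings are ranked. The script below is an added example, not Forescout's tooling, that encodes those rules and prioritizes findings by whether the asset holds sensitive data or is one of the access-granting systems the text names (domain controllers, network infrastructure). The inventory, host names and attribute names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One network-connected asset with the attributes the checklist cares about (constructed schema)."""
    name: str
    kind: str                                    # e.g. "server", "medical-device", "firewall"
    data_classes: set = field(default_factory=set)  # subset of {"PII", "PHI", "financial"}
    encrypted_at_rest: bool = True
    encrypted_in_transit: bool = True
    default_credentials: bool = False
    unpatched_known_vulns: int = 0
    unused_services: list = field(default_factory=list)
    mfa_enforced: bool = True
    mgmt_interface_internet_exposed: bool = False
    segmented: bool = True
    traffic_monitored: bool = True


# Systems that provide access to everything else; the text singles these out.
ACCESS_GATEWAYS = {"domain-controller", "firewall", "vpn", "router", "switch"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def is_critical(asset):
    return bool(asset.data_classes) or asset.kind in ACCESS_GATEWAYS


def assess(asset):
    """Return (severity, message) findings for one asset against the checklist."""
    base = "critical" if is_critical(asset) else "high"
    findings = []
    if asset.data_classes and not asset.encrypted_at_rest:
        findings.append((base, f"{sorted(asset.data_classes)} stored unencrypted at rest"))
    if asset.data_classes and not asset.encrypted_in_transit:
        findings.append((base, "sensitive data transmitted without encryption"))
    if asset.default_credentials:
        findings.append((base, "default or weak credentials in use"))
    if asset.unpatched_known_vulns:
        findings.append((base, f"{asset.unpatched_known_vulns} known vulnerabilities unpatched"))
    if asset.mgmt_interface_internet_exposed:
        findings.append(("critical", "management interface reachable from the internet"))
    if not asset.mfa_enforced:
        findings.append((base, "MFA not enforced on interactive access"))
    if asset.unused_services:
        findings.append(("medium", f"unused services enabled: {', '.join(asset.unused_services)}"))
    if is_critical(asset) and not asset.segmented:
        findings.append(("high", "not isolated by network segmentation or access control"))
    if is_critical(asset) and not asset.traffic_monitored:
        findings.append(("high", "traffic to and from asset is not monitored"))
    return findings


def prioritize(inventory):
    """Flatten findings across the inventory, most severe first, then by asset name."""
    rows = [(sev, a.name, msg) for a in inventory for sev, msg in assess(a)]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[0]], r[1]))


# Constructed sample inventory (hypothetical hosts, not from the report)
SAMPLE_INVENTORY = [
    Asset("ehr-db-01", "server", {"PHI", "PII"}, encrypted_at_rest=False,
          unpatched_known_vulns=3, segmented=False),
    Asset("infusion-pump-12", "medical-device", {"PHI"}, default_credentials=True,
          encrypted_in_transit=False, unused_services=["telnet"], traffic_monitored=False),
    Asset("edge-fw-01", "firewall", mgmt_interface_internet_exposed=True, mfa_enforced=False),
    Asset("kiosk-lobby", "workstation", unused_services=["smbv1"]),
    Asset("dc-01", "domain-controller"),
]

if __name__ == "__main__":
    for sev, name, msg in prioritize(SAMPLE_INVENTORY):
        print(f"[{sev:8}] {name}: {msg}")
```

The ranking deliberately treats an internet-exposed management interface as critical regardless of what the device stores, matching the text's point that network infrastructure is a frequent entry point; a workstation with a stray service ends up at the bottom of the list, while the fully hardened domain controller produces no findings at all. Populating `SAMPLE_INVENTORY` from a real asset-discovery export is the only change needed to use it on a live network.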