CYFIRMA reported that healthcare organizations are facing an increasingly hostile cyber threat environment, with ransomware emerging as the sector’s most significant risk. Over the past 90 days, healthcare accounted for 216 verified ransomware victims, representing 9.05% of ransomware victims globally and ranking the sector third among 14 industries. The report found that ransomware attacks against healthcare increased 8.5% quarter over quarter, with April alone recording 90 victims, well above the sector’s previous six-month average.
In a new report, CYFIRMA identified healthcare victims in 42 countries, up from 33 in the prior period, while 50 of 81 active ransomware gangs targeted healthcare organizations, highlighting broad criminal interest in hospitals, pharmaceutical firms, and specialized medicine providers. The report also warned that nation-state activity and supply chain risks are compounding the threat landscape. Healthcare organizations appeared in 10 of 33 observed advanced persistent threat (APT) campaigns, up from three of 19 campaigns in the previous reporting period. North Korea-linked Lazarus Group led observed activity, while Russia-, China-, and Iran-linked actors also targeted the sector.
The researchers further noted that web applications, operating systems, web portals, and access management platforms remain key targets as attackers pursue credential theft and patient data. The company also identified supply chain concentration as a defining structural risk, warning that a breach at a specialized healthcare IT provider can cascade across multiple hospitals and healthcare networks simultaneously, amplifying operational disruption and cyber exposure.
“Healthcare organizations did feature in 10 out of the 33 observed campaigns, which is a presence in 30% of all campaigns, an increase from the previous period, where healthcare organizations were present in 3 out of 19 campaigns, an increase in presence in 16% of observed campaigns,” CYFIRMA reported. “APT activity targeting Healthcare has been sustained. Most of the campaigns remain active and have been updated with new detection as recently as June.”
The research found that 50 of the 81 gangs recorded victims in healthcare organizations in the last 90 days, a disturbing 62% participation rate. The report's chart shows only gangs with 2 or more victims. “The Gentlemen had the highest number of victims and a meaningful 11.7% share out of all their 240 victims in this industry. Genesis, Cmdorganization, Spacebears, and Anubis stand out as gangs with the highest shares of healthcare victims. Among gangs with more than 5 victims, on average, 13.7% of their victims are from this industry. That is about 1 in 7 victims.”
CYFIRMA reported that observed APT campaigns show a diverse nation-state actor mix this period. “North Korea-associated Lazarus Group leads with the highest number of observed campaigns, consistent with known DPRK targeting of healthcare organizations for both intelligence collection and financial objectives. Russia-linked Cozy Bear recorded two campaigns, notable given its known focus on healthcare and pharmaceutical research targets.”
Additionally, China-linked actors are represented through MISSION2074, Hafnium, Lotus Blossom, Stone Panda, APT27, and TICK. Iran-linked OilRig and Charming Kitten both feature alongside MISSION2025.
The report identified that web applications and operating systems account for the majority of observed attacks this period. Database management software and application security software each recorded single instances, consistent with threat actor interest in accessing patient data and undermining defensive tooling. The remaining targeted technologies (web portal software, office suites, and web access management software) are particularly relevant in a healthcare context, pointing to threat actor interest in credential access, internal communications, and patient-facing systems alongside core infrastructure.
Over the past 90 days, DeCYFIR and DeTCT platforms tracked 780 cyber incidents reported publicly, CYFIRMA disclosed. “We could identify the industry for 578 of these incidents (74%). The healthcare industry was detected in 21 incidents, which equals 3.63% of the incidents where we knew the industry, ranking 8th out of 14 industries.”
This comes as ShinyHunters dominated the data theft picture, responsible for the sector’s two largest confirmed breaches: DentaQuest (2.6 million records) and a broader Oracle PeopleSoft zero-day campaign in June, hitting over 100 organisations, with healthcare systems disproportionately exposed due to legacy ERP deployments. Novo Nordisk separately disclosed a breach of clinical trials data, which is of high value given the strategic worth of pre-publication pharmaceutical IP.
Ransomware caused direct care disruption on multiple occasions. A ChipSoft attack in April cascaded outages across multiple Dutch hospitals simultaneously, illustrating the multiplier risk of healthcare’s reliance on specialist IT vendors. The Qilin group’s 2023 attack on NHS blood transfusion services in London was still generating disruptions nearly two years on. West Pharmaceutical also disclosed a ransomware incident affecting operations in May.
On the nation-state side, Russia-attributed actors explicitly targeted Ukrainian hospitals and emergency services using newly discovered AgingFly malware. Separately, a Chinese state-linked actor was extradited and charged with espionage against COVID-19 vaccine research, confirming pharmaceutical IP remains a standing Chinese intelligence collection priority.
The quarter’s defining structural risk is supply chain concentration. Clinical IT consolidates around a small number of specialist providers, and a single vendor breach routes to multiple hospitals without those hospitals being individually targeted. That dynamic, more than any single actor or malware family, is likely to define healthcare’s threat landscape in the near term.
“Ransomware dominated observed activity, accounting for the majority of identified techniques and concentrated heavily in the last 30 days,” CYFIRMA detailed. “Wiper attacks appeared three times, also concentrated in the last 30 days, suggesting a notable shift toward destructive attack methods in the most recent period. Social engineering appeared once in the first 30 days. The concentration of both ransomware and wiper attacks in the last 30 days is the most significant pattern, indicating an escalation in the severity of attacks against healthcare organizations toward the end of the reporting period.”
Looking ahead, CYFIRMA noted that the healthcare sector is expected to remain under intense ransomware pressure over the next 90 days, following an 8.5% quarter-on-quarter increase in victims and a sharp spike to 90 victims in April, signaling growing threat actor interest. If elevated attack activity continues, the sector could see between 220 and 260 victims, with healthcare accounting for an increasingly large share of overall ransomware targeting.
Threat activity is broad and deliberate, with 50 of 81 active ransomware groups targeting healthcare and actors such as The Gentlemen, Qilin, DragonForce, and Gunra sustaining strong momentum. Hospitals, pharmaceutical firms, and specialized medicine remain the most exposed subsectors due to their operational criticality and sensitive data, while the U.S. accounts for 53% of victims. At the same time, attacks are expanding globally, with notable increases in India, Germany, Taiwan, and China, underscoring a widening international threat landscape.


