Cyfirma has released its latest industry report, highlighting the cybersecurity threats facing the global healthcare sector. Over the past 90 days, the company identified 130 confirmed ransomware attacks targeting the healthcare sector, making healthcare the sixth most targeted of the 14 sectors it tracks and accounting for 8.1% of the 1,605 victims recorded across industries. Pharmaceutical and biotechnology companies, hospitals, and clinics are the most frequent ransomware victims in the sector, and primary and senior care providers also appear frequently.
Ransomware attacks in the healthcare sector are dominated by the US for-profit segment, with 70 of the 130 victims based in the US, accounting for 54% of all cases. Australia and Canada each recorded five victims, while Italy and the UK followed with four each. Despite the concentration in the US, the geographical spread remains wide, with healthcare victims recorded in 33 countries in the past 90 days, up from 26 previously.
The report provides original insights and data-driven analysis based on the company's unique threat telemetry, highlighting ransomware activity, phishing campaigns, and broader attack trends over the past three months. Packaged in a visual infographic format, the report is part of a weekly series exploring one industry per quarter, aiming to arm organizations with timely sector-specific intelligence.
“In the last three months, Cyfirma telemetry has identified 2,789 references from the healthcare industry out of a total of 57,633 industry references, from a total of 300K+ posts across various underground and dark web channels and forums,” the report states. For the same period, it adds: “The healthcare industry has not been significantly affected by advanced persistent threat (APT) campaigns. The healthcare industry is currently not a frequent goal for APT (advanced persistent threat) actors due to its relatively low strategic value in the state-sponsored cyber operations context.”
Also, unlike sectors such as defense, energy, and finance, which hold sensitive geopolitical, economic, or technical data, healthcare organizations typically manage data with limited intelligence or national security utility. “Another factor is operational risk. Targeting health systems, particularly hospitals, can have reputational or diplomatic consequences, especially when lives are at risk. Meanwhile, financially motivated actors like ransomware groups continue to exploit healthcare for fear tor. The focus around most APT campaigns.”
Monthly activity fluctuated over the past 180 days, with elevated levels in March and February. Cyfirma's monthly breakdown of ransomware activity shows which gangs were consistently active and which appeared only sporadically. Qilin and Incransom maintained steady operations across the three months, while groups like Everest surfaced only briefly, recording victims in a single month. Of the 76 ransomware groups tracked, 38 targeted the healthcare sector in the last 90 days, a 50% participation rate. Qilin tops the list with 24 confirmed victims.
What stands out is the disproportionate share of each gang's total victims that comes from the healthcare sector. Several groups have shown an emphasis on healthcare, suggesting that it may be a primary target rather than a secondary one.
Among the top five gangs, Qilin had 12.2% of its attacks directed at healthcare, Incransom recorded 25.4%, and KillSec recorded 20%. Everest and Bianlian showed sharper targeting, with 57.1% and 60% of their known victims in healthcare, respectively. Of the top 20 most active gangs, 12 recorded a double-digit share of their total victims within the healthcare sector.
Earlier this month, the Health-ISAC Heartbeat for the first quarter of 2025 revealed ongoing patterns of cybersecurity incidents and data breaches affecting healthcare organizations over the past year. Ransomware activity temporarily declined in the third quarter of 2024, but rebounded in the fourth quarter and continued to rise in early 2025. VPN provider vulnerabilities and continued exposure to compromised credentials remained persistent risk factors throughout the reporting period.
Cyfirma assessed that the threat from APT campaigns remains low, as the healthcare industry is a peripheral target for APT hackers. No APT campaigns over the past 90 days explicitly targeted this sector. This trend reflects the sector's low geopolitical and strategic intelligence value, particularly when compared to finance or defense. Additionally, targeting hospitals and critical healthcare systems carries reputational and diplomatic risks, which deters state-sponsored operations unless they relate to specific research or pandemic surveillance.
With healthcare ranked 8th, at 4.84% of all dark web and underground chatter over the past 90 days, Cyfirma assesses a moderate threat level for underground and dark web chatter. Mentions of data breaches fell by 17%, while chatter about data leaks stabilized. Ransomware mentions remained consistently high, indicating a continuous threat. Hacktivism claims collapsed by 82%, and hacking mentions fell. DDoS activity was volatile but trended downward. Web exploit mentions fell by 73%, suggesting an improved defensive posture or a change in attackers' priorities.
Similarly, the report assessed a moderate threat level for vulnerabilities. Healthcare ranked 6th in detected CVEs, accounting for 6.39% of industry-related vulnerabilities. Injection attacks surged in March, possibly targeting Electronic Health Record (EHR) systems or patient portals. Remote Code Execution (RCE) remains a high-risk vector despite a slight reduction. Cross-site scripting (XSS) fell sharply, but memory/buffer defects increased, probably due to aging infrastructure and medical device software. Denial-of-Service (DoS) vulnerabilities also increased, which aligns with a modest DDoS threat profile.
Cyfirma rated the ransomware threat to healthcare as moderate. There were 130 incidents in the last 90 days, down slightly from 132, and the sector ranked sixth in ransomware volume. Healthcare currently accounts for 8.1% of all recorded victims.
In April, Cyfirma examined the external threat landscape for manufacturing over the preceding three months, providing insights and data-driven statistics covering attack campaigns, phishing telemetry, and ransomware incidents. The observed campaigns were carried out by diverse threat actors, most notably Chinese nation-state groups, as well as unidentified Vietnamese, Thai, and English-speaking groups, suggesting that financial motivations are still prevalent in manufacturing.