
CYFIRMA has released its latest Industry Report, spotlighting cybersecurity threats facing the global healthcare sector. In the past 90 days, the firm identified 130 confirmed ransomware attacks targeting the healthcare sector, accounting for 8.1 percent of the 1,605 total victims across industries, placing healthcare as the sixth most-targeted among 14 tracked sectors. Pharma and biotech, hospitals, and clinics are the most frequent victims of ransomware in this industry, while primary care and senior care are also frequently targeted.
Ransomware attacks in the healthcare sector are dominated by the U.S. for-profit segment, with 70 out of 130 victims based in the U.S., accounting for 54 percent of all cases. Australia and Canada each reported five victims, while Italy and the U.K. followed with four each. Despite the concentration in the U.S., the geographic spread remains broad, with healthcare victims recorded in 33 countries over the past 90 days, up from 26 in the previous period.
The report offers original insights and data-backed analysis based on the firm’s proprietary threat telemetry, highlighting ransomware activity, phishing campaigns, and broader attack trends from the past three months. Packaged in a visual, infographic format, the report is part of a weekly series that explores one industry per quarter, aiming to arm organizations with timely, sector-specific intelligence.
“Over the past three months, CYFIRMA’s telemetry has identified 2,789 mentions of the healthcare industry out of a total of 57,633 industry mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums,” CYFIRMA researchers wrote in a Monday research post. Over the same period, “the healthcare industry has not been significantly impacted by advanced persistent threat (APT) campaigns. The healthcare industry is not currently a frequent target of APT (Advanced Persistent Threat) actors due to its comparatively low strategic value in the context of state-sponsored cyber operations.”
Also, unlike sectors such as defense, energy, or finance, which hold sensitive geopolitical, economic, or technological data, healthcare organizations typically manage data with limited intelligence or national security utility. “Another factor is operational risk: targeting healthcare systems, particularly hospitals, can carry reputational or diplomatic consequences, especially if lives are endangered. While financially motivated actors like ransomware groups continue to exploit healthcare for extortion, nation-state APTs tend to avoid such targets unless specific biotechnological research, pandemic data, or government-affiliated medical institutions are involved. As a result, healthcare remains a peripheral focus for most APT campaigns.”
Monthly activity fluctuated across the last 180 days, with elevated levels during March and February. CYFIRMA’s monthly breakdown of ransomware activity highlights which gangs were consistently active and which appeared sporadically. Qilin and Incransom maintained steady operations across all three months, while groups like Everest surfaced only briefly, recording victims in a single month. Of the 76 ransomware groups tracked, 38 targeted the healthcare sector in the past 90 days, marking a 50 percent participation rate. Qilin topped the list with 24 confirmed victims.
What stands out is the disproportionate share of each gang’s total victims that came from the healthcare sector. Several groups demonstrated a strong focus on healthcare, suggesting it may be a primary target rather than a secondary one.
Among the top five gangs, Qilin had 12.2 percent of its attacks directed at healthcare, Incransom recorded 25.4 percent, and Killsec followed with 20 percent. Everest and Bianlian showed even sharper targeting, with 57.1 percent and 60 percent of their known victims, respectively, in healthcare. Of the top 20 most active gangs, 12 recorded double-digit shares of their total victims within the healthcare sector.
Earlier this month, the First Quarter 2025 Health-ISAC Heartbeat revealed a continued pattern of cybersecurity incidents and data breaches affecting healthcare organizations over the past year. Although ransomware activity briefly declined in the third quarter of 2024, it rebounded in the fourth quarter and continued to rise into early 2025. Vulnerabilities in VPN providers and the ongoing exposure of compromised credentials remained persistent risk factors throughout the reporting period.
CYFIRMA identified that the threat from APT campaigns remains low, as the healthcare industry remains a peripheral target for APT hackers. None of the APT campaigns from the past 90 days explicitly targeted this sector. This trend reflects the sector’s low geopolitical and strategic intelligence value, especially when compared to finance or defense. Additionally, targeting hospitals and critical healthcare systems carries reputational and diplomatic risks, which discourages state-sponsored operations unless tied to specific research or pandemic surveillance.
When it comes to underground and dark web chatter, CYFIRMA recognizes a moderate threat level, as healthcare accounted for 4.84 percent of all dark web and underground chatter over the past 90 days, ranking 8th. Data breach mentions declined by 17 percent, while data leak chatter stabilized. Ransomware mentions remained consistently high, showing that it is an ongoing threat. Hacktivism mentions collapsed by 82 percent, and claimed hacks also fell. DDoS activity was volatile but trended downward. Web exploit mentions declined by 73 percent, suggesting improved defensive posture or shifts in attacker priorities.
Likewise, it assessed a moderate threat level for vulnerabilities. Healthcare ranked 6th in detected CVEs, making up 6.39 percent of industry-linked vulnerabilities. Injection attacks surged in March, likely targeting electronic health record (EHR) systems or patient portals. Remote Code Execution (RCE) remains a high-risk vector despite a slight decline. Cross-site scripting (XSS) dropped sharply, while memory/buffer flaws increased, possibly due to aging infrastructure and medical device software. Denial of Service (DoS) vulnerabilities also grew, aligning with a modest DDoS threat profile.
CYFIRMA assessed the ransomware threat to healthcare as moderate. With 130 incidents in the past 90 days, the sector ranked sixth in ransomware volume, slightly down from 132. Healthcare now accounts for 8.1 percent of all recorded victims.
In April, CYFIRMA delved into the external threat landscape of the manufacturing industry over the past three months, providing insights and data-driven statistics covering attack campaigns, phishing telemetry, and ransomware incidents. Observed campaigns are conducted by a diverse range of threat actors, most prominently Chinese nation-state groups and unidentified Vietnamese, Thai, and English-speaking groups, suggesting financial motivations are still prevalent in the manufacturing industry.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.