
A continuous trend of cybersecurity incidents and data breaches impacting health sector organizations over the past year has been disclosed in the First Quarter 2025 Health-ISAC Heartbeat. While ransomware events saw a slight decrease in the third quarter of 2024, they continued to trend upward through the fourth quarter and into the first quarter of this year. VPN provider vulnerabilities and compromised credentials remained a consistent theme that created risk for organizations.

Health-ISAC provided 220 Targeted Alerts to specific Health-ISAC member organizations with potentially vulnerable infrastructure to help teams mitigate actively exploited vulnerabilities. 

In the first quarter of 2025, the health sector reported 158 ransomware attacks, marking a slight increase from 154 in the fourth quarter of 2024, underscoring the persistent and growing threat landscape highlighted in the latest Health-ISAC Heartbeat. This continues the upward trend observed since the third quarter of 2024, which had recorded 109 incidents, following a temporary dip from 119 attacks in the second quarter. These 158 incidents in the first quarter accounted for approximately 6.5 percent of the 2,429 total ransomware attacks reported across all sectors during the same period. 

Since 2021, Health-ISAC has tracked a total of 23,606 breaches across sectors, with the health sector alone accounting for 1,370 of those breaches, representing 5.8 percent of the overall total. The vast majority of ransomware incidents in Q1 2025 targeted entities in the Americas, which accounted for 80.6 percent of impacted organizations, followed by the EMEA region at 11.5 percent, and APAC at 7.9 percent. These figures reflect the persistent and evolving cyber threat landscape confronting the global health sector.

The First Quarter 2025 Health-ISAC Heartbeat provides observations of ransomware, cybercrime trends, and malicious actor forum postings that could potentially impact health sector organizations. 

The Health-ISAC’s Targeted Alerts warn organizations of high risks specific to their network, including vulnerable servers, cybercriminals selling access to their networks, stolen intellectual property, and compromised credentials. In 2024, Health-ISAC sent 748 Targeted Alerts to member organizations. The most common themes included open and exposed databases, remote access tools, potentially vulnerable BeyondTrust instances, and a critical authorization bypass vulnerability announced for Next.js middleware.

The Health-ISAC Heartbeat identified that on March 28 of this year, Health-ISAC, in cooperation with intelligence partners, was notified of several potentially vulnerable BeyondTrust instances within many member organizations’ environments. Potentially vulnerable versions of BeyondTrust Privileged Remote Access (PRA) or Remote Support (RS) were detected within many member environment footprints, leaving the affected organizations’ networks open to attack or exploitation by malicious actors.

Health-ISAC delivered 62 Targeted Alerts about potentially vulnerable BeyondTrust instances during the first quarter of 2025. These alerts triggered investigations by member organization teams to determine the version and patch any vulnerable systems. Health-ISAC published a Threat Bulletin with additional information about this actively exploited vulnerability. 

Around the same time, the Health-ISAC, in cooperation with intelligence partners at BlueVoyant, was notified of several potentially vulnerable Next.js interfaces within Health-ISAC member organizations’ environments. Health-ISAC lacks visibility into the specific version of Next.js running within member environments. Teams that received alerts must investigate the current version to determine whether patching is required or has already occurred.

The Health-ISAC Heartbeat reported that the vulnerability, which poses a significant potential risk to the health sector, affects Next.js versions 11.1.4 through 13.5.6, all 14.x versions before 14.2.25, and all 15.x versions before 15.2.3. Health-ISAC delivered 33 Targeted Alerts for potentially vulnerable Next.js middleware instances. These alerts were delivered because the health sector relies on web applications for patient portals, administrative dashboards, and other critical services.
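Because Health-ISAC cannot see which Next.js version a member is actually running, the first step for an alerted team is to read the installed version from the application's lockfile and compare it against the affected ranges the report lists. The following is an added example written for this article, not Health-ISAC, BlueVoyant, or Vercel code; the function names, the `AFFECTED_RANGES` table (taken from the version ranges stated above) and the sample `package-lock.json` object are assumptions constructed for the illustration.

```javascript
// Added example (not Health-ISAC, Vercel, or Next.js project code): decide whether
// an installed Next.js version falls inside the affected ranges the report lists:
// 11.1.4 through 13.5.6, all 14.x before 14.2.25, all 15.x before 15.2.3.

function parseVersion(v) {
  // Accept "15.2.3", "v15.2.3" or "15.2.3-canary.1"; prerelease/build tags are
  // ignored, which errs toward flagging a canary build of an affected release.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as stated in the report. The 11.x-13.x line is an
// inclusive interval; the 14.x and 15.x lines are "everything before the fix".
const AFFECTED_RANGES = [
  { min: [11, 1, 4], max: [13, 5, 6] },
  { major: 14, fixedIn: [14, 2, 25] },
  { major: 15, fixedIn: [15, 2, 3] },
];

function isAffectedNextVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some((r) => {
    if (r.major !== undefined) {
      return v[0] === r.major && compareVersions(v, r.fixedIn) < 0;
    }
    return compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0;
  });
}

// Upgrade target for the remediation ticket. The report names fixed releases
// only for the 14.x and 15.x lines; for 11.1.4-13.5.6 it gives none, so the
// caller has to plan a move to a patched 14.x or 15.x release instead.
function recommendedFix(version) {
  const v = parseVersion(version);
  if (!isAffectedNextVersion(version)) return null;
  const line = AFFECTED_RANGES.find((r) => r.major === v[0]);
  return line ? line.fixedIn.join(".") : null;
}

// npm lockfileVersion 2/3 records the resolved version of every package under
// packages["node_modules/<name>"]; package.json only holds a range like "^14.2.0",
// which says nothing about what is actually installed.
function installedNextVersion(lockfile) {
  const entry = lockfile.packages && lockfile.packages["node_modules/next"];
  return entry && entry.version ? entry.version : null;
}

function assessLockfile(lockfile) {
  const version = installedNextVersion(lockfile);
  if (version === null) return { version: null, affected: false, fixedIn: null };
  return {
    version,
    affected: isAffectedNextVersion(version),
    fixedIn: recommendedFix(version),
  };
}

// Constructed sample lockfile for a hypothetical patient-portal app (not real data).
const SAMPLE_LOCKFILE = {
  name: "patient-portal",
  lockfileVersion: 3,
  packages: {
    "": { name: "patient-portal", dependencies: { next: "^14.2.0" } },
    "node_modules/next": { version: "14.2.24" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessLockfile(SAMPLE_LOCKFILE));
  // { version: '14.2.24', affected: true, fixedIn: '14.2.25' }
}
```

Run it against the real `package-lock.json` (`JSON.parse(fs.readFileSync("package-lock.json"))`) of each web application that received an alert; for yarn or pnpm projects the installed version lives in `node_modules/next/package.json` instead, and the same `isAffectedNextVersion` check applies. The check is deliberately conservative about prerelease tags so that a canary of an affected release is flagged rather than skipped.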

The report also identified that threat actors frequently advertise stolen data or access to organizations’ systems for sale on various underground forums. “In some cases, these posts reveal the names of organizations allegedly breached. At the same time, in other instances, the threat actors conceal the victims’ identities and provide details such as the company’s revenue or sector to indicate the value of the data being auctioned. Payment is typically demanded in a selected cryptocurrency, and sometimes, these transactions are facilitated by middlemen like forum administrators.” 

Often, threat actors share a sample of the stolen data to demonstrate its legitimacy; however, there are rarely any details regarding the origin of the data. 

In the first quarter of this year, the Health-ISAC Heartbeat said there were multiple cases where threat actors tried to sell allegedly stolen data that could have impacted the health sector.

In March, a threat actor under the MIYAK000 handle posted an offer on BreachForums to sell compromised VPN access to an undisclosed U.S.-based Surgery Center. The actor revealed to a private, sensitive source that the alleged impacted victim organization was Bradenton Surgery Center at the bradentonsuregerycenter[dot]com website. 

Subsequently, the actor using the MIYAK000 handle posted an offer on BreachForums to sell compromised network access to an undisclosed U.S.-based Medical Revenue Cycle Management organization. The actor revealed to a private sensitive source that the alleged impacted victim organization was Health Services Integration at the hsihealth[dot]com website.

The Health-ISAC Heartbeat identified INC Ransomware, also known as GOLD IONIC, as a sophisticated ransomware-as-a-service operation active since at least July 2023. The group is particularly notorious for targeting high-value industries, with a significant focus on the health sector. Their operations are characterized by precision targeting, leveraging advanced tactics, techniques, and procedures (TTPs) to maximize impact and extort substantial ransoms. 

Health sector organizations are prime targets for INC Ransomware due to the critical nature of their operations and the high value of medical data. The group exploits the sector’s reliance on legacy systems, limited cybersecurity budgets, and the critical need for operational continuity. 

The key impacts of INC Ransomware attacks on the health sector include significant operational disruption, as the encryption of critical systems results in downtime that delays patient care and medical procedures. These attacks also lead to data breaches involving the theft of sensitive patient information, such as medical records, which are highly sought after on the cybercriminal market. Additionally, affected organizations face substantial financial losses due to ransom payments, legal expenses, regulatory fines, and long-term reputational damage.

The Health-ISAC Heartbeat offered several recommendations to strengthen cybersecurity across the healthcare sector. Organizations are urged to patch all vulnerable devices promptly and maintain up-to-date data backups. Raising employee awareness through continuous security training is essential. Network segmentation should be implemented, along with strict internet access and network controls. 

These organizations must also deploy endpoint protection tools and enforce phishing-resistant multi-factor authentication. Regular security audits, backup testing, and verification should be conducted to ensure resilience. Continuous monitoring for suspicious activity is critical, and organizations should develop detailed incident response plans to maintain business continuity in the event of a cyberattack.

Last month, researchers from Forescout Technologies highlighted a troubling surge in the frequency and impact of data breaches, with organizations of all sizes and across every industry under growing threat. Ransomware dominates as the leading cause, trailed by third-party compromises and phishing attacks. Healthcare organizations were hit especially hard, as nearly half of all breaches affecting more than 5,000 individuals in 2024 targeted the healthcare sector. The report identifies healthcare, financial services, and professional services as the three most heavily affected industries.