惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Are UK council websites adhering to government security guidelines? - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is ARP? ARP protocol explained What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is GhostPairing on WhatsApp? What is a prompt injection attack? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches
Rebecca Mood · 2026-04-27 · via Comparitech

Q1 ransomware roundup_ healthcare

During the first quarter of 2026, we recorded 120 ransomware attacks on hospitals, clinics, and other healthcare providers. We also noted 81 attacks on businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies.

Attacks on healthcare providers dipped by 15 percent compared to last quarter, while attacks on healthcare businesses rose for the third quarter in a row, jumping by 35 percent.

Despite the dip in attacks on healthcare providers, the above chart demonstrates how attacks within this sector remain consistently high. Attacks on all types of healthcare companies remain lucrative for hackers.

Ransomware attacks can cause mass disruption. An attack on the University of Mississippi Medical Center crippled computer systems and shut down clinics on February 19, 2026. It wasn’t until the following month that systems were restored and clinics were reopened.

Healthcare providers also store vast amounts of data that’s often highly sensitive. While many breaches are yet to be reported, Nippon Medical School Musashi Kosugi Hospital in Japan already confirmed that 131,700 people were impacted in its February 2026 attack (claimed by NetRunner). Puerto Rico’s Hospital ⁠Caribbean Medical Center is notifying 92,000 about its February 2026 attack (claimed by The Gentlemen), which has been confirmed to involve healthcare data.

The same is also true when healthcare businesses are targeted by ransomware groups. Medical device manufacturer UFP Technologies warned of billing and shipment delays after it was hit by an attack in February 2026 (claimed by Payouts King). And Healthdaq, a healthcare recruitment company in Ireland, is warning of a data breach following unauthorized access to its platform in March 2026 (claimed by XP95).

*Please note: this report was written after our Q1 2026 report, so figures may have changed slightly as more attacks have been confirmed.

Key findings for Q1 2026 ransomware attacks on the healthcare sector

Healthcare providers

  • 120 attacks in total
  • 26 confirmed attacks
  • 94 unconfirmed attacks
  • 237,747 records are known to have been breached in the confirmed attacks
  • Median ransom demand of $300,000
  • The most prolific ransomware strains with the highest number of claims against healthcare companies were Qilin (23), The Gentlemen (10), Insomnia and LockBit (9 each), and Sinobi (7)
  • Qilin had the most confirmed attacks (4), followed by The Gentlemen and Lockbit (3 each), and Sinobi and NetRunner (2 each)
  • 13 TB of data allegedly stolen

Healthcare businesses

  • 81 attacks in total
  • 5 confirmed attacks
  • 76 unconfirmed attacks
  • Number of records breached – N/A
  • Average ransom – N/A
  • The most prolific ransomware strains with the highest number of claims against healthcare companies were INC and NightSpire (8), Genesis (6), and Akira, Clop, LockBit, and The Gentlemen (5 each)
  • INC, DragonForce, Payouts King, and XP95 each had a confirmed attack
  • 29 TB of data allegedly stolen

Ransomware attacks on healthcare providers

During Q1 2026, a total of 120 attacks were recorded on global healthcare providers. 26 of these attacks were confirmed.

Eight of these confirmed attacks happened in the US. As well as UMMC (noted above), the following confirmed attacks:

  • Mt. Spokane Pediatrics – January 2026 – LockBit
  • Pecan Tree Dental – January 2026 – Sinobi – 13,300 people confirmed to have been affected
  • Rocky Mountain Care – January 2026 – Qilin
  • Elmwood Healthcare – January 2026 – LockBit
  • Lymphedema Therapy Specialists, Inc. – February 2026 – INC – 378 people in Texas confirmed to have been affected
  • Aroostook Mental Health Services, Inc. – March 2026 – Qilin – no ransom paid
  • Bayside Dental – January 2026 – Sinobi

Three attacks were also confirmed in Germany. Two were claimed by Qilin (RENAFAN GmbH and Suchthilfe direkt Essen gGmbH), and an attack on Leinerstift e.V., which hasn’t been claimed by a group at the time of writing.

Qilin was behind the most confirmed attacks on healthcare providers with these four attacks across the US and Germany.

LockBit and The Gentlemen both had three confirmed attacks each. LockBit’s included Consorzio Selenia soc. coop. in Italy as well as the two US companies noted above. Meanwhile, The Gentlemen’s targets were Unimed Anápolis in Brazil, IntraCare in New Zealand, and the Hospital ⁠Caribbean Medical Center in Puerto Rico.

The Gentlemen Hospital ⁠Caribbean Medical Center
The Gentlemen claims attack on the Hospital ⁠Caribbean Medical Center

Ransomware attacks on healthcare businesses

From January to March 2026, Comparitech researchers logged 81 attacks on healthcare businesses. Five of these attacks were confirmed.

Two attacks were confirmed in both the US and India. In the US, a veterinary practice (Metro Pet Vet) was targeted by unknown hackers in January 2026, while UFP Technologies was hit in February by Payouts King (see above).

In India, Glenmark Pharmaceuticals suffered an attack in February 2026 by INC with 1.8 TB of data stolen, and Kopran Ltd was also targeted in February 2026 but by DragonForce with nearly 284 GB of data stolen.

Healthdaq, Ireland (see above) was the other confirmed attack.

Glenmark Pharma claimed by ransomware group INC

Ransomware attacks on the healthcare sector by country

Across all of the 201 attacks we noted on healthcare providers and businesses throughout Q1 2026, 59 percent (119) were on entities within the US. India (10), Germany (7), and Australia (6) followed.

These are the top four if we look at healthcare providers only, but Canada and Taiwan replace Australia when it comes to healthcare businesses.

The US saw the most confirmed attacks (10), followed by Germany and Japan (3 each). India, Australia, and Turkey all had two confirmed attacks each.

Please note: data breach reporting requirements vary by country, which may skew confirmed attack figures. Countries with mandatory reporting are likely to see more confirmed attacks than those without.

Which ransomware gangs are targeting healthcare providers and/or businesses?

Qilin was the most dominant strain in attacks against healthcare providers with 23 attacks in total. The Gentlemen followed with 10 attacks.

In contrast, INC and NightSpire were the most prolific strains in attacks against healthcare businesses with eight attacks each. Despite Qilin claiming the most attacks across all sectors, only three attacks were registered via this group on healthcare businesses throughout all of Q1 2026. This would appear to suggest that healthcare businesses aren’t a prime target for Qilin.

Hackers alleged to have stolen more than twice the amount of data from healthcare businesses (29 TB) than healthcare providers (13 TB), despite healthcare providers accounting for more attacks in total (120 compared to 81).

Across the 120 attacks on healthcare providers, just over 13 TB of data was stolen. Beast claims to have stolen the most: 2 TB in total (across just three attacks).

Ransomware groups claim they stole more than 29 TB of data across the 81 attacks on healthcare businesses. Metaencryptor said it stole 14 TB in its attack on a German pharmaceutical manufacturer, but this remains unconfirmed.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is derived from our worldwide ransomware tracker (updated daily) – here.