






















During the first quarter of 2026, we recorded 120 ransomware attacks on hospitals, clinics, and other healthcare providers. We also noted 81 attacks on businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies.
Attacks on healthcare providers dipped by 15 percent compared to last quarter, while attacks on healthcare businesses rose for the third quarter in a row, jumping by 35 percent.
Despite the dip in attacks on healthcare providers, the above chart demonstrates how attacks within this sector remain consistently high. Attacks on all types of healthcare companies remain lucrative for hackers.
Ransomware attacks can cause mass disruption. An attack on the University of Mississippi Medical Center crippled computer systems and shut down clinics on February 19, 2026. It wasn’t until the following month that systems were restored and clinics were reopened.
Healthcare providers also store vast amounts of data that’s often highly sensitive. While many breaches are yet to be reported, Nippon Medical School Musashi Kosugi Hospital in Japan already confirmed that 131,700 people were impacted in its February 2026 attack (claimed by NetRunner). Puerto Rico’s Hospital Caribbean Medical Center is notifying 92,000 about its February 2026 attack (claimed by The Gentlemen), which has been confirmed to involve healthcare data.
The same is also true when healthcare businesses are targeted by ransomware groups. Medical device manufacturer UFP Technologies warned of billing and shipment delays after it was hit by an attack in February 2026 (claimed by Payouts King). And Healthdaq, a healthcare recruitment company in Ireland, is warning of a data breach following unauthorized access to its platform in March 2026 (claimed by XP95).
*Please note: this report was written after our Q1 2026 report, so figures may have changed slightly as more attacks have been confirmed.
During Q1 2026, a total of 120 attacks were recorded on global healthcare providers. 26 of these attacks were confirmed.
Eight of these confirmed attacks happened in the US. As well as UMMC (noted above), the following confirmed attacks:
Three attacks were also confirmed in Germany. Two were claimed by Qilin (RENAFAN GmbH and Suchthilfe direkt Essen gGmbH), and an attack on Leinerstift e.V., which hasn’t been claimed by a group at the time of writing.
Qilin was behind the most confirmed attacks on healthcare providers with these four attacks across the US and Germany.
LockBit and The Gentlemen both had three confirmed attacks each. LockBit’s included Consorzio Selenia soc. coop. in Italy as well as the two US companies noted above. Meanwhile, The Gentlemen’s targets were Unimed Anápolis in Brazil, IntraCare in New Zealand, and the Hospital Caribbean Medical Center in Puerto Rico.
From January to March 2026, Comparitech researchers logged 81 attacks on healthcare businesses. Five of these attacks were confirmed.
Two attacks were confirmed in both the US and India. In the US, a veterinary practice (Metro Pet Vet) was targeted by unknown hackers in January 2026, while UFP Technologies was hit in February by Payouts King (see above).
In India, Glenmark Pharmaceuticals suffered an attack in February 2026 by INC with 1.8 TB of data stolen, and Kopran Ltd was also targeted in February 2026 but by DragonForce with nearly 284 GB of data stolen.
Healthdaq, Ireland (see above) was the other confirmed attack.
Across all of the 201 attacks we noted on healthcare providers and businesses throughout Q1 2026, 59 percent (119) were on entities within the US. India (10), Germany (7), and Australia (6) followed.
These are the top four if we look at healthcare providers only, but Canada and Taiwan replace Australia when it comes to healthcare businesses.
The US saw the most confirmed attacks (10), followed by Germany and Japan (3 each). India, Australia, and Turkey all had two confirmed attacks each.
Please note: data breach reporting requirements vary by country, which may skew confirmed attack figures. Countries with mandatory reporting are likely to see more confirmed attacks than those without.
Qilin was the most dominant strain in attacks against healthcare providers with 23 attacks in total. The Gentlemen followed with 10 attacks.
In contrast, INC and NightSpire were the most prolific strains in attacks against healthcare businesses with eight attacks each. Despite Qilin claiming the most attacks across all sectors, only three attacks were registered via this group on healthcare businesses throughout all of Q1 2026. This would appear to suggest that healthcare businesses aren’t a prime target for Qilin.
Hackers alleged to have stolen more than twice the amount of data from healthcare businesses (29 TB) than healthcare providers (13 TB), despite healthcare providers accounting for more attacks in total (120 compared to 81).
Across the 120 attacks on healthcare providers, just over 13 TB of data was stolen. Beast claims to have stolen the most: 2 TB in total (across just three attacks).
Ransomware groups claim they stole more than 29 TB of data across the 81 attacks on healthcare businesses. Metaencryptor said it stole 14 TB in its attack on a German pharmaceutical manufacturer, but this remains unconfirmed.
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is derived from our worldwide ransomware tracker (updated daily) – here.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。