Healthcare Cyberattacks: Why Hospitals Are the Top Target and How to Fight Back

Last updated: May 2026

Healthcare is the most expensive industry to breach, the most targeted by ransomware, and one of the least funded for cybersecurity relative to the data it protects. The 2025 Verizon Data Breach Investigations Report recorded 1,710 security incidents in healthcare, with 1,542 confirmed data disclosures. In the first nine months of 2025 alone, Comparitech tracked 293 ransomware attacks on hospitals, clinics, and direct care providers, plus an additional 130 attacks on healthcare businesses like pharmaceutical manufacturers and billing companies. The average cost of a healthcare data breach reached $9.8 million in 2024, and ScienceSoft projects it will surpass $12 million by the end of 2026. This guide covers why healthcare cyberattacks are increasing, what makes hospitals and health systems uniquely vulnerable, the attacks that have done the most damage in 2024 and 2025, and what organizations can do to reduce their exposure.



Healthcare Cyberattacks by the Numbers

The data makes the severity of the problem clear:

  • 1,710 security incidents in healthcare in 2024, with 1,542 confirmed data disclosures, according to the 2025 Verizon DBIR. Healthcare ranked among the top three most breached industries.
  • 293 ransomware attacks on hospitals and direct care providers in the first nine months of 2025. Attacks on healthcare businesses (pharma, billing, health tech) rose 30% year-over-year.
  • 192.7 million individuals affected by the Change Healthcare breach alone, the largest healthcare cyberattack in history.
  • $9.8 million average cost of a healthcare data breach in 2024 (IBM), growing at twice the rate of other industries. ScienceSoft projects this will exceed $12 million by end of 2026.
  • $7.42 million average cost per breach reported by HIPAA Journal, making healthcare breaches the costliest of any industry.
  • $7 million average ransom demand in healthcare attacks. The highest recorded demand against a healthcare provider reached $100 million.
  • 33% increase in in-hospital mortality during ransomware incidents, according to a Halcyon/Health-ISAC study.
  • 60% of medical devices in active clinical use are end-of-life with no available security patches.
  • 80% of organizations that experienced a device-related cyberattack reported moderate or significant disruption to patient care.

These numbers are not stabilizing. HHS Office for Civil Rights data shows healthcare breaches have more than doubled since 2018, and the first months of 2026 are tracking ahead of the same period in 2025.


Why Healthcare Is the Primary Target

Healthcare cyberattacks keep increasing because the industry presents a combination of characteristics that attackers actively seek: high-value data, low tolerance for downtime, underfunded security, and a massive attack surface of connected devices.

The Data Is Extraordinarily Valuable

Healthcare organizations collect, store, and transmit the most complete picture of an individual’s identity available anywhere: names, Social Security numbers, dates of birth, insurance information, medical histories, prescription records, and financial data. A complete health record sells for significantly more on the dark web than a credit card number or Social Security number alone, because it enables identity theft, medical fraud, insurance fraud, tax fraud, and targeted phishing.

The volume of data is also enormous. Health systems, their business associates, and their vendor networks manage billions of records. The Change Healthcare breach exposed data on 192.7 million people from a single company.

Hospitals Cannot Afford Downtime

Healthcare organizations have among the lowest tolerance for system downtime of any industry. When IT systems go offline, clinical workflows break down: providers lose access to electronic health records, imaging systems, pharmacy systems, and laboratory results. Patients must be diverted to other facilities. Surgeries are postponed. Emergency departments operate on paper.

This pressure to restore operations quickly gives ransomware operators significant negotiating power. Attackers know that hospitals face a choice between paying the ransom and accepting days or weeks of degraded patient care. Research shows that 33% more patients die during ransomware incidents due to care disruptions, making the decision to pay a matter of patient safety, not just financial calculation.

Security Is Underfunded Relative to the Risk

Healthcare organizations allocate approximately 6% of their IT budgets to security, well below the average for financial services or technology companies. This gap persists despite healthcare being the most expensive industry to breach. Small and rural health systems face the worst of this mismatch: they manage the same categories of sensitive data as large health systems but with a fraction of the budget, staff, and tooling.

The SANS 2026 workforce analysis found that 27% of organizations experienced breaches directly attributable to cybersecurity skills gaps. Healthcare is among the industries most affected by this shortage.

The Attack Surface Is Large and Growing

A mid-size hospital may operate 10,000 to 50,000 connected devices across clinical, facilities, and IT functions. Over 7 million IoMT devices are projected to be deployed in smart hospitals by 2026. Each device represents a potential entry point. Most of these devices cannot run endpoint security software, accept patches on a regular cycle, or enforce modern authentication.

Forescout’s 2026 research identified medication dispensing systems, medical image printers, DICOM gateways, MRI scanners, and healthcare workstations as the riskiest IoMT devices. These devices run legacy operating systems, require constant connectivity, and are difficult to patch without disrupting clinical workflows. They are tightly integrated with electronic health records and billing systems, creating a wide attack surface that spans both clinical and administrative functions.

Third-Party and Supply Chain Exposure

Over 80% of stolen protected health information in 2024-2025 was not taken directly from hospitals. It was stolen from third-party vendors, software services, business associates, and non-hospital providers. The Change Healthcare attack disrupted roughly one-third of all U.S. health insurance transactions because the company processed payments for a massive portion of the healthcare system. The Ascension Healthcare attack in May 2024 and the London hospital cyberattacks in June 2024 both demonstrated how a single point of compromise can cascade across clinical operations.

Healthcare organizations depend on an extensive network of vendors for everything from electronic health records to medical device management to revenue cycle processing. Each vendor connection is a potential attack path.


The Biggest Healthcare Cyberattacks of 2024-2025

Change Healthcare (February 2024)

The ALPHV/BlackCat ransomware group breached Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately one-third of all U.S. health insurance transactions. The attack forced the company to disconnect over 100 systems, disrupting pharmacy services, delaying reimbursements, and creating a nationwide financial crisis for healthcare providers. The breach ultimately affected 192.7 million individuals. UnitedHealth Group CEO Andrew Witty confirmed that the initial intrusion occurred because multi-factor authentication had not been implemented on a critical remote access system.

Ascension Healthcare (May 2024)

One of the largest nonprofit hospital systems in the United States confirmed a ransomware attack that disrupted clinical operations across multiple facilities. The attack forced clinicians to revert to paper-based workflows, diverted emergency patients, and delayed care delivery. The incident highlighted the need for layered defenses, including network segmentation and anomalous behavior monitoring for connected medical devices.

London Hospital Cyberattacks (June 2024)

A cyberattack attributed to Russian threat actors targeted hospitals in London, disrupting pathology services and causing the postponement of surgeries and appointments. The attack demonstrated how compromise of a shared service provider can affect multiple hospitals simultaneously.

Frederick Health (January 2025)

A ransomware attack on Frederick Health in Maryland affected over 934,000 individuals. The attack caused temporary service disruptions, including ambulance diversions. Exposed data included patient names, addresses, Social Security numbers, and clinical information.

PIH Health (2025)

A ransomware attack on PIH Health prevented approximately 3 million patients from accessing healthcare services, making it one of the most disruptive healthcare cyberattacks of the year in terms of direct patient care impact.


Types of Healthcare Cyberattacks

Ransomware

Ransomware is the dominant threat to healthcare. Health-ISAC tracked 458 ransomware events in the healthcare sector in 2024. Comparitech recorded 293 attacks on direct care providers in the first nine months of 2025, with attacks on healthcare businesses rising 30%. Modern healthcare ransomware typically involves double extortion: encrypting systems to disrupt operations while simultaneously exfiltrating patient data for additional pressure.

ScienceSoft predicts that by the end of 2026, over 40% of U.S. health systems will have experienced a ransomware attack, and 60% of hospitals will experience disrupted care delivery as a result.

Phishing and Social Engineering

The 2025 Verizon DBIR found that 60% of breaches involve a human element. Healthcare’s high staff turnover, use of temporary workers, and demanding clinical schedules make phishing particularly effective. Exhausted staff working double shifts are more likely to click on a well-crafted phishing link. One compromised credential can provide an attacker with the foothold needed to move laterally through the network.

Third-Party and Supply Chain Attacks

Attackers increasingly target vendors, billing providers, and software services that connect to multiple healthcare organizations. A single compromise can cascade across dozens of hospitals. The MOVEit file transfer vulnerability in 2023 affected healthcare organizations through their third-party vendor relationships.

Medical Device Exploitation

Connected medical devices with known vulnerabilities, default credentials, or outdated firmware provide entry points into clinical networks. An attacker who compromises an infusion pump or imaging system on a flat network can potentially reach the electronic health record system or domain controller.


What Makes Hospitals Uniquely Vulnerable

Beyond the industry-level factors, individual hospitals face operational realities that compound their vulnerability to healthcare cyberattacks:

Thin operating margins. Hospital operating margins averaged 1.4% to 5.2% in 2023-2024. Cash reserves have declined 27.4% since January 2022. A single cyberattack can push a financially stressed hospital toward closure. According to Becker’s Hospital Review, 646 rural hospitals are currently at risk of closure. A major cyber incident at one of these facilities could eliminate access to critical care for an entire county.

Flat networks. Many hospitals still operate relatively flat network architectures where connected medical devices, clinical workstations, administrative systems, and guest Wi-Fi share network segments. This allows an attacker who compromises any device to move laterally with minimal resistance.

Legacy systems. Forescout found that 35% of devices in healthcare environments run legacy Windows systems, a share that increased after Windows 10 end-of-support. Many clinical applications still depend on outdated operating systems that no longer receive security updates.

Organizational silos. Clinical engineering (HTM) teams manage medical devices. IT manages the network. Security manages threat detection. These teams often use different tools, report to different leadership, and have limited visibility into each other’s domains. Effective healthcare cybersecurity requires collaboration across all three.


The Role of Connected Medical Devices

Connected medical devices, also known as the Internet of Medical Things (IoMT), are both a clinical advantage and a cybersecurity liability. A mid-size hospital may have 10,000 to 50,000 connected devices, many of which cannot run security agents, receive patches infrequently, and communicate over clinical protocols that standard IT monitoring tools do not understand.

The RunSafe Security 2026 Medical Device Cybersecurity Index found that 24% of healthcare facilities have experienced a cyberattack on a medical device, with 80% of those reporting moderate or significant patient care disruption. Research across 2.25 million IoMT devices found an average of 6.2 vulnerabilities per device, with 99% of hospitals managing at least one device with a known exploited vulnerability.

Securing these devices requires capabilities that traditional IT security tools do not provide: passive discovery that does not disrupt clinical equipment, protocol analysis that understands HL7, DICOM, and other clinical standards, vulnerability prioritization that accounts for patient safety implications, and segmentation that isolates devices without breaking clinical workflows.

Asimily provides these capabilities across IoMT, IoT, OT, and IT environments. The platform uses passive deep packet inspection to discover and classify connected medical devices without disrupting clinical operations. Vulnerability prioritization combines analysis from Asimily Labs with the MITRE ATT&CK framework for attack path analysis, determining which vulnerabilities are realistically exploitable given each device’s network context. Targeted segmentation groups devices by exploit vector, delivering risk reduction across thousands of devices in days rather than months.


How Healthcare Organizations Can Reduce Risk

  1. Inventory every connected device continuously. Automated, passive discovery should run continuously. Include devices managed by clinical engineering, facilities, vendors, and contractors. You cannot secure devices you do not know are on your network.

  2. Segment clinical networks. Medical devices should not share network segments with administrative systems, guest networks, or general-purpose IT. Apply targeted segmentation by device function and exploit vector for further risk reduction.

  3. Prioritize vulnerabilities by patient safety impact and exploitability. Raw CVSS scores do not account for network context or clinical function. Use contextual risk scoring that factors in network exposure, known exploits, device criticality, and compensating controls.

  4. Implement multi-factor authentication on every externally accessible system. The Change Healthcare breach occurred because MFA was not enabled on a critical remote access service. This single control could have prevented the largest healthcare cyberattack in history.

  5. Apply compensating controls for unpatchable devices. 60% of medical devices in active use are end-of-life. Segmentation, virtual patching, and configuration hardening reduce risk without requiring firmware changes.

  6. Monitor for anomalous device behavior. Baseline normal communication patterns for each device type and alert on deviations. Behavioral monitoring catches threats that signature-based tools miss, including compromised devices being used for lateral movement.

  7. Assess third-party and vendor risk actively. Evaluate vendor security practices, require SBOMs for medical devices, and monitor vendor connections for anomalous activity. Over 80% of healthcare PHI theft in 2024-2025 originated from third parties.

  8. Evaluate device security during procurement. The most cost-effective time to reduce device risk is before a device enters your environment. Asimily’s ProSecure database provides pre-purchase security profiles for medical devices, allowing procurement and security teams to make informed decisions.

  9. Build an incident response plan that includes IoMT. Your IR plan should cover healthcare-specific scenarios: quarantining a compromised device without disrupting patient care, communicating across IT, HTM, and clinical leadership, and managing the regulatory notification requirements.

  10. Cross-train HTM and cybersecurity teams. HTM teams understand medical devices and clinical workflows. Cybersecurity teams understand CVEs, MITRE ATT&CK, and network defense. Collaboration between these groups, particularly on inventory, vulnerability management, and incident response, builds a stronger defensive foundation.
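
The baseline-and-alert approach from step 6, combined with the segment boundaries from step 2, as an added example (not from the original article and not Asimily's implementation). It learns which destination segment and port pairs are normal for each device type and flags deviations, ranking flows that reach the EHR or identity segments highest; the flow records, segment labels, and device names are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    device_id: str
    device_type: str  # as classified by passive discovery (assumed input)
    dst_segment: str  # network segment label of the destination
    dst_port: int

# Assumed labels for the segments holding the EHR and the domain controllers.
HIGH_VALUE_SEGMENTS = {"ehr", "identity"}

def build_baseline(flows, min_devices=2):
    """Per device type, keep (segment, port) pairs used by at least
    min_devices distinct devices, so one odd device cannot define normal."""
    seen = defaultdict(set)  # (type, segment, port) -> device ids
    for f in flows:
        seen[(f.device_type, f.dst_segment, f.dst_port)].add(f.device_id)
    baseline = defaultdict(set)
    for (dtype, seg, port), devices in seen.items():
        if len(devices) >= min_devices:
            baseline[dtype].add((seg, port))
    return dict(baseline)

def find_deviations(flows, baseline):
    """One alert per (device, segment, port) outside its type's baseline."""
    alerts = {}
    for f in flows:
        if f.device_type not in baseline:
            reason = "device type has no baseline"  # inventory gap
        elif (f.dst_segment, f.dst_port) not in baseline[f.device_type]:
            reason = "destination not in type baseline"
        else:
            continue
        key = (f.device_id, f.dst_segment, f.dst_port)
        alert = alerts.setdefault(key, {
            "device": f.device_id, "segment": f.dst_segment,
            "port": f.dst_port, "reason": reason, "count": 0,
            "severity": "high" if f.dst_segment in HIGH_VALUE_SEGMENTS else "medium",
        })
        alert["count"] += 1
    # High severity first, then by device name for stable output.
    return sorted(alerts.values(), key=lambda a: (a["severity"] != "high", a["device"]))

# Constructed sample flows (not real traffic). 2575 = HL7 MLLP, 104 = DICOM.
TRAINING = [
    Flow("pump-01", "infusion-pump", "clinical-servers", 2575),
    Flow("pump-02", "infusion-pump", "clinical-servers", 2575),
    Flow("pump-01", "infusion-pump", "vendor-remote", 443),  # seen on one device only
    Flow("ct-01", "imaging", "pacs", 104),
    Flow("mr-01", "imaging", "pacs", 104),
]
OBSERVED = [
    Flow("pump-02", "infusion-pump", "clinical-servers", 2575),  # normal
    Flow("pump-03", "infusion-pump", "identity", 445),  # SMB to domain controllers
    Flow("pump-03", "infusion-pump", "identity", 445),
    Flow("ct-01", "imaging", "guest-wifi", 443),
    Flow("cam-07", "ip-camera", "ehr", 1433),  # type never baselined
]

if __name__ == "__main__":
    for alert in find_deviations(OBSERVED, build_baseline(TRAINING)):
        print(alert)
```

Requiring at least two devices per pattern keeps a single already-compromised device from writing its own traffic into the baseline during the learning window.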


Regulatory Pressure Is Increasing

The regulatory environment for healthcare cybersecurity is tightening from multiple directions:

HIPAA Security Rule 2026 Update. The updated rule tightens requirements for securing electronic protected health information, including more specific expectations for connected device security, access controls, and audit logging.

FDA Section 524B. Requires medical device manufacturers to implement cybersecurity throughout the product lifecycle, including SBOMs and vulnerability management plans. 84% of healthcare organizations now include cybersecurity requirements in vendor RFPs, with 56% having rejected a device due to cybersecurity concerns.

New York 10 NYCRR 405.46. The first state-level hospital cybersecurity mandate, requiring healthcare facilities to implement cybersecurity programs with specific provisions for connected device security.

Texas HHSC Directive (March 2026). Requires Texas healthcare facilities to review their connected medical device security posture, signaling expanding state-level regulatory expectations.

Cyber Insurance Tightening. Insurers are requiring demonstrated cybersecurity programs, including medical device security, as a condition of coverage. Organizations without documented controls face higher premiums, coverage exclusions, or denial.


Building a Defensible Healthcare Security Program

Healthcare cyberattacks are not going to decrease in 2026 or beyond. The data, the devices, and the operational constraints that make healthcare attractive to attackers are structural features of the industry. What healthcare organizations can control is how prepared they are.

A defensible healthcare security program starts with three foundations: complete visibility into every connected device on the network, contextual understanding of which vulnerabilities carry real risk to patient care, and network segmentation that limits what an attacker can reach if a device or system is compromised. Compliance, patching, incident response, and vendor risk management all build on these foundations.

Asimily provides the visibility, risk prioritization, and segmentation orchestration that healthcare delivery organizations need to manage their connected device attack surface. From pre-purchase risk assessment through operational monitoring and incident response, the platform addresses the full lifecycle of connected medical devices, the category of assets most directly tied to patient safety.
