Ransomware attacks targeting the healthcare industry have grown at a far slower rate than most other sectors in the first half of 2025, according to a new analysis by Comparitech.
This comes as other sectors like retail are increasingly being viewed as an easier/more lucrative target, resulting in some threat actors shifting focus, according to Rebecca Moody, head of data research at Comparitech.
The consumer awareness firm tracked 211 ransomware attacks on healthcare organizations in H1 2025, which is a 4% year-on-year increase when compared to H1 2024.
This compares to an average 50% rise in ransomware attacks across all industries over the same period.
Particularly heavily targeted sectors included technology (85%), retail (85%), legal (71%), transportation (66%), manufacturing (64%) and government (60%). The only industry to see a decline was utilities (-31%).
Read now: Retail Ransomware Attacks Jump 58% Globally in Q2 2025
Why Healthcare May be Seeing a Lower Rate of Attacks
Moody told Infosecurity that as well as greater attacker interest in the retail sector there are a range of other factors for healthcare seeing a lower influx of attacks.
She noted that high-profile attacks impacting healthcare services in 2024, such as the incidents impacting US healthcare payments provider Change Healthcare and UK NHS pathology supplier Synnovis, may have resulted in better cyber awareness and improved security systems across the sector.
Moody also noted that there has been a trend of attackers focusing on businesses that operate in the healthcare sector but don’t provide direct care, such as medical device manufacturers and pharmaceutical companies. This enables them to attack a large number of healthcare providers via a single attack.
“As these companies often deal with a large number of healthcare providers, they have access to huge databases of data. So, by focusing on companies like this, hackers can target multiple organizations and their data in one go. We saw this recently with Episource, in which over 5.4 million people had their data breached following a ransomware attack in January 2025.”
However, Moody cautioned that healthcare remains a key target for attackers, with numerous damaging incidents recorded so far in 2025.
“As this report has found, some hackers are still focusing on (and having a lot of success with) hospitals and other direct-care providers, e.g., INC and Medusa. In these cases, attacks on healthcare are likely to continue at the same rate,” she noted.
Healthcare Faces Lower Than Average Ransom Demands
The report, published on July 17, found that the average ransom demand faced by healthcare firms was $479,000 in H1, across all attacks.
The average across confirmed attacks was higher at $608,000.
This compares to an average ransom demand of over $1.6m across all other industries.
There were not any confirmed ransom payments during this reporting period, but 10 entities confirmed they had not met hackers’ demands.
The biggest healthcare ransom demand tracked by Comparitech in H1 was issued by the Medusa gang to UK independent care group HCRG Care Group in February at $2m.
This was followed by a ransomware attack by the group Crazy Hunter on MacKay Memorial Hospital in Taiwan, resulting in a $1.5m demand being issued.
Comparitech acknowledged that only a few ransomware gangs release their ransom demands with the data, so many are unknown until further down the line, if this information is released at all.
Of the 24 known figures for H1 2025, 13 are from Medusa.
“We don't yet have figures for some of the biggest attacks to date (e.g., DaVita, Frederick Health and Kettering Health). If and when these come through, I'd expect the average to increase,” Moody said.
2.3 Million Healthcare Records Known to be Breached
Of the 211 healthcare ransomware attacks tracked from January-June 2025, 68 have been publicly confirmed by victims.
Comparitech found that more than 2.3 million records from healthcare organizations were breached in the confirmed attacks.
The biggest ransomware-related breach in the period affected Frederic Health in January 2025, resulting in just under one million patient records being breached.
The ransomware actor which claimed the highest number of attacks on healthcare in H1 was INC Ransom, at 34 claims, 10 of which have been confirmed by the victims. This made up 26% of its total claims for the period.
The next most prominent actor targeting healthcare was Qilin, with 25 claimed attacks, 10 of which have been confirmed. These actors were followed by SafePay (14 claimed attacks), RansomHub (13 claimed attacks) and Medusa (13 claimed attacks).
Qilin accounted for the most confirmed breached records, at over 555,000, followed by SafePay with 260,000 records.
Around two-thirds (66%) of all tracked healthcare ransomware attacks targeted US-based companies, at 139.
Australia was the second most impacted country, with 10 incidents, followed by the UK with seven.