Comparitech assesses that healthcare ransomware is declining in volume but escalating in impact, marking strategic shift

Healthcare organizations recorded 120 ransomware attacks in the first quarter of this year, marking a 14% decline compared with the fourth quarter of last year, according to data published by Comparitech. Of those incidents, 22 were confirmed attacks and 98 remained unconfirmed, underscoring the gap between public disclosures and claimed breaches by ransomware groups. The figures suggest a modest easing in activity at the headline level, even as healthcare remains a consistent target for cybercriminal operations across both direct care providers and related entities.

Despite the quarterly decline in volume, financial pressure from ransomware escalated sharply. The average ransom demand across healthcare incidents surged to $16.9 million in the first quarter of this year, up from $577,800 in the previous quarter, highlighting a widening gap between attack frequency and extortion intensity. The largest recorded demand reached $100 million, attributed to the NetRunner group in an attack targeting Nippon Medical School Musashi Kosugi Hospital in Japan, although the payment was not made. The same incident also stood out for its impact, with the hospital recording the largest breach of the quarter, affecting 131,700 individuals.

Rebecca Moody, Comparitech’s head of data research, highlighted how this sector remains one of the most dominant targets for hackers. “For the last two quarters, attacks have been consistently high with hackers focusing on healthcare providers and businesses operating within the healthcare industry. This means healthcare providers not only have to safeguard their own systems from attacks but also need to ensure the third parties they’re using are reaching the same standards.”

As the most dominant strain for many months now, Qilin’s attack figures far exceed those of other groups, Moody mentioned. “But this isn’t the case when it comes to healthcare businesses. It claimed just three attacks in three months here, despite claiming 550 victims in total across Q1 of 2026. In contrast, it claimed 23 attacks on healthcare companies. LockBit and The Gentlemen are other key threats to healthcare providers, while INC appears to focus more on healthcare businesses (claiming eight attacks here compared to five on healthcare providers).”

She added that the focus on certain sectors by certain groups could be due to the success of certain campaigns within a particular industry, or an attempt to infiltrate a sector that isn’t as saturated/high profile when it comes to ransomware. “For example, over the last year or so, we have noted a shift toward healthcare businesses. This could be due to how heavily targeted healthcare providers were in previous years. So, while some groups are still ‘enjoying’ success in this sector, others have found a lucrative opening within companies that still deal with critical healthcare systems/services and/or store key healthcare data but don’t necessarily deal directly with patients.”

During this quarter, healthcare providers experienced a total of 120 ransomware attacks, comprising 26 confirmed incidents and 94 unconfirmed claims. Across the confirmed attacks, approximately 237,747 records are known to have been breached, highlighting the continued exposure of sensitive patient and operational data within the sector.

The median ransom demand stood at $300,000, reflecting ongoing extortion pressure despite variations in attack confirmation. The most active ransomware strains targeting healthcare organizations included Qilin with 23 claims, The Gentlemen with 10, Insomnia and LockBit with nine each, and Sinobi with seven. In terms of confirmed incidents, Qilin led with four attacks, followed by The Gentlemen and LockBit with three each, while Sinobi and NetRunner accounted for two confirmed cases apiece. Overall, attackers also allegedly exfiltrated around 13 TB of data, underscoring the scale of data theft associated with these campaigns.

Healthcare businesses during the quarter were targeted in a total of 81 ransomware attacks, including five confirmed incidents and 76 unconfirmed claims. No reliable figures were available for the number of records breached or the average ransom demands associated with these attacks.

The most frequently reported ransomware strains impacting healthcare businesses included INC and NightSpire, each with eight claims, followed by Genesis with six claims. Akira, Clop, LockBit, and The Gentlemen were also active, with five claims each. In terms of confirmed activity, INC, DragonForce, Payouts King, and XP95 each recorded at least one confirmed attack. Overall, threat actors allegedly exfiltrated around 29 TB of data, underscoring the scale of data theft tied to these incidents.

During the quarter, a total of 120 ransomware attacks were recorded against global healthcare providers, of which 26 were confirmed incidents. These confirmed cases highlight continued targeting of hospitals, clinics, and specialist care providers across multiple regions, with a concentration of activity in the U.S. and Europe.

Eight of the confirmed attacks occurred in the U.S. and included several healthcare organizations impacted by different ransomware groups. Mt. Spokane Pediatrics was attacked in January 2026 by LockBit, while Pecan Tree Dental was compromised in the same month by Sinobi, affecting 13,300 people. Rocky Mountain Care was hit by Qilin in January 2026, and Elmwood Healthcare also fell victim to LockBit. In February 2026, Lymphedema Therapy Specialists, Inc. was attacked by INC, with 378 individuals in Texas confirmed to have been affected. In March 2026, Aroostook Mental Health Services, Inc. was targeted by Qilin in an incident where no ransom was paid. Bayside Dental was also attacked by Sinobi in January 2026.

In addition to the US incidents, three attacks were confirmed in Germany. Two of these were attributed to Qilin and involved RENAFAN GmbH and Suchthilfe direkt Essen gGmbH, while a third attack on Leinerstift e.V. had not been claimed by any ransomware group at the time of reporting. Overall, Qilin was responsible for the highest number of confirmed attacks on healthcare providers, with four incidents spanning both the US and Germany.

LockBit and The Gentlemen each accounted for three confirmed attacks. LockBit’s incidents included Consorzio Selenia soc. coop. in Italy, as well as the two US organizations mentioned earlier. The Gentlemen targeted Unimed Anápolis in Brazil, IntraCare in New Zealand, and the Hospital Caribbean Medical Center in Puerto Rico, reflecting the global reach of its operations during the quarter.

From January to March 2026, Comparitech researchers logged a total of 81 ransomware attacks against healthcare businesses, of which five were confirmed incidents.

Two confirmed attacks each occurred in the U.S. and India. In the U.S., Metro Pet Vet, a veterinary practice, was targeted by unknown hackers in January 2026, while UFP Technologies was hit in February 2026 by the Payouts King ransomware group. In India, Glenmark Pharmaceuticals suffered a confirmed attack in February 2026 attributed to INC, with approximately 1.8 TB of data stolen. Kopran Ltd was also targeted in February 2026 by DragonForce, which resulted in nearly 284 GB of data being exfiltrated.

The remaining confirmed incident involved Healthdaq in Ireland, which was also impacted during the same period, rounding out the five confirmed healthcare business attacks recorded in the quarter.

Qilin emerged as the most dominant ransomware strain targeting healthcare providers in the first quarter of 2026, accounting for 23 attacks in total. The Gentlemen followed with 10 attacks, making it the second most active group in this segment.

By contrast, INC and NightSpire were the most prolific ransomware strains targeting healthcare businesses, with eight attacks each. Although Qilin led overall activity across healthcare-related sectors, it was responsible for only three attacks against healthcare businesses during the quarter. This suggests that while Qilin remains highly active in the broader healthcare threat landscape, its focus appears to be weighted more heavily toward healthcare providers than toward commercial healthcare businesses.

Overall, ransomware groups claimed to have stolen more than twice as much data from healthcare businesses, totaling 29 TB, compared with 13 TB from healthcare providers, despite providers experiencing a higher volume of attacks at 120 incidents versus 81. 

Across the provider segment alone, just over 13 TB of data was confirmed or claimed stolen, with Beast accounting for the largest single share at 2 TB across three attacks.

Among healthcare businesses, ransomware groups collectively claimed over 29 TB of stolen data across 81 attacks. Metaencryptor alone claimed responsibility for 14 TB in a single attack on a German pharmaceutical manufacturer, although this figure remains unverified.

 
