Ransomware in Healthcare: Spillover Effects on Surrounding Hospitals
Summary
Ransomware attacks on healthcare organizations continue to cause significant disruption beyond targeted institutions, affecting surrounding hospitals and entities through diverted ambulances, increased patient volume, and delayed treatments. These spillover effects are particularly severe in rural communities, where delayed care can lead to long-term health effects and fatal outcomes. The healthcare sector faces persistent ransomware threats, with Health-ISAC tracking nearly 6,000 events in critical infrastructure organizations in 2024, including 446 in healthcare, followed by 4,159 cases across all sectors in the first half of 2025. Recent data reveals that medical devices are increasingly targeted, with one-quarter of healthcare organizations reporting cyber-attacks impacting these devices in the past year. These attacks have moderate to severe impacts on patient care, ranging from delayed imaging to interruptions in critical care delivery. Legacy device vulnerabilities, recent high-profile incidents involving Medtronic and Stryker, and the rise of AI-enabled medical systems introduce additional cybersecurity challenges, underscoring the need for robust security measures and improved procurement practices.
Timeline
- 27.08.2025 00:00 · 2 articles · 8mo ago
Health-ISAC reports nearly 6,000 ransomware events in 2024, with 446 in healthcare
Health-ISAC tracked nearly 6,000 ransomware events across critical infrastructure organizations in 2024. Of these, 446 were specifically in healthcare. In the first half of 2025, 4,159 cases were recorded across all sectors, indicating a persistent and growing threat. The report emphasizes the need for robust cybersecurity measures, including multifactor authentication (MFA) and basic cyber hygiene, to mitigate these risks. The healthcare sector faces unique challenges due to the presence of legacy systems, resource constraints, and the critical nature of patient care operations. Ransomware attacks can block access to essential systems, preventing patients from receiving vital care. The spillover effects of such attacks can lead to overcapacity at surrounding hospitals, delayed treatments, and increased strain on healthcare resources. New findings reveal that medical devices are increasingly targeted, with one-quarter of healthcare organizations experiencing cyber-attacks impacting these devices in the past year. These attacks cause moderate to significant disruptions to patient care, ranging from delayed imaging to interruptions in critical care delivery. Legacy device vulnerabilities persist, with 44% of organizations using devices with known unpatched vulnerabilities and 28% operating devices past end-of-support. Recent high-profile incidents include Medtronic suffering a data breach after ShinyHunters listed the firm on its leak site in mid-April, exfiltrating over nine million records, and Stryker being impacted by the Iranian-sponsored Handala group in March, which wiped tens of thousands of corporate devices.
Sources:
- When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
Information Snippets
- Ransomware attacks on healthcare organizations cause significant disruption beyond the targeted institution, affecting surrounding hospitals and entities.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- The impact of ransomware attacks is particularly severe in rural communities, where delayed treatments can lead to long-term health effects.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- Healthcare organizations must prioritize cybersecurity measures, including multifactor authentication (MFA) and basic cyber hygiene, to mitigate these risks.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- The healthcare sector faces unique challenges due to the presence of legacy systems, resource constraints, and the critical nature of patient care operations.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- Ransomware attacks can block access to essential systems, preventing patients from receiving vital care.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- The spillover effects of ransomware attacks can lead to overcapacity at surrounding hospitals, delayed treatments, and increased strain on healthcare resources.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- Health-ISAC tracked nearly 6,000 ransomware events across critical infrastructure organizations in 2024, with 446 specifically in healthcare.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- In the first half of 2025, 4,159 ransomware cases were recorded across all sectors, indicating a persistent and growing threat.
  First reported: 27.08.2025 00:00 · 1 source, 1 article
  - When One Hospital Gets Ransomware, Others Feel the Pain — www.darkreading.com — 27.08.2025 00:00
- One-in-four healthcare organizations experienced cyber-attacks impacting medical devices in the past year, causing moderate to significant disruption to patient care.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
- 80% of attacks affecting medical devices had a ‘moderate’ or ‘significant’ impact on patients, ranging from delayed imaging to interruptions in critical care delivery.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
- 44% of healthcare organizations use devices with known, unpatched vulnerabilities, and 28% operate devices past end-of-support.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
- Medtronic suffered a data security incident after ShinyHunters listed the firm on its leak site in mid-April, with threat actors claiming to have exfiltrated over nine million records.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
- Stryker was impacted by the Iranian-sponsored Handala group in March, which wiped tens of thousands of corporate devices after accessing an Intune admin account.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
- 57% of healthcare organizations have adopted AI-enabled or AI-assisted medical systems, with 80% expressing moderate to high concern about associated cybersecurity risks.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
- 56% of organizations rejected medical devices at procurement due to cybersecurity concerns, up from 46% the previous year.
  First reported: 29.04.2026 13:05 · 1 source, 1 article
  - A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks — www.infosecurity-magazine.com — 29.04.2026 13:05
Similar Happenings
Ransomware attack disrupts University of Mississippi Medical Center operations
The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.
Shift to Stealthy, Long-Term Access in Cyberattacks
Picus Labs' Red Report 2026 reveals a strategic shift in cyberattacks from disruptive ransomware to stealthy, long-term access. Analyzing 1.1 million malicious files and 15.5 million adversarial actions, the report highlights a decline in ransomware encryption and an increase in techniques focused on evasion, persistence, and credential theft. Attackers now prioritize remaining undetected, exploiting identities and trusted infrastructure for extended periods. The report underscores the rise of 'Digital Parasites'—malware that operates quietly, avoids detection, and maintains access without causing immediate disruption. This shift signifies a change in attacker success metrics, from immediate impact to prolonged dwell time. Credential theft, process injection, and evasion techniques are now dominant, with 80% of top ATT&CK techniques favoring stealth. The report also notes the limited impact of AI in malware, emphasizing that attackers are winning through stealth and patience rather than advanced AI techniques.
Ransomware Payouts Surge to $3.6m Amid Evolving Tactics
The average ransomware payment has increased to $3.6 million in 2025, up from $2.5 million in 2024. This 44% surge comes despite a decline in the overall number of attacks, indicating a shift towards more targeted and higher-stakes operations. The 2025 Global Threat Landscape Report from ExtraHop highlights that cybercriminals are adopting more disciplined strategies, focusing on fewer but more impactful attacks. Organizations in critical sectors, such as healthcare, government, and finance, are experiencing the most significant financial burdens, with average payouts reaching nearly $7.5 million in some cases. The report also identifies public cloud infrastructure, third-party integrations, and generative AI applications as the top sources of cybersecurity risk, complicating defense efforts.
Phishing and vulnerability exploitation dominate EU intrusions
Phishing and vulnerability exploitation were the primary methods of initial access in cyber-attacks against EU organizations over the past year. ENISA's Threat Landscape 2025 report analyzed 4875 incidents from July 1, 2024, to June 30, 2025. Phishing accounted for 60% of intrusions, followed by vulnerability exploitation at 21%. Outdated mobile devices and operational technology (OT) systems were identified as high-value targets. AI-powered phishing represented over 80% of social engineering activity worldwide by early 2025. The report also highlighted the growth of attacks targeting critical dependency points in the digital supply chain. DDoS attacks were the most frequent, accounting for 77% of reported incidents, with hacktivists being the dominant threat actor type.
Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet
The Qilin ransomware group has confirmed the theft of nearly 1TB of data from Conpet S.A., Romania’s national oil pipeline operator, following a cyberattack on February 5, 2026. While the company’s operational technologies (SCADA and telecommunications) remained unaffected, the breach compromised corporate IT systems, exposing internal documents—including financial records and passport scans—some dated as recently as November 2025. Conpet has warned of potential fraud risks stemming from the stolen data and is working with Romania’s National Cyber Security Directorate (DNSC) to investigate the incident. This attack is part of Qilin’s broader 2025–2026 campaign, which has targeted high-profile victims across 62 countries, including Asahi Group (Japan), Mecklenburg County Public Schools (U.S.), Creative Box Inc. (Nissan subsidiary), and Synnovis (UK pathology provider). The group employs hybrid tactics, such as abusing Windows Subsystem for Linux (WSL) to deploy Linux encryptors on Windows systems, BYOVD (Bring Your Own Vulnerable Driver) exploits, and supply-chain compromises via Managed Service Providers (MSPs). Qilin’s double-extortion model—combining encryption with data leaks—has disrupted critical infrastructure, manufacturing, and financial sectors, with over 700 confirmed victims in 2025 alone. Recent developments include politically charged leaks in South Korea and collaborations with affiliates like Scattered Spider, underscoring the group’s evolving threat to global cybersecurity.