
Health-ISAC Data Shows Healthcare Under Sustained, Escalating Siege in 2025

Ransomware events surged 55% in 2025, supply chain attacks widened the blast radius, and nation-state actors showed up. New data from Health-ISAC shows why the health sector's security problem continues to grow.

The Health-ISAC's (Health Information Sharing and Analysis Center's) newly released 2025 Annual Report, coupled with its 2026 Global Health Sector Cyber Threat Landscape report, paints an industry under pressure from ransomware attacks, nation-state actors, and a supply chain attack surface that continues to widen faster than most organizations can manage.

First up? Ransomware: Health-ISAC tracked 455 ransomware events across the health sector in 2025 as part of the broader 55% surge in total cyber incidents compared to the year prior. That's the bad news. Now the good news: raw breach impact as measured by records exposed fell sharply in 2025. However, it may be premature to pop the champagne bottles just yet. That drop is largely due to 2024's numbers being dramatically inflated by the Change Healthcare mega-breach.

The five most active ransomware groups, as identified in the Health-ISAC 2026 Global Health Sector Cyber Threat Landscape report, are Qilin, INC Ransomware, SAFEPAY, Sinobi, and WorldLeaks, collectively accounting for nearly half of all recorded health-sector ransomware victims.

Qilin's trajectory is revealing. The Russian-speaking ransomware-as-a-service group went from 23 health-sector victims in 2024 to 77 in 2025 — a 235% year-over-year increase. INC Ransomware, which held the second-most-disruptive ranking in both years, grew its victim count by 11%. SAFEPAY is the wildcard: first observed in September 2024 with just three health-sector victims, the group posted 23 attacks in 2025, a more-than-sixfold increase that should put defenders on notice heading into 2026.

Two newer groups made their mark. Sinobi, first observed in Q3 2025, amassed 21 victims in just two fiscal quarters and shows no sign of slowing. WorldLeaks, suspected to be a rebrand of the Hunters International group, has pivoted to a single-extortion model focused on data theft rather than encryption — a tactic that sidesteps many recovery playbooks entirely. Sophos's State of Ransomware in Healthcare 2025, based on 292 healthcare IT and security leaders, found the proportion of healthcare providers hit by extortion-only attacks tripled to 12% in 2025, up from just 4% in 2022, confirming that WorldLeaks is not an outlier but part of a broader strategic shift among ransomware operators.

There is more good news: LockBit is noticeably absent. The group that dominated the health sector in 2022, 2023, and 2024 registered zero confirmed incidents in 2025 — likely a result of coordinated law enforcement action in early 2024. Sophos also found about 36% of healthcare providers paid a ransom in 2025, down from 61% in 2022. Industry-wide, just 23% of ransomware victims across all sectors paid in Q3 2025 — a record low.

The continued, deliberate pivot by threat actors toward supply chain exploitation defined 2025. The Cl0p group's exploitation of vulnerabilities in Cleo Managed File Transfer software tells the tale: by compromising a single, widely deployed vendor platform, Cl0p was able to wrap hundreds of victim organizations into a single mass-extortion campaign. The Episource breach — a ransomware-driven intrusion between January and February 2025 — exposed data from over 5.4 million individuals through a single risk-adjustment services vendor.

The Verizon 2025 Data Breach Investigations Report, drawing on 22,052 incidents and 12,195 confirmed breaches — the largest dataset in the report's history — found third-party involvement in breaches doubled year-over-year. That independently corroborates Health-ISAC's characterization of vendor compromise as the defining tactical pattern of 2025.

Nation-States, Geopolitical Spillover, and Physical Threats

North Korea's remote IT worker campaign, designed to generate revenue for Pyongyang's weapons programs, was — by member accounts — an ongoing problem for nearly every organization in the Health-ISAC community throughout 2025. The campaign expanded beyond the U.S. and grew in scope, according to research from Okta. Multiple organizations reported fraudulent remote workers on their payrolls.

The Israel-Iran war in June 2025 — Israel's Operation Rising Lion — immediately generated hacktivist spillover against health-sector targets. Groups including the Killnet Collective and pro-Iran outfit Cyber Islamic Resistance launched DDoS and destructive attacks against Israeli health organizations. Some attackers deployed one-way ransomware — malware designed not to decrypt, but to destroy — against Israeli critical infrastructure.

The Chinese government's fingerprints appeared on the Microsoft SharePoint ToolShell vulnerability (CVE-2025-53770), which carried a CVSS score of 9.8 and was being actively exploited as a zero-day at the time of disclosure. Microsoft attributed active exploitation to China-linked groups including Linen Typhoon, Violet Typhoon, and a third group it designates Storm-2603.

Looking Forward

Health-ISAC's member survey of nearly 250 executives and cybersecurity professionals, conducted in November 2025, found that while ransomware topped the list of 2025 concerns, AI-enabled attacks moved to the number one concern for 2026, displacing ransomware to second place. CrowdStrike documented a 442% surge in phishing attacks powered by AI between the first and second halves of 2024, suggesting that AI capability is already being deployed at scale against healthcare.

The CrowdStrike faulty update from July 2024 continues to cast a shadow over resilience planning: 69% of survey respondents reported their organization was affected, 80% said electronic health records were impacted, and 64% experienced disruptions lasting more than one day. Despite those numbers, only 60% expressed confidence in their ability to withstand a similar event today.

The growing gap between the threat environment and organizational readiness remains the defining challenge heading into 2026. Attack and threat volume is up, the tactics are targeted, and adversaries certainly aren't going to wait around for the health sector to close that gap.
