While ransomware attacks are increasing across most industries, a new analysis by Comparitech reveals that the healthcare sector is experiencing a notably slower growth in such incidents during the first half of 2025. Instead, cybercriminals appear to be pivoting toward more lucrative or accessible targets—most notably, the retail sector.

Comparitech’s data shows that ransomware attacks on healthcare organizations rose by only 4% compared to the same period in 2024, reaching a total of 211 incidents. In contrast, ransomware activity surged by 50% across all sectors.

Among the most heavily targeted industries were technology and retail (both with 85% growth), legal services (71%), transportation (66%), manufacturing (64%), and government (60%). Interestingly, the utilities sector was the only one to see a decline, down 31%.

A Shift in Attacker Priorities

Rebecca Moody, Head of Data Research at Comparitech, attributes the slowdown in healthcare attacks to several factors. In addition to cybercriminals viewing retail as a softer or more profitable target, Moody points to increased security awareness within the healthcare sector following major incidents in 2024. Notable attacks on Change Healthcare in the US and Synnovis in the UK have likely prompted many healthcare organizations to harden their defenses.

Furthermore, attackers are increasingly targeting businesses connected to—but not directly providing—healthcare services. These include pharmaceutical firms and medical device manufacturers, whose breaches can have cascading effects on multiple providers. Moody cited the ransomware incident involving Episource in January 2025, where more than 5.4 million patient records were compromised via a single breach.

Despite the slower growth, Moody warns that the healthcare sector remains highly vulnerable. Groups like INC and Medusa have continued to launch successful attacks on hospitals and direct-care providers.

Ransom Demands Lower Than Other Industries

According to Comparitech’s July 17 report, the average ransom demand in healthcare for the first half of 2025 was $479,000—significantly lower than the $1.6 million average across other sectors. For confirmed cases, the average rose to $608,000.

No ransom payments were verified during this period, though 10 organizations publicly stated they refused to pay. The highest known demand came from the Medusa group, which asked UK-based HCRG Care Group for $2 million. Another major incident involved Crazy Hunter demanding $1.5 million from Taiwan’s MacKay Memorial Hospital.

Out of the 24 known ransom demands in H1 2025, more than half (13) were attributed to Medusa. Moody added that figures from major cases like those involving DaVita and Kettering Health are still pending, which could raise the overall average once released.

Over 2.3 Million Records Exposed in Confirmed Attacks

Of the 211 tracked incidents, 68 have been publicly confirmed. These breaches resulted in the exposure of more than 2.3 million healthcare records. The largest of these involved Frederick Health, where nearly one million patient records were compromised in January.

The group INC Ransom was the most active ransomware actor in the sector, claiming responsibility for 34 attacks—10 of which were confirmed. They were followed by Qilin (25 claimed, 10 confirmed), SafePay (14), RansomHub (13), and Medusa (13).

Qilin was linked to the highest volume of exposed records (over 555,000), followed by SafePay with 260,000.

The United States was by far the most affected country, accounting for 66% of the total attacks (139 incidents). Australia and the UK followed, with 10 and 7 attacks respectively.

Source: https://www.infosecurity-magazine.com/news/retail-target-healthcare/