Healthcare hit by ransomware every 10 hours, Securin says
Tue, 21st Apr 2026
Securin has published research on cyberattacks against healthcare organisations, finding the sector faced an attack about every 10 hours.
The report examined 592 incidents attributed to 94 ransomware groups between January 2025 and February 2026. More than half of the attacks targeted US-based organisations.
Ransomware accounted for 58.9% of the incidents in the dataset, making it the largest single attack type in the analysis. Healthcare organisations continue to face repeated disruption because criminal groups are exploiting weaknesses that are already known and, in many cases, fixable.
All ransomware attacks on healthcare in the last quarter of the study involved vulnerabilities listed in the US government's Known Exploited Vulnerabilities catalogue. The report identified 29 vulnerabilities under active exploitation and found that the most common route into healthcare systems was through authentication bypass and weaknesses in VPN and remote access systems.
VPN and remote service exploitation accounted for 32% of initial access. Compromised credentials or purchased access accounted for 28%, while phishing accounted for 18%.
The findings also point to a consistent pattern once attackers gain entry. Incidents commonly followed the same sequence: initial access, credential harvesting, lateral movement, data exfiltration and then encryption.
That sequence has become predictable enough for some groups to repeat it across multiple victims. The report named Qilin, Incransom and Cl0p among the groups that carried out scaled attacks by exploiting the same vulnerability across several organisations.
Known Weaknesses
A central conclusion of the report is that attackers are not relying on novel methods. Instead, they are repeatedly exploiting documented weaknesses long after patches or mitigations have become available.
"Ransomware in healthcare has become a repeatable business model," said Dr Srinivas Mukkamala, Chief Executive Officer of Securin. "Attackers are walking through doors that were left open - and getting paid for it. Once they're inside, the disruption is so severe that organisations are often forced into costly decisions, in many cases tied to issues that could have been addressed earlier."
The economics of that disruption are a recurring theme in the data. Healthcare organisations pay ransoms at a rate of 68% to 72%, compared with about 40% in other sectors.
That gap helps explain why hospitals and healthcare providers remain attractive targets. Medical records can sell for USD $250 to USD $1,000 each, while hospitals can lose USD $1 million to USD $2 million a day during operational disruption.
Those costs can outweigh the ransom demand in the short term, creating pressure to restore systems quickly. The report argues that this dynamic rewards attackers and encourages more campaigns against the sector.
Access Market
The research also highlighted the role of the criminal market for network access. In many cases, access to healthcare systems is bought for between USD $2,000 and USD $50,000, reducing the cost and effort required for a ransomware operation.
That relatively low entry cost means attackers do not need to discover new software flaws to launch damaging campaigns. They can buy stolen credentials, use already disclosed vulnerabilities or exploit exposed remote services to gain a foothold.
Authentication bypass was the most common entry point in the incidents reviewed. Attackers also continued to exploit the same weaknesses long after vendors and security agencies had published alerts.
The findings add to broader concerns in the healthcare sector about patch management, legacy systems and the operational constraints that can delay security updates. Hospitals often operate complex environments where taking systems offline for maintenance can affect patient care, making routine remediation more challenging than in other industries.
Even so, the study concludes that the main issue is not a lack of technical fixes. Instead, it frames the problem around incentives, downtime costs and the continued willingness of organisations to pay after an attack.
By Securin's account, healthcare remains one of the most dependable sectors for extortion because the consequences of service interruption are immediate and costly. Faced with that pressure, many organisations choose the fastest route to recovery, even when the entry point was a vulnerability already known to defenders.