Healthcare Under Siege: Report Reveals Escalating Cyber War on Patients

ORLANDO, Fla. – January 26, 2026 – The global healthcare sector is facing an unprecedented wave of sophisticated cyberattacks that are directly threatening operational continuity and patient care, according to a stark new report from Health-ISAC. The organization's 2026 Global Health Sector Threat Landscape Report, released today, paints a grim picture of a system under constant digital siege, with ransomware, third-party vulnerabilities, and novel social engineering tactics creating life-or-death business continuity crises.

The report tracked a staggering 455 ransomware incidents targeting health organizations worldwide in 2025 alone. The findings confirm that cybercriminals are no longer just stealing data; they are crippling the very infrastructure designed to save lives.

“The Health sector has become one of the most targeted sectors in the world, not because it’s the easiest, but because the consequences of disruption are so severe,” said Errol Weiss, Chief Security Officer at Health-ISAC, in a statement accompanying the release. “This report is a clear warning: cyber threats are no longer isolated events. They represent life-saving business continuity crises that can impact patient care, staff safety, and public trust.”

The Human Cost of Digital Sieges

The abstract threat of a data breach has materialized into tangible harm for patients and providers. The report's findings are vividly illustrated by a series of devastating attacks in 2025 that caused widespread disruption. In May, the Qilin ransomware group attacked Covenant Health, a system with hospitals across Maine, New Hampshire, and Massachusetts. The attack forced system shutdowns, leading to canceled appointments and significantly increased wait times in emergency rooms as staff reverted to paper records.

This was not an isolated incident. Michigan's McLaren Health Care suffered its second ransomware attack in two years, this time at the hands of the INC Ransom group. These events underscore a terrifying new reality where a cyberattack can be as disruptive as a natural disaster, grinding clinical operations to a halt. As one cybersecurity analyst noted, the industry has seen a shift from opportunistic attacks to highly coordinated operations, with threat actors treating healthcare as a “high-value supply chain” for disruption and profit.

“Cyber hygiene is as important as medical hygiene to help protect patients from harm,” a national advisor for hospital cybersecurity recently stated, emphasizing that the front lines of patient care now extend into the digital realm.

A Multi-Front War: Ransomware and Supply Chain Breaches

Ransomware remains the most damaging and persistent threat, with cybercriminal syndicates like Qilin, INC Ransom, and SAFEPAY relentlessly targeting healthcare entities. These groups operate with impunity, knowing the immense pressure on hospitals to restore services quickly makes them more likely to pay a ransom. According to industry data, ransomware attacks on healthcare businesses saw a 30% rise in the first nine months of 2025 compared to the previous year.

However, the Health-ISAC report emphasizes that the danger often comes from outside an organization's own walls. Adversaries are increasingly exploiting the weakest link: the sprawling network of third-party vendors and software suppliers that form the backbone of modern healthcare. Breaches at IT vendors like Episource, LLC, and Conduent Business Services in early 2025 exposed the sensitive data of 5.42 million and 10.5 million individuals, respectively. These supply chain attacks provide a force multiplier for criminals, allowing them to compromise dozens of healthcare providers by breaching a single, interconnected partner.

This systemic vulnerability means that even organizations with robust internal security remain exposed through a trusted partner, a widely used software platform, or a managed service provider. This reality forces a paradigm shift, requiring healthcare organizations to scrutinize the security posture of their entire ecosystem.

The Evolving Playbook of Deception

As technical defenses improve, attackers are doubling down on the most reliable vulnerability: human behavior. The report highlights the emergence of sophisticated deception-based attacks designed to bypass traditional security controls and employee training. One of the most prominent new tactics is “quishing,” or QR code phishing. Malicious QR codes are embedded in emails or even physical posters, tricking employees into scanning them with their phones, which then directs them to credential-stealing websites, effectively bypassing email security gateways.

Beyond quishing, the report warns of new social engineering techniques dubbed ClickFix and FileFix, which manipulate user psychology to trick them into executing malware. These tactics exploit a user's instinct to resolve a problem, presenting fake error messages or security alerts that prompt the user to click a link or open a file that unleashes the malicious payload. This evolution in social engineering challenges the effectiveness of standard security awareness programs, which may not prepare employees for such deceptive and contextually aware lures.

The Looming Shadow of AI

Looking ahead, the report reveals a deep and growing concern among healthcare leaders about the weaponization of artificial intelligence. In a survey of nearly 250 health executives and cybersecurity professionals, AI-enabled tactics were ranked as the number one concern heading into 2026. Experts warn that generative AI is already being used to craft hyper-realistic phishing emails, automate large-scale attacks, and even create counterfeit medical records or manipulate diagnostic images.

AI not only makes attacks more convincing and scalable but also more difficult to trace, as AI-enabled malware can be designed to leave a minimal forensic footprint. “Cybercriminals are increasingly weaponizing generative AI tools to target healthcare systems and sensitive patient data,” warned one security operations executive. This creates a challenging arms race, as defenders must also leverage AI to detect threats faster and more accurately, using it to shrink the “haystack” of data to find the malicious “needle.” The rapid adoption of AI by both attackers and defenders is expected to exacerbate existing cybersecurity and privacy gaps within the healthcare sector.

Fortifying the Front Lines

In response to this escalating threat landscape, regulators and industry bodies are intensifying efforts to bolster the sector's defenses. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is providing enhanced guidance and risk assessments for the Healthcare and Public Health (HPH) sector. Globally, the World Health Organization's European Region has launched a new framework to help nations and organizations assess and strengthen their cybersecurity maturity.

Furthermore, new regulations are holding medical device manufacturers to a higher standard. As of 2025, any “cyber device” submitted for FDA approval must include a comprehensive cybersecurity plan, including a software bill of materials (SBOM) and a strategy for providing patches and updates. This mandate aims to build security into medical devices from the ground up, rather than treating it as an afterthought.

For healthcare organizations, the path forward requires a multi-layered strategy focused on resilience. This includes establishing a strong security culture, implementing robust access controls, maintaining rigorous third-party risk management programs, and developing and testing incident response plans. With digital threats now inextricably linked to patient outcomes, building a secure and resilient healthcare ecosystem has become a critical mission for public health.