
A new report has highlighted a sector under sustained attack, but with a notable shift in attacker behavior. France is also revealed as the nation with the biggest uptick in attacks on its health service.
Comparitech’s 2025 Healthcare Ransomware report shows that while attacks on healthcare businesses and providers appeared frequently over the last couple of years, in 2025, healthcare provider ransom demands averaged $615,000, and healthcare business demands averaged $584,700.
This is significantly lower than the $3.9 million average recorded in 2024.
According to the report’s author, head of data research Rebecca Moody, this 84% drop in average demands year-on-year suggests ransomware groups may be prioritizing speed and volume over large individual payouts.
“The increased speed and volume of attacks, as threat actors turn to the likes of AI and ransomware-as-a-service to scale their operations, perhaps goes some way to explaining why we’ve seen such a reduction in the average ransom amount. Larger volumes = lower ransoms.”
Rebecca Moody, head of data research, Comparitech
“Equally, by issuing these lower demands, hackers are likely increasing their chances of securing a ransomware payment,” she added.
16.5m healthcare records breached in 2025
Despite lower ransom demands, data exposure remained severe. Across confirmed attacks on healthcare providers, more than 10 million patient records were breached in 2025.
Meanwhile, healthcare businesses experienced 191 attacks, an increase of 25% from 2024 (153).
Of these, only 40 attacks were confirmed, with 151 unconfirmed. Yet, the confirmed incidents still accounted for 6.5 million breached records – showing that even limited reporting can mask substantial impact.
In terms of criminal gangs, the most common ransomware strains targeting healthcare providers were Qilin (66), INC (45), SafePay (29), Sinobi (24), and Medusa (18).
France sustained spike in cyberattacks on health service
France showed one of the most notable shifts in 2025, recording ten healthcare provider ransomware attacks, up from four in 2024, a 150% increase, making it one of the fastest-growing hotspots in the dataset.
While France did not match the US in overall volume (and US laws make reporting data breaches mandatory when they meet certain thresholds), the sharp rise suggests that attackers increasingly view French healthcare as a high-value target, particularly because ransomware can disrupt clinical services.
France also featured among the largest ransom demands, including the EHPAD Résidence du Parc case in December 2025, where unknown hackers reportedly issued a $5 million demand, highlighting that high-pressure, high-impact attacks remain a serious threat despite falling averages.
The US remained the dominant ransomware target in 2025, with 292 healthcare provider attacks, far ahead of every other country recorded. The scale of US incidents was reinforced by some of the year’s biggest breaches, including Episource (5.4M affected), DaVita (2.7M), and SimonMed Imaging (1.3M), showing how attacks on large providers or healthcare technology firms can result in mass exposure of records.
Finally, the report noted that of the ten most significant ransomware attacks last year, most occurred in the first half of 2025, highlighting the time lag between attacks and breaches being reported.
Earlier research by the pro-consumer data cruncher found that US healthcare companies take an average of 3.7 months to disclose breaches after a ransomware attack.