The healthcare sector continues to be a prime target for cyberattacks with an increase in incidents and breaches in 2024. System intrusion, which includes ransomware, is now the top cause of healthcare data breaches, according to Verizon's 2025 Data Breach Investigations Report (DBIR).
Ransomware attacks across all industries rose by 37% and are now present in 44% of breaches, despite a noticeable decrease in the median ransom amount paid, the report found.
"Healthcare continues to be a favorite target for this kind of attacker, and the urgent need for access to data in emergency situations only adds to the pressure healthcare organizations feel when their systems are all unavailable and they must resort to more old-school processes," the report authors wrote.
Overall, across industries, the median amount paid to ransomware groups decreased to $115,000 (from $150,000 the year before). Verizon researchers found that 64% of the victim organizations did not pay the ransoms, which was up from 50% two years ago. This could be partially responsible for the declining ransom amounts.
Ransomware is also disproportionately affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while small and medium-sized businesses experienced ransomware-related breaches to the tune of 88% overall.
The healthcare sector had 1,710 security incidents, 1,542 with confirmed data disclosures, between Nov. 1, 2023, and Oct. 31, 2024. That's up from 1,378 security incidents and 1,220 data breaches in the same period a year prior.
The 2024 time frame includes the massive cyberattack on Change Healthcare, which is owned by UnitedHealth Group and impacted an estimated 190 million individuals.
Feb. 21, 2024, Change Healthcare's systems were taken offline, and its parent company, Optum, disclosed the following day that a cybersecurity issue was behind the outage. UnitedHealth Group initially pinned the blame for the attack on a "nation-state" affiliated actor before acknowledging on Thursday that it was caused by BlackCat, a notorious cybercriminal gang also known as ALPHV or Noberus.
In fact, healthcare had the second-highest number of data breaches in 2024, just below the manufacturing sector with 1,607, according to Verizon's report.
Verizon's report analyzed more than 22,000 security incidents, including 12,195 confirmed data breaches, across multiple industries. Third-party involvement in breaches has doubled to 30%, highlighting the risks associated with supply chain and partner ecosystems, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally, the report said.
The 2025 DBIR also shed light on industry-specific trends, revealing an alarming rise in espionage-motivated attacks in the manufacturing and healthcare sectors. Espionage-motivated breaches now make up 17% of overall breaches across all industries.
"This rise was, in part, due to changes in our contributor makeup. Those breaches leveraged the exploitation of vulnerabilities as an initial access vector 70% of the time, showcasing the risk of running unpatched services. However, we also found that Espionage was not the only thing state-sponsored actors were interested in—approximately 28% of incidents involving those actors had a financial motive. There has been media speculation that this may be a case of the threat actors double-dipping to pad their compensation," the report authors wrote.
Within the healthcare sector, 90% of threat actors' motives were financial, according to the report, while espionage jumped from just 1% in 2023 to 16% last year.
"This may mean the industry is being targeted by a new kind of threat actor—one often not as easily detected as, say, that ransomware actor who leaves chaos in their wake. However, it may also be an indication of the changes to our data contributors over time," the report authors wrote.
The report findings also highlight the cyber risks of suppliers and partners for healthcare organizations.
"These third-party breaches impacted a huge number of organizations and patients and made headlines all year long. When we look at notable publicly disclosed data breach incidents that affected healthcare this year, the partner angle is right out in front. Attackers clearly don’t have any ethical qualms about deploying their tools against not only healthcare providers but also the companies they rely upon to get their jobs done," the report authors wrote.
Those notable breach cases affected radiology service providers, pharmaceutical firms, IT providers, medical transportation firms and pharmacies. "These high-profile partner breaches have caught some organizations flat-footed as the downstream victims. Whether it is the data of their patients that are compromised or the access to their systems (or both), organizations need to include “what happens if this partner is attacked” in their planning scenarios," the report authors wrote.
Verizon Business's 2025 DBIR serves as a wake-up call for businesses to take immediate action to strengthen their cybersecurity posture and mitigate the risks posed by evolving cyber threats.
"The DBIR's findings underscore the importance of a multi-layered defense strategy," said Chris Novak, vice president, global cybersecurity solutions, Verizon Business, in a statement. "Businesses need to invest in robust security measures, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training for employees."
There have been notable healthcare data breaches just in the past few months. Yale New Haven Health, based in Connecticut, recently disclosed a data breach impacting the personal information of millions of patients.
March 8, the health system identified unusual activity affecting its IT systems, and an investigation determined that an unauthorized third party gained access to the network and obtained copies of certain data. Those threat actors accessed sensitive patient information including names, Social Security numbers, dates of birth and medical record numbers, the health system said in a data breach notice.
The health system data breach impacted an estimated 5.5 million patients, according to a submission on the Department of Health and Human Services' Office for Civil Rights' breach portal.
April 14, kidney dialysis company DaVita reported it had been the victim of a ransomware incident affecting and encrypting certain on-premises systems. The company said it is working to assess whether any patient protected health information or employee personal data were involved in the incident and any resulting notice obligations.
Comparitech reported that ransomware gang Interlock claimed responsibility for the attack on DaVita and alleges it stole 1.5 TB of data, which includes 683,104 files and 75,836 folders.
Blue Shield of California recently disclosed that it shared members' private health information with Google for nearly three years. The data leak potentially impacts the protected health information of 4.7 million people.
Data breaches also take a huge legal and financial toll on companies. Poor cybersecurity is costing U.S. organizations millions of dollars in fines, settlement costs and individual payouts, according to a new report from Panaseer, an enterprise cybersecurity automation and data analytics company.
Panaseer examined all data breach class action filings from ClassActions.org and settlements from Top Class Actions between August 2024 and February 2025. During this period, 43 lawsuits were filed, and 73 settlements were reached. U.S. organizations have paid a total of $154,557,500 in class-action lawsuits related to data breaches over the last six months. Settlements averaged around $3 million, with the largest reaching $21 million. Individual payouts to affected employees or customers ranged from $150 to $12,000, holding companies financially accountable for exposing sensitive data, the report found.
The analysis found that healthcare (32.7%), finance (13.2%) and retail (5.3%) were hit the hardest, facing the most lawsuits and the highest fines.
The most common violations leading to legal action were inadequate cybersecurity measures (50% of filings, 97% of settlements), failure to encrypt data (40% of filings, 1% of settlements) and delayed breach notifications (10% of filings, 3% of settlements), the Panaseer report found.