A new report from cybersecurity company Sophos shows that extortion cases in the healthcare sector continue to grow, with the share of providers whose data was stolen but not encrypted tripling since 2023. This rate is the highest among all industries covered in the study.
“Healthcare continues to face steady and persistent ransomware activity,” said Alexandra Rose, director of the Sophos Counter Threat Unit (CTU). “Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organizations, showing that even moderate levels of threat activity can have serious consequences.”
Sophos said the long-standing staffing shortage in healthcare contributes to the problem. The most common reason providers fell victim to ransomware was a lack of capacity, with 42% saying they did not have enough cybersecurity staff monitoring systems during the attack.
The impact on workers is also being felt. According to the report, 37% of healthcare respondents said ransomware incidents increased their anxiety or stress about future attacks. Nearly a quarter said the stress led to staff absences.
Despite the challenges, the report noted signs of improvement in how healthcare providers respond to ransomware.
“It’s also encouraging to see signs of stronger resilience,” Rose said.
Recovery times have improved, with 58% of healthcare organizations recovering within a week in 2025, up from 21% in 2024.
Ransom demands and recovery expenses are lower. The median ransom demand dropped by 91% to about $345,000. Recovery costs also fell to their lowest level in three years.
Data encryption during attacks is also declining. Only 34% of healthcare organizations reported their data was encrypted, the lowest level in five years.
Fewer healthcare providers are paying ransoms. This year, 36% of affected organizations paid, down from 61% in 2022. More than half of those that paid settled for less than the original demand.
Sophos X-Ops tracked 88 ransomware groups targeting healthcare over the past year. The most active based on leak site activity were GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom), and GOLD HUBBARD (RansomHub). The company said attackers often use vulnerability exploitation, phishing, social engineering, brute force attempts, drive-by downloads, and stolen credentials.
“In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning,” Rose said. “In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal.”