Cyberthreat actors shift from ransomware to patient extortion: Report

As the healthcare attack surface rapidly expands, cyberthreat actors are now favoring triple extortion, service disruption and individual patient extortion, Trellix observed.

Today's cyberthreat actors are moving away from simple encryption methods and toward individual patient extortion, service disruptions and affiliate models, Trellix said in a new threat intelligence report. 

Trellix based its report on 54.7 million detections across multiple Trellix security products installed in healthcare settings. About 75% of the detections originated from U.S.-based customers, highlighting the aggressive targeting of U.S. healthcare organizations. 

The report identified 109 unique campaigns engineered to compromise healthcare infrastructure in 2025, as well as notable spikes in activity in the first half of the year. Phishing remained the primary attack vector, with cyberthreat actors increasingly using AI and regulatory compliance themes to trick administrative staff.

Patient extortion is a growing trend, Trellix noted, as cyberthreat actors can bypass negotiations with legal teams and insurers and instead demand small sums of money directly from patients. In 2025, extortion-only attacks on healthcare providers accounted for 12% of all healthcare cyberattacks, Trellix found, representing a 300% increase since 2023. 

According to Trellix, the shifts in 2025 can be partially explained by an overhaul of the ransomware-as-a-service ecosystem, which "underwent a violent reorganization following the high-profile fallout of the Change Healthcare breach." 

This change led to more aggressive, affiliate-centric models, as reflected in the 2025 data, which revealed persistent, high-volume threats targeting healthcare's unique vulnerabilities. 

Those unique vulnerabilities include an ongoing reliance on legacy technology and an increasingly complex ecosystem of medical devices and operational technologies, both of which can expose organizations to greater risk. 

But the defining trend of 2025, according to the report, was the "cascading effect," in which attacks against administrative networks or non-clinical systems, such as a building's HVAC system, could significantly disrupt a healthcare organization's operations. 

"These disruptions were not merely financial; they were lethal," the report stated.  

"Research confirmed that hospitals affected by cyberattacks, including cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC) incidents, saw a 29% increase in mortality rates for inpatients, and neighboring hospitals experienced an 81% surge in cardiac arrest cases due to emergency diversions." 

Healthcare cyberattacks remain extremely costly and dangerous, and 2025 cyberthreat trends reaffirmed the link between effective cybersecurity and patient safety.  

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
