kras99 - stock.adobe.com
Healthcare ransomware attacks surge 14% amid growing cyberthreats
A new report shows that healthcare organizations have faced 410 ransomware attacks in the first half of 2026, as regulatory efforts to bolster healthcare cybersecurity stalled.
Healthcare cyberattacks have shown no sign of slowing in 2026, according to a new report from Comparitech. The company's worldwide ransomware tracker recorded a 14% increase in healthcare ransomware attacks, from 360 in the first half of 2026 compared to 410 in the second half of 2025. Healthcare organizations faced an average of 2.3 ransomware attacks per day.
Of the 410 recorded ransomware attacks, 247 targeted hospitals, clinics and other direct care providers, while 163 affected other healthcare businesses, such as pharmaceutical manufacturers, health tech companies and medical billing providers.
While the industry as a whole saw an increase in ransomware attacks, that increase was largely driven by attacks against healthcare businesses and vendors. Ransomware attacks on healthcare providers worldwide rose just 3% from the second half of 2025, while attacks targeting healthcare businesses rose 36%. In the U.S., attacks on healthcare providers actually dropped by over 7%.
Still, the U.S. saw the highest number of attacks overall, accounting for 225 of the 410. Cyberthreat groups Qilin, The Gentlemen, LockBit and INC were the most active in the first half of 2026, the report showed.
The report is the latest addition to a growing body of research and threat briefs that show why healthcare organizations should remain on high alert.
More health data threats arise
In addition to the Comparitech research, other industry reports have shown that healthcare organizations are struggling to balance growing cyber risk with adequate mitigation efforts.
For example, a new report from Fortified Health Security showed a 60% increase in critical and high-risk vulnerability findings in the first half of 2026 compared to last year.
The increase in findings indicates that organizations are improving their ability to identify vulnerabilities and risk areas. However, risk remediation dropped to 6.4% in the first quarter of 2026, down from 23.3% in the same period in 2025, indicating they still struggle to obtain the resources to fix them.
In other cyberthreat news, the National Security Agency, alongside various national and international cybersecurity leaders, issued a warning on July 13 that Russian state-sponsored hackers are exploiting poorly configured networking devices worldwide, "opportunistically compromising multiple critical infrastructure sector networks."
Healthcare is one of the handful of critical infrastructure sectors that the NSA said is most at risk.
Regulatory efforts on pause
As healthcare faces mounting cyber threats, major regulatory updates that would have changed how the industry responds to threats are now on the back burner for another year.
In January 2025, the HHS Office for Civil Rights proposed modifications to the HIPAA Security Rule to address the increasing frequency of healthcare cyberattacks and strengthen security requirements for covered entities to account for modern-day threats.
The final rule, which was expected to be released in May 2026, has now been pushed back to July 2027, according to the Office of Management and Budget website.
The rule would have incorporated sweeping changes that would require covered entities to meet stricter standards -- from mandating annual penetration tests and a specific risk analysis methodology to requiring multifactor authentication.
The proposal was met with mixed feedback from the industry. In December 2025, more than 100 hospital systems, provider organizations and associations urged HHS Secretary Robert F. Kennedy, Jr., to rescind the Biden-era proposed rule in favor of conducting a collaborative outreach initiative to develop actionable cybersecurity standards without increasing regulatory burden.
HHS stood its ground, with OCR Director Paula M. Stannard saying at the HIMSS conference in March 2026 that "there's a very high cost of doing nothing."
At the time, Stannard said that OCR had yet to decide which, if any, of the proposals would ultimately be finalized, but stressed that the proposal's core principles remain sound best practices for healthcare entities.
Now, healthcare organizations have been left in limbo for another year as healthcare cyberattacks continue to impact the sector.
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.