Healthcare organizations experienced the highest level of cyber targeting in 2025, with the sector accounting for 27% of incidents and recording the highest average ransom payments at $1,154,245.
Healthcare Sector Cyber Incident Data
The BakerHostetler 2026 Data Security Incident Response Report reviewed more than 1,250 data security incidents handled by the firm in 2025. Healthcare accounted for the largest share of incidents at 27%, followed by finance and insurance at 18%. Healthcare has maintained the highest level of cyber targeting among all industries for more than a decade.
More than 700 healthcare data breaches were recorded during the year. Breaches affecting 500 or more individuals declined for the second consecutive year, although the decrease was limited. Average ransom payments increased across all sectors from $501,338 in 2024 to $682,702 in 2025. Healthcare organizations reported 69% higher ransom payments than other sectors in 2025, reaching $1,154,245.
Ransomware and Extortion Payment Trends
Ransom demands reached higher levels in 2025, with the largest demand reported at $98 million. This exceeded the highest demand recorded in 2024, which was $40 million. The largest ransom payment made in 2025 was $5.65 million, which was lower than the largest payment reported in 2024 by over $20 million.
Payment behavior shifted during the year. In 2024, 43% of ransomware victims paid to obtain a decryptor, while 34% paid to prevent the release of stolen data. In 2025, 31% paid for a decryptor, 43% paid to prevent publication of stolen data, and 26% paid for both data recovery and prevention of a data leak.
Across all ransomware and extortion incidents, 64% involved data theft that triggered notification obligations to affected individuals.
Threat Actor Activity and Tactics
Threat actors spent less time within breached networks, from 36 days in 2023 to 22 days in 2025. This reduction reflects adjustments by threat actors in response to improved detection capabilities. A shift toward extortion-only attacks was observed. Some threat groups abandoned encryption activities and instead focused on data exfiltration and extortion. These attacks proceed more quickly and with reduced visibility compared to traditional ransomware incidents. In certain cases, data exfiltration activity led to detection, resulting in the abandonment of encryption efforts.
Ransomware Group Activity
The Akira ransomware group recorded the highest level of activity based on the number of incidents requiring response engagement. Qilin increased its activity during 2025 after recruiting affiliates from other ransomware operations. Lynx/Inc ranked third, followed by Clop in fourth position and RansomHub in fifth.
Law enforcement actions against the LockBit ransomware group affected its activity levels. For the first time in five years, LockBit is not among the five most active ransomware groups identified in the report.
Vendor-Related Incidents in Healthcare
Vendor-related incidents accounted for 35% of healthcare sector cases handled in 2025. These incidents were associated with some of the largest reported data breaches.
The Conduent data breach affected more than 10 million individuals. The Episource breach impacted more than 5 million individuals. A data breach involving Oracle Health (Cerner) affected a number of individuals in the millions, although a precise figure was not disclosed.
HIPAA Enforcement and Regulatory Activity
In 2025, there were announcements of 21 resolution agreements. Twelve settlements or notices of final determination carried dates within the year. Seven of those twelve cases involved alleged HIPAA violations by business associates.
The Office for Civil Rights demonstrated attention to HIPAA compliance among vendors through enforcement activity involving business associates.
BakerHostetler indicated that fewer penalties may be imposed in the current year, with a potential shift toward technical assistance. State attorneys general may increase enforcement activity by exercising authority to penalize healthcare organizations for breaches involving protected health information (PHI) of state residents.
State-level enforcement activity is expected to expand as states increase data privacy units staffing. Anticipated areas of focus include data breach investigations, data awareness practices, data minimization, protection of sensitive data, and transparency in incident investigations. Additional state privacy legislation is expected in the absence of federal data privacy legislation.