Sophos, a global player in innovative security solutions for defeating cyberattacks, has released findings from its State of Ransomware in Healthcare report.
It found that the sector has been making strides in tackling the threat of ransomware:
- Recovery times sped up: The percentage of organizations that recovered within a week more than doubled from 21% in 2024 to 58% in 2025.
- Ransom payments and recovery costs are down: Between this year and last, the median ransom demand for healthcare providers declined by 91% to just $345,000, and recovery costs dropped to their lowest level in three years.
- Data encryption is declining: Data encryption fell to its lowest level in five years, at just 34%.
- Fewer healthcare organizations are paying the ransom: The rate of healthcare organizations paying the ransom was nearly cut in half, and for those that did pay the ransom, over half paid less than the original demand. In 2025, just 36% of healthcare providers paid the ransom—down from 61% in 2022.
However, ransomware is still a threat to the industry, presenting challenges for data recovery and frontline workers:
- Impact of healthcare staffing shortage: Multiple factors contribute to healthcare providers falling victim to ransomware, with the most common (42%) being a lack of people/capacity (i.e., an insufficient number of cybersecurity experts monitoring systems at the time of the attack), reflecting the impacts of the chronic healthcare staffing shortage.
- Extortion on the rise: The percentage of providers that were extorted over their data without having it encrypted has tripled since 2023, the highest rate reported across sectors.
- The human impact of ransomware is real: 37% of healthcare respondents mentioned increased anxiety or stress about future attacks, and nearly a quarter experienced staff absence due to this stress.
What Sophos is seeing in healthcare
Over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 88 distinct threat groups targeted healthcare organizations. The most prominent groups targeting healthcare organizations, based on leak site observations, are GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom) and GOLD HUBBARD (RansomHub). Sophos Incident Response and MDR cases reveal vulnerability exploitation as a primary vector, in addition to the following: phishing, social engineering, brute force, drive-by downloads and stolen credentials.
“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organizations, showing that even moderate levels of threat activity can have serious consequences. It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal,” said Alexandra Rose, Director, Sophos Counter Threat Unit (CTU).