Healthcare Remains One of the Most Highly Targeted Industries
CyberMaxx recently released the Q1 2025 Ransomware Research Report. This quarter produced the highest number of recorded attacks so far. Among the findings, our researchers discovered that healthcare facilities remained some of the most highly targeted organizations, likely because the potential life-or-death consequences of operational disruptions leave them vulnerable.
Operational downtime at a healthcare facility can be devastating, putting patient safety, critical services, and sensitive data at immediate risk. When systems go offline, it can delay urgent care, disrupt access to medical records, and halt life-saving procedures—making every minute count.
Threat actors know this. That’s why healthcare is a prime target for ransomware attacks. Cybercriminals exploit the urgency and potential harm caused by downtime, believing that the high stakes will pressure organizations into paying the ransom quickly to restore operations.
By the Numbers
Of the over 400 organizations CyberMaxx protects, 75 are healthcare facilities. That equates to upwards of 500K endpoints across hospitals, doctors’ offices, dentists, and more. During this past quarter, there were a total of 2,461 ransomware and data extortion attacks. Of those, 127 hit healthcare organizations. Of those 127, 68 were based in the United States, totaling 54% of the healthcare-related attacks.
A Common Cause of Healthcare Data Breaches
The Oracle Health data breach is one example of a recent compromise. In early 2025, Oracle Health, formerly known as Cerner, suffered a significant data breach affecting multiple U.S. hospitals and healthcare providers. Attackers used compromised customer credentials to gain unauthorized access to legacy data migration servers. This unauthorized access reportedly began sometime after January 22, 2025, with the attackers exfiltrating patient data to an external location. Oracle Health became aware of the breach around February 20, 2025, initiating a comprehensive investigation and response process. Notification of affected clients began in March, with Oracle Health striving to provide transparency on the extent of the breach.
The stolen data reportedly included sensitive patient information from electronic health records, though the precise scope and amount of compromised data remain unclear. The use of compromised credentials to access legacy systems underscores a common vulnerability within the healthcare sector, where outdated or insufficiently protected systems remain integrated with modern networks.
An individual identifying themselves as “Andrew” has attempted to extort the affected healthcare providers, demanding payments in exchange for not releasing the stolen data. Notably, this threat actor does not appear to be affiliated with any known ransomware group, suggesting the possibility of either a lone actor or a new entity entering the scene.
The motivations and capabilities of “Andrew” are still under investigation, but the lack of affiliation with a prominent ransomware group could complicate efforts to track and apprehend the individual. The healthcare sector is still particularly vulnerable to such attacks, given the sensitive nature of patient data and the potential harm that could result from its unauthorized disclosure.
A Case for Updating Legacy Systems
This breach highlights the ongoing challenge of securing legacy systems and ensuring that customer credentials are adequately protected. As Oracle Health continues to investigate and mitigate the impacts of the breach, healthcare organizations must remain vigilant and proactive in bolstering their own cybersecurity measures.
The incident also serves as a reminder that attackers are increasingly targeting healthcare institutions due to their critical role in society and the high value of the data they possess. Ensuring robust protection of sensitive data should remain a top priority for all entities operating in the healthcare sector.
Securing Your Healthcare Data
Healthcare organizations must prioritize proactive defense, real-time detection, and incident response—because even a short disruption can have life-threatening consequences, and attackers are counting on that pressure to profit.
Don’t miss this session hosted by CyberMaxx and HS-ISAC, full of stories from cybersecurity experts and healthcare customers that validate the real-world impact of the cyber threats targeting medical and dental organizations of all sizes every day. Hear all the ways you can take steps to protect your organization from the rising threats. Learn more here: Improving Healthcare Cybersecurity So Patient Data Doesn’t End Up on the Dark Web | CyberMaxx