Average ransom demands surge for healthcare ransomware attacks in 2026

Comparitech's Q1 2026 data shows ransomware groups are hitting healthcare less often but demanding exponentially more when they do.

 

What happened

Healthcare organizations recorded 120 ransomware attacks in Q1 2026, a 14 percent decline from Q4 2025, according to Comparitech's quarterly ransomware analysis. Of those, 22 were confirmed, and 98 remained unconfirmed claims on ransomware group leak sites. Despite the drop in volume, the average ransom demand across confirmed healthcare incidents surged to $16.9 million, up from $577,800 the previous quarter. The largest single demand reached $100 million, issued by the NetRunner group against Nippon Medical School Musashi Kosugi Hospital in Japan, though no payment was made. Across confirmed provider attacks, approximately 237,747 records were breached, and ransomware groups claimed to have exfiltrated around 13 terabytes of data from healthcare providers alone.

 

Going deeper

Qilin was the most active group targeting healthcare providers in Q1 2026, accounting for 23 claimed attacks and four confirmed incidents spanning the US and Germany. The Gentlemen followed with 10 claims and three confirmed attacks, targeting organizations in Brazil, New Zealand, and Puerto Rico. LockBit accounted for three confirmed provider attacks, including organizations in Italy and the US. Among healthcare businesses, meaning companies that operate in the healthcare supply chain rather than as direct care providers, INC and NightSpire led with eight claims each. Comparitech noted a meaningful split in targeting strategy: groups like Qilin focus heavily on direct care providers, while INC appears to concentrate more on healthcare businesses. Ransomware groups claimed to have stolen more than twice as much data from healthcare businesses as from providers, 29 terabytes versus 13, despite providers facing higher attack volume. The median ransom demand across the quarter stood at $300,000, suggesting that while a small number of high-value demands drove the average up, most attacks still target organizations at a more typical extortion level.

 

What was said

Rebecca Moody, Comparitech's head of data research, stated in the report that "for the last two quarters, attacks have been consistently high with hackers focusing on healthcare providers and businesses operating within the healthcare industry. This means healthcare providers not only have to safeguard their own systems from attacks but also need to ensure the third parties they're using are reaching the same standards." On the divergence in group targeting, Moody added that "the focus on certain sectors by certain groups could be due to the success of certain campaigns within a particular industry, or an attempt to infiltrate a sector that isn't as saturated or high profile when it comes to ransomware."

 

In the know

The shift toward higher ransom demands with lower attack frequency mirrors a pattern observed across all sectors. Ransomware groups pre-qualify targets based on revenue, insurance coverage, and operational dependency before deploying an attack, reserving their greatest demands for organizations where downtime pressure is highest. The $100 million demand against Nippon Medical School Musashi Kosugi Hospital, while ultimately unpaid, represents the upper end of a documented escalation in demand sizing that researchers have tracked since late 2024. According to the FBI's 2025 Internet Crime Report, healthcare was the most targeted critical infrastructure sector for the full year, recording 460 ransomware attacks, making Q1 2026's 120 attacks roughly consistent with that annual run rate.

 

The big picture

A lower attack count accompanied by a jump in average demand from $577,800 to $16.9 million in a single quarter indicates a strategic adjustment rather than a retreat. Groups are being more selective, targeting organizations where the combination of data sensitivity, operational disruption, and ransom capacity justifies a larger ask. For healthcare IT and compliance leaders, the volume decline offers no reliable signal of reduced risk. According to Paubox's 2026 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged 264 percent since 2018, and the average breach now costs $9.8 million according to IBM figures, which puts Q1 2026's average demand of $16.9 million well above what most organizations have modeled as their worst-case scenario. The third-party dimension compounds this: with ransomware groups claiming more data stolen from healthcare businesses than from direct providers, vendor risk management sits at the center of the exposure picture heading into Q2 2026.

 

FAQs

What is the difference between a confirmed and an unconfirmed ransomware attack?

A confirmed attack is one where the victim organization has publicly acknowledged the incident, typically through a breach notice, regulatory filing, or official statement. An unconfirmed claim exists only on a ransomware group's leak site and has not been verified by the victim or independent reporting.

 

Why are ransomware groups claiming more data from healthcare businesses than from direct providers?

Healthcare businesses such as pharmaceutical companies, medical device manufacturers, revenue cycle vendors, and similar organizations often hold large volumes of consolidated data from multiple covered entities. A single successful attack on a vendor can yield more data than attacking individual hospitals, which may explain both the higher data volumes claimed and the growing interest from groups like INC in that segment.

 

What does the $100 million demand against a Japanese hospital indicate about group strategy?

Demands at that level are typically not expected to be paid in full but serve as an opening position in a negotiation. They also signal that the group believes the target has either the financial capacity or the reputational exposure to justify a significant payment. Unpaid demands are still published publicly, which serves the group's broader extortion model by demonstrating reach and credibility to future targets.

 

How should healthcare organizations interpret the Q1 volume decline?

A 14 percent quarterly decline should not be read as a sustained trend without additional context. Attack volume fluctuates quarter to quarter based on group activity, law enforcement disruptions, and seasonal targeting patterns. The more meaningful signal from Q1 2026 is the demand escalation, which suggests the organizations that were hit faced substantially greater financial exposure than those hit in prior quarters.
