FBI names healthcare the most targeted sector for ransomware in 2025
Farah Amod
April 28, 2026
Healthcare and public health logged more ransomware attacks and data breaches than any other US infrastructure sector last year, according to the FBI's annual Internet Crime Report.
What happened
Healthcare and public health ranked as the top targeted sector for cyberthreats across all 16 US critical infrastructure sectors in 2025, recording 460 ransomware attacks and 182 data breaches for a total of 642 cyber events. According to the FBI Internet Crime Complaint Center 2025 Annual Report, financial services was the next highest sector with 447 total cyber events. The IC3 received a record 1,008,597 complaints in 2025, up from 859,532 in 2024, averaging nearly 3,000 per day. Total reported cybercrime losses reached $20.9 billion, a 26% increase from $16.6 billion the year prior. Ransomware-specific losses reported to the IC3 totaled $32.3 million, though the FBI acknowledged that figure excludes lost business, operational downtime, wages, equipment costs, and third-party remediation, meaning actual losses are substantially higher. The five most reported ransomware variants in 2025 were Akira, Qilin, INC Ransom, BianLian, and Play.
Going deeper
According to CyberScoop, the IC3 identified 63 new ransomware variants in 2025, averaging 5.25 new variants per month, with the top ten accounting for 56% of all reported ransomware incidents. The report documented that attackers concentrate on sectors with low tolerance for operational downtime, reasoning that the pressure created by disruption increases the likelihood of ransom payment. Healthcare's combination of digitally dependent care delivery, patient safety obligations, and round-the-clock operational requirements places it at the top of that target profile. Business email compromise (BEC) continued as the most financially damaging enterprise-targeted cybercrime, generating $3 billion in reported losses in 2025 alone. For the first time, the IC3 annual report formally documented the growing use of AI by cybercriminals to generate convincing phishing emails, synthetic video content, and voice cloning at scale.
What was said
John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, said in a statement published by the AHA: "This report quantifies what we already knew anecdotally about the health care sector being the most targeted by ransomware attacks. The vast majority are perpetrated by foreign ransomware gangs, primarily Russian-speaking groups, which specifically target health care, hoping for a big payout. They know these attacks cause disruptions and delays to digitally dependent health care delivery, posing a risk to patient and community safety, thereby increasing the exigency and pressure for a potentially large ransom payment. These despicable acts are, in fact, threat-to-life crimes and remind us to do what we can on defense and prepare for clinical continuity, not if, but when an attack strikes."
In the know
The FBI's 2025 IC3 report arrived against a backdrop of landmark healthcare ransomware incidents that played out over the course of the year. The Interlock group's attack on Kettering Health in May 2025 ultimately affected 1.7 million individuals and triggered 44 patient care lawsuits. The Qilin group's attack on Covenant Health in Maine affected 478,000 patients and contributed directly to Maine's LD 2103 hospital cybersecurity legislation. Ransomware attacks on healthcare organizations have surged 264% since 2018, according to the Office for Civil Rights. The IC3 ransomware complaint volume itself rose from 2,825 in 2023 to 3,156 in 2024 to 3,611 in 2025, a consistent upward trajectory across three consecutive years.
The big picture
The FBI's finding that healthcare topped all 16 critical infrastructure sectors for cyber events in 2025 provides federal confirmation for what Paubox has tracked in HHS breach data throughout the year. According to Paubox's 2026 Healthcare Email Security Report, 170 email-related breaches were reported to HHS in 2025, exposing more than 2.5 million individuals, with phishing-driven mailbox takeovers alone accounting for 630,000 of those exposures. The average cost of a healthcare data breach stands at $9.8 million according to IBM, making healthcare's financial exposure from cybercrime far greater than any ransom figure suggests. Healthcare organizations that treat ransomware as a low-probability risk because they have not yet been attacked are operating on an assumption the FBI's data directly contradicts: with 460 ransomware attacks recorded against the sector in a single year, across a defined universe of providers, whether an organization will face an attempt is no longer a matter of if.
FAQs
Why does the FBI's reported ransomware loss figure of $32 million appear low, given the scale of attacks on healthcare?
The IC3 figure captures only what victims voluntarily report through the IC3 portal and excludes the largest cost categories: operational downtime, lost revenue, equipment replacement, forensics, legal fees, and regulatory penalties. A single ransomware attack that takes a hospital offline for three weeks generates losses that can exceed the reported national aggregate on its own.
What makes healthcare a more attractive ransomware target than other critical sectors?
Healthcare organizations cannot delay care delivery the way other sectors can delay production or services. Disruptions create immediate pressure on patient safety, which attackers calculate will accelerate ransom negotiation and payment. Healthcare records also carry some of the highest black-market value of any stolen data due to their combination of personal, financial, and clinical details.
What is BEC, and why does it pose a particular risk to healthcare organizations?
Business email compromise involves attackers impersonating executives, vendors, or internal staff to redirect payments or extract sensitive information. Healthcare organizations process high volumes of vendor payments, insurance transactions, and billing communications, making them attractive targets. BEC generated $3 billion in reported losses across all sectors in 2025, with healthcare's complex vendor ecosystems providing multiple entry points.
What does the FBI mean when it says attackers target sectors with a low tolerance for operational downtime?
Ransomware operators select targets where encrypting systems creates the most immediate pressure to pay. Hospitals cannot operate on paper for weeks without endangering patients, which means the cost of not paying the ransom can be framed as a patient safety risk rather than simply a financial one. Attackers exploit that framing deliberately.
How should healthcare IT leaders use this report in conversations with leadership?
The FBI's sectoral ranking provides independent federal validation that healthcare faces a higher volume of ransomware and breach events than any other critical infrastructure sector. IT and compliance leaders can use the report to support budget requests for incident response planning, network segmentation, and email security controls by anchoring the risk in documented federal data rather than internal projections.