Three ransomware operations, Qilin, Akira, and The Gentlemen, are responsible for a disproportionate share of attacks against healthcare organizations, and each gets in through a different door.


What happened

An HHS HC3 threat profile identifies Qilin, also known as Agenda, as a ransomware-as-a-service operation targeting healthcare organizations and other industries worldwide. The profile notes that the group gains initial access through phishing and spear-phishing emails, exposed applications and interfaces such as Citrix, and Remote Desktop Protocol (RDP) access. It also notes that Qilin operates a data-leak site as part of its double-extortion model.

In a November 2025 StopRansomware advisory, CISA, the FBI, HHS, the Department of Defense Cyber Crime Center, and international partners said Akira had claimed approximately $244.17 million in ransomware proceeds as of late September 2025. The advisory also names healthcare and public health among the sectors Akira has notably targeted.

HHS OCR’s breach portal lists Hospital Caribbean Medical Center as a healthcare provider breach affecting 92,000 individuals. The entry, reported on April 6, 2026, describes the incident as a hacking/IT incident involving a network server. OCR does not attribute the breach to The Gentlemen; the attribution comes from a Comparitech report that links the incident to the group.


Going deeper

All three run double-extortion ransomware-as-a-service operations, but each relies on a different form of initial access. According to a joint advisory by the FBI and other federal agencies, Qilin's documented entry points are phishing emails that deliver credential-harvesting payloads, exploitation of public-facing applications, and stolen credentials used against remote access services such as RDP. Akira relies primarily on VPN services that lack multi-factor authentication, reached by brute-forcing credentials or by exploiting known vulnerabilities in the VPN appliances themselves; the joint federal advisory notes the group has also used stolen credentials and spear phishing.

The Gentlemen, the newest of the three, emerged in mid-2025 after a former Qilin affiliate split off following a payment dispute and entered the market with a stockpile of roughly 14,700 already-compromised FortiGate devices, meaning many of its attacks start from existing access rather than a fresh intrusion. Each group's preferred entry point maps to a different control gap: email filtering for Qilin, multifactor authentication (MFA) enforcement and VPN patching for Akira, and edge-device exposure for The Gentlemen. That last gap is different in kind: where a device was already compromised, patching closes the original hole but does not revoke access an intruder already holds, so credentials and configuration on such devices need to be rotated, not just updated.
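As an added illustration of the Akira-side control gap (this is example code written for this page, not code from any advisory or from the page's sources), the following Python script runs simple detection logic over a few constructed VPN authentication log lines: it flags a burst of failed logins from one source address, a successful login that follows such a burst, and any successful login that never completed MFA. The log format, field names, thresholds, usernames and sample IP addresses are all assumptions made for the example; real appliances log in their own formats and the regular expression would need to be adapted to them.

```python
"""Detect VPN brute-force bursts and MFA-less logins over constructed sample logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in a hypothetical, simplified format (assumption:
# "<timestamp> <FAIL|SUCCESS> user=<name> src=<ip> mfa=<yes|no>"). Real VPN
# appliances use their own syslog formats; adapt LINE_RE accordingly.
SAMPLE_LOGS = """\
2025-09-20T02:14:01Z FAIL user=jdoe src=203.0.113.50 mfa=no
2025-09-20T02:14:09Z FAIL user=jdoe src=203.0.113.50 mfa=no
2025-09-20T02:14:17Z FAIL user=jdoe src=203.0.113.50 mfa=no
2025-09-20T02:14:25Z FAIL user=jdoe src=203.0.113.50 mfa=no
2025-09-20T02:14:33Z FAIL user=jdoe src=203.0.113.50 mfa=no
2025-09-20T02:14:41Z FAIL user=jdoe src=203.0.113.50 mfa=no
2025-09-20T02:19:44Z SUCCESS user=jdoe src=203.0.113.50 mfa=no
2025-09-20T07:58:02Z SUCCESS user=svc-backup src=192.0.2.9 mfa=no
2025-09-20T08:02:10Z FAIL user=asmith src=198.51.100.7 mfa=yes
2025-09-20T08:02:40Z SUCCESS user=asmith src=198.51.100.7 mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>FAIL|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_events(text):
    """Parse log text into event dicts sorted by time; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "SUCCESS",
            "user": m["user"],
            "src": m["src"],
            "mfa": m["mfa"] == "yes",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return a sorted list of (finding, src, user) tuples.

    brute_force:         at least `threshold` failures from one source inside `window`
    success_after_bf:    a successful login from a source still inside such a burst
    success_without_mfa: any successful login that did not complete MFA
    """
    findings = set()
    # Per-source failure timestamps that are still inside the sliding window.
    # Keyed on source, not user, so a password spray that rotates usernames
    # from a single address is still counted as one burst.
    recent_fails = defaultdict(deque)
    for e in events:
        q = recent_fails[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= threshold:
                findings.add(("brute_force", e["src"], e["user"]))
            continue
        if len(q) >= threshold:
            findings.add(("success_after_bf", e["src"], e["user"]))
        if not e["mfa"]:
            findings.add(("success_without_mfa", e["src"], e["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOGS)):
        print(*finding)
```

The threshold and window are starting points to tune against a site's own baseline; the legitimate user in the sample (one typo, then a successful MFA login) produces no finding at all. The success_without_mfa finding is the one to act on directly, since a VPN that accepts a password alone is the gap the Akira advisory describes, whether or not a brute-force burst preceded the login.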


What was said

A peer-reviewed analysis of ransomware-attacked US hospitals from 2016 to 2021 found that "nearly 75% of ransomware attacks affected patient care in some way," with documented disruptions including ambulance diversion, electronic system downtime, and delays in scheduled care. The figure predates Qilin, Akira, and The Gentlemen as named threats, but the operational pattern it describes, encryption and exfiltration translating directly into care delays, is the same pattern current incident reports continue to document.


In the know

Ransomware has become the dominant force behind the most damaging healthcare data breaches, even though it represents a minority of breach events. A cross-sectional study of HIPAA covered entity breach data from 2010 to 2024, published in JAMA Network Open, found that while ransomware accounted for only 11% of total healthcare data breaches in 2024, it was responsible for 69% of all patient records compromised that year.

"Ransomware has become the most disruptive force in health care cybersecurity," said John (Xuefeng) Jiang, an accounting and information systems professor at Michigan State University. The study found that hacking or IT incidents, the category ransomware falls under, rose from 4% of healthcare breaches in 2010 to 81% by 2024. Qilin, Akira, and The Gentlemen each fall into that category, and their current activity levels are consistent with a threat that has shifted from peripheral to central in how healthcare data gets exposed.


The big picture

Default email filtering in Microsoft 365 or Google Workspace, unpatched edge devices, and VPNs without enforced MFA each map to a documented entry point used by one of these three groups today. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, and attacks designed to bypass native email defenses rose 47% over the same period, a gap that matters specifically for Qilin's phishing-led access pattern.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)


FAQs

Does paying the ransom resolve a HIPAA compliance issue?

Paying a ransom may restore access to data, but it does not eliminate the underlying breach. Under OCR's ransomware guidance, ransomware encryption of electronic PHI is presumed to be a breach unless a risk assessment shows a low probability that the data was compromised, so notification obligations turn on that assessment, not on whether the attacker was paid.


Is encrypted email enough to stop these ransomware groups?

No. Email encryption protects the contents of a message in transit, but Qilin's documented access method is phishing that harvests credentials, not interception of email content.


What single step would most reduce exposure to all three groups at once?

There is not one, because each group favors a different entry point: phishing and credential use against RDP and Citrix for Qilin, VPNs without MFA for Akira, and already-compromised FortiGate devices for The Gentlemen. Closing one of those gaps leaves the other two open.