The First Quarter 2025 Health-ISAC Heartbeat report reveals a continuous surge in cybersecurity incidents and data breaches impacting the health sector. Although ransomware attacks slightly decreased in the third quarter of 2024, they rose again in the fourth quarter and continued to rise into 2025. VPN provider vulnerabilities and compromised credentials remain persistent threats to organizations.
Health-ISAC issued 220 Targeted Alerts to specific member organizations, alerting them about potentially vulnerable infrastructure and actively exploited vulnerabilities. In the first quarter of 2025, the health sector reported 158 ransomware attacks, marking a slight increase from the 154 attacks in the previous quarter. This increase highlights the ongoing and expanding threat landscape, as ransomware attacks have been trending upward since the third quarter of 2024, which recorded 109 attacks.
Of the total 2,429 ransomware attacks reported across all sectors in Q1 2025, the health sector accounted for approximately 6.5%. Since 2021, Health-ISAC has tracked 23,606 breaches across all sectors, with 1,370 of those involving health organizations. These figures underscore the growing cyber threat to the global health sector, with most ransomware incidents in Q1 2025 targeting organizations in the Americas (80.6%), followed by EMEA (11.5%) and APAC (7.9%).
The report also highlighted specific cybersecurity issues, including vulnerabilities in BeyondTrust and Next.js systems. On March 28, 2025, Health-ISAC, in collaboration with intelligence partners, identified vulnerable BeyondTrust Privileged Remote Access (PRA) or Remote Support (RS) versions within several member organizations. As a result, Health-ISAC issued 62 Targeted Alerts to prompt investigations and patching of vulnerable systems. Additionally, Health-ISAC issued 33 alerts for potentially vulnerable Next.js versions, which affect web applications used in health services such as patient portals and administrative dashboards.
Health-ISAC also reported on the increasing use of underground forums where threat actors advertise stolen data or access to systems. In one case, a hacker using the handle MIYAK000 offered compromised VPN access to a U.S.-based surgery center and a medical revenue cycle management organization on BreachForums.
A significant player in this trend is INC Ransomware (also known as GOLD IONIC), a ransomware-as-a-service group active since at least July 2023. INC Ransomware has been targeting high-value industries, with a focus on the healthcare sector. The group uses advanced tactics to exploit vulnerabilities in legacy systems and maximize financial extortion, which often results in operational disruption, data breaches, and substantial financial losses.
Health-ISAC emphasized the need for enhanced cybersecurity practices in the health sector. Recommendations include promptly patching vulnerable devices, maintaining updated data backups, and raising employee awareness through continuous security training. Network segmentation, phishing-resistant multi-factor authentication, endpoint protection, and regular security audits are also vital measures. Additionally, Health-ISAC encourages organizations to implement detailed incident response plans and monitor for suspicious activities to ensure operational continuity.
A recent report by Forescout Technologies also revealed an increase in the frequency and impact of data breaches across all industries, with healthcare organizations being particularly vulnerable. Nearly half of all breaches affecting more than 5,000 individuals in 2024 targeted the healthcare sector.