Verizon: Healthcare Sector Facing Sustained, Multi-vector Attacks
Verizon has published its 2026 Data Breach Investigations Report, which shows that the healthcare sector continues to be targeted by cybercriminal groups. The sector is having to contend with sustained multi-vector attacks, including ransomware, unpatched vulnerabilities, and human error. Regardless of the cause, the attacks are putting patient privacy, safety, and care at risk.
Verizon tracked 1,492 healthcare incidents for its 2026 report, including 1,438 confirmed data disclosures, a majority of which were due to ransomware-driven system intrusions achieved through multiple attack vectors, including the exploitation of vulnerabilities (20%), phishing attacks (14%), stolen credentials (11%), and employee errors (11%). Threat actors are being given far too big a window of opportunity to exploit known vulnerabilities. Verizon found that in 2025, only 26% of critical vulnerabilities were fully remediated, with a median time for resolution stretching to 43 days. In healthcare, where complex legacy systems are the norm, the window of opportunity is greater, giving threat actors a wide attack window.
While external actors accounted for the majority of incidents, insider breaches remain common in healthcare. Internal actors were behind 19% of breaches. As Verizon notes, human error continues to be a chronic source of breaches. The human element was involved in 54% of incidents, including misconfigurations, misdirected communications, the loss/theft of unencrypted devices, and poor cyber hygiene.
The most common human-related cause of healthcare data incidents was misdelivery, which accounted for around 40% of incidents, followed by loss incidents at around 25%, and misconfigurations at around 20%. While greater investment in cybersecurity will help to address the 81% of breaches due to external actors, security awareness training plays an important part in preventing data breaches. Employees need to be made aware of security fundamentals and be taught the importance of practicing good cyber hygiene. Social engineering was the third main cause of healthcare breaches in 2025, the majority of which were due to phishing, followed by pretexting – these attack techniques need to be covered in depth in training courses.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Around 32% of healthcare data breaches involved third parties, so applying the security fundamentals internally is only part of the solution. Healthcare organizations must also ensure that they bake security into their contracts with business associates and suppliers. The proposed update to the HIPAA Security Rule, a final rule for which is expected at some point this year, will help to reduce the number of third-party breaches through more prescriptive security requirements for business associates and requiring greater vendor oversight by covered entities to ensure that security measures are implemented.
Each year, the number of real-world security incidents analyzed by Verizon continues to increase, and this year was no exception. The report covers more than 31,000 incidents, including 22,000 confirmed data breaches. GenAI tools are increasingly used by threat actors to accelerate and increase the volume of attacks. GenAI is being used at various stages of the process, including choosing targets, researching vulnerabilities, developing malware, gaining a foothold in networks, and making their campaigns more efficient and effective.
Overall, across all sectors, system intrusions continue to be the top breach pattern, with ransomware the primary driver. Last year, stolen credentials were the top entry point, but this year, this long-standing common attack vector has been overtaken by vulnerability exploitation. This is the first time in Verizon’s 19 years of producing its DBIR reports that vulnerability exploitation has topped the list. Verizon attributes this change to the use of AI by attackers, which has helped them accelerate the time to exploit known vulnerabilities. Defenders now have far less time to remediate vulnerabilities. While the time from disclosure to exploitation used to be measured in months, vulnerabilities are now being exploited in hours.
Ransomware continues to be a key driver of intrusions. Ransomware-related intrusions grew in volume again and now account for 48% of all breaches, up from 44% last year, although the percentage of victims paying a ransom is decreasing, as is the median ransom payment. In the past year, 69% of victims chose not to pay the ransom, and the median ransom payment fell from $150,000 to $139,875.
Awareness about email phishing has grown, making this attack technique less successful. Threat actors have responded by pivoting to mobile-centric social engineering techniques such as text messages (smishing) and voice phishing (vishing), where the success rate is 40% higher than traditional email phishing. Verizon warns that the easy availability of GenAI tools is creating a significant data security risk. Employees are increasingly using genAI tools without the knowledge or approval of the IT department. The massive increase in shadow GenAI use creates a significant risk of data exfiltration through unapproved platforms. This is particularly concerning for regulated sectors such as healthcare.
“While the velocity of cyber threats—driven by AI and faster vulnerability exploitation—is increasing, the foundational principles of security and strong risk management remain the most effective defense,” said Daniel Lawson, SVP Global Solutions, Verizon Business. “The DBIR reinforces that these fundamentals still hold as organizations strive for resilience.”
