What the 2025 healthcare cybersecurity claims data reveals

A new Resilience report breaks down the threat landscape and the five controls measurably reducing risk in healthcare.

3 Min Read

Healthcare organizations are absorbing more cyber risk than ever, and the claims data tells a more specific story than the headlines. Resilience has just released The State of Healthcare Cybersecurity: Risk Trends and Proven Controls for 2025, a new report drawing on portfolio-level analysis of healthcare cyber incidents from 2023 through the first half of 2025. The findings identify which threats are actually driving losses, where defenders are gaining ground, and which controls are measurably moving the needle on value at risk. The full report is available now—download it here.

A sector under sustained pressure

The headline numbers from 2024 set the stage. The U.S. healthcare sector saw 275 million records breached, more than double the prior year and the largest healthcare data exposure in U.S. history. Ransomware attacks against the sector climbed 32%, and a single vendor incident at Change Healthcare exposed an estimated 190 million records and disrupted care delivery nationwide.

Resilience’s portfolio data adds dimension to those headlines. Average severity of incurred losses per healthcare claim shifted meaningfully between 2023 and 2024, and early signals from 2025 suggest severity is climbing again. In the first half of the year, extortion demands in healthcare-related incidents reached as high as $4 million—costs that take on a different weight when patient care is at stake. The report unpacks the year-over-year severity trend and what it suggests about how attacks against healthcare are evolving.

Where the losses are actually coming from

The report walks through what is driving material loss inside the Resilience portfolio, and the answer is less about exotic zero-days than about the human layer. Social engineering drove 88% of material losses across the portfolio in the first half of 2025, and healthcare-specific claims followed the same pattern. Phishing, business email compromise, and vendor compromise show up repeatedly in the underlying incident data, alongside backup gaps that leave organizations exposed when ransomware lands and tracking pixel errors that quietly expose patient information.

The threat actor landscape is also more distributed than the most visible groups suggest. While BlackCat and Cl0p appeared most frequently in healthcare-related activity, the intrusions that actually succeeded were spread more evenly across actors like Interlock, LockBit, and Medusa. That distribution suggests healthcare defenders may be hardening against the loudest names while remaining exposed to lesser-known operators.

Five controls that are moving the needle

The most actionable section of the report identifies five controls and processes delivering the highest measurable risk reduction in healthcare environments. They are not exotic. They are not expensive. They are the kind of practices most healthcare organizations can implement without a transformational budget request, and the data shows they meaningfully reduce value at risk. The report walks through each one, why it matters specifically in healthcare, and what the portfolio data shows about its impact.

Two additional findings stand out. Immutable backups deliver stronger risk reduction in healthcare than in other industries on average, and organizations with a formal data governance committee see more than three times the risk reduction compared to peers in other sectors. These findings echo the broader argument we have been making in our work on quantifying cyber risk for strategic business alignment: that the highest-impact security investments are knowable, and they are often the ones that get deprioritized.

Two organizations, two outcomes

The report closes with a pair of contrasting case studies. One is a mid-sized regional health system that believed its security posture was stronger than it turned out to be, and discovered the gap the hard way during a major incident—including the discovery that clinical imaging files had been left out of its backup strategy. The other is a mid-market biotechnology firm that built a quantified, prioritized cyber risk program and was able to redirect security spending toward the controls with the highest return. The contrast is the argument: healthcare organizations have a growing body of evidence about what works, and the ones acting on it are pulling ahead of their peers.

Read the full report

If you lead security, finance, or risk at a healthcare organization, the full report is built for you. It covers the underlying claims trends, the five high-ROI controls in detail, the case studies, and a practical framework for translating cyber risk into financial terms your board will understand. Download The State of Healthcare Cybersecurity here.
