A new report identifies healthcare as a top-risk sector for data breaches and ransomware, with human error involved in most breaches.
Cyberattacks in the healthcare sector are increasingly taking the form of systemic events, according to the Cowbell 2026 Claims Report. These large-scale events, such as those involving Change Healthcare and TriZetto, demonstrate how vulnerabilities in a single vendor can impact thousands of organizations simultaneously.
The report, which analyzes 18 months of incident data, identifies healthcare as among the higher-risk sectors. Critical patient care systems create operational urgency that threat actors exploit to increase ransom demands. These pressures, combined with Health Insurance Portability and Accountability Act requirements, often result in longer recovery periods for healthcare organizations compared to other industries.
Primary Incident Types Driving Claims
Cowbell’s data reveals three primary incident types driving claim frequency: data breaches (33.5%), cybercrime (31.8%), and extortion events (18.3%). Data breaches typically involve unauthorized access to sensitive information, often through stolen credentials or system vulnerabilities.
Cybercrime incidents, including business email compromise (BEC), exploit human trust through impersonation and social engineering to fraudulently obtain funds. Extortion events, such as ransomware, threaten operational stability by encrypting data and demanding payment. The report notes that these attacks are evolving into “double-extortion” schemes where hackers also threaten to leak sensitive patient information.
The Role of Human Error and Artificial Intelligence
The human element remains a significant vulnerability, with 74% to 95% of breaches involving human error. Phishing and spoofing are the most prevalent entry points for threat actors. In 2025, there were approximately 3.8 million phishing attacks globally.
Threat actors are increasingly using artificial intelligence to refine scam tactics, making fraudulent messages more convincing and harder to detect. Variants such as smishing (text messages) and vishing (phone calls) expand these risks across multiple channels to bypass security protocols.
Threat Actor Focus and Ransomware Trends
While ransomware remains a consistent threat, representing 19% of claims in Cowbell’s data from 2022 and 2025, average ransom payments have decreased by approximately 44%. This decline reflects more effective claims handling and stronger negotiation strategies. Cowbell reports reducing ransom amounts by an average of 65% through negotiations.
Identified threat actor groups include:
- Akira (38.8%):Â Uses double extortion to target small and mid-sized enterprises via virtual private network and remote access exploitation.
- Qilin (14.2%):Â A ransomware as a service group that uses data exfiltration and encryption against high-value targets.
- RansomHub (3.7%):Â Enables affiliates to conduct fast-moving, opportunistic attacks.
Predictions for 2026
The report anticipates several trends for the remainder of 2026, including the emergence of younger threat actors driven by financial gain. The report notes that organizations may face continued targeting due to outdated security controls, such as legacy systems and weak authentication.
Additionally, litigation exposure is expected to grow, with an increase in third-party claims and class actions following inadequate security disclosures. Business interruption and contingent business interruption remain primary drivers of insurance losses due to supply chain dependencies and extended downtime.
To mitigate these risks, the report suggests implementing multi-layered defenses, including multi-factor authentication, employee cybersecurity training, and rapid threat detection capabilities.
ID 412919837 © PhotoPawel | Dreamstime.com
