
HiveForce Labs · Threat Advisory · Attack Report
A comprehensive threat analysis of U.S. healthcare from January 2025 to June 2026 — tracking 35 disclosed breaches, 37 exploited CVEs, and ~233 million exposed records. Ransomware crews including Interlock, Medusa, and Anubis industrialised double-extortion across hospitals, dialysis chains, and blood banks while nation-state actor Lazarus adopted Medusa RaaS. Change Healthcare alone exposed 190 million individuals — the largest health-data breach ever recorded.
Section 01
The U.S. healthcare sector remained the most relentlessly targeted slice of American critical infrastructure across the reporting window. The Change Healthcare breach (ALPHV/BlackCat) produced the largest health-data breach on record — 190 million individuals' PHI and ~6 TB of data exfiltrated — while Interlock, Medusa, and Anubis industrialised double-extortion against hospitals, dialysis chains, and blood banks. Exploitation gravitated to the exposed perimeter: VPNs, firewalls, and gateways accounted for the largest share of weaponised CVEs (12 of 37), with medical IoT and supply-chain compromises widening the blast radius. Critically, 78% of exploited CVEs were already in CISA's KEV catalogue and 92% had a patch available — the damage stems from patch lag, not novel zero-days.
UnitedHealth / Change Healthcare: ~$22M ransom paid; total breach impact escalated past ~$2.45B.
Medusa (Spearwing): Ransom demands of $100,000–$15,000,000 per victim.
Section 02
U.S. healthcare was compromised through two recurring routes: its exposed network perimeter and its web of third-party partners. The overwhelming majority of disclosed damage came from ransomware crews running double-extortion playbooks and from breaches at the vendors, clearinghouses, and business associates that healthcare providers depend on.
Change Healthcare: The Defining Incident
ALPHV/BlackCat struck UnitedHealth's claims-clearing subsidiary, exfiltrating 190M individuals' PHI and ~6 TB of data — the largest healthcare breach on record. A ~$22M ransom was paid; RansomHub re-extorted the same data. Total impact exceeded $2.45B. Because Change Healthcare processes a large share of U.S. medical claims, a single intrusion disrupted pharmacy and provider payments nationwide.
Interlock, Medusa & Anubis: Industrial-Scale Ransomware
Interlock — 5 appearances — hit DaVita (~2.7M records, ~1.5 TB stolen), Kettering Health (system-wide outage, 14 centers), and Brockton and Legacy community health orgs. Medusa (Spearwing) claimed 40+ victims in early 2025 with demands of $100K–$15M. Anubis combined encryption with file destruction, making data recovery impossible even after ransom payment.
Supply-Chain Blast Radius
BPO provider Conduent disclosed 15.5M (TX) and 10.5M (OR) individuals affected. Episource lost 5.4M records including downstream client Sharp Healthcare. TriZetto (Cognizant) exposed 3.4M; Oracle Health saw EHR data stolen from multiple hospitals. Ascension was breached via Black Basta (~5.6M) and a former business partner — illustrating how risk extends beyond an org's own walls.
Perimeter & Credential Theft
Internet-facing Fortinet, Ivanti, Citrix, and Palo Alto appliances were the dominant initial-access vector. CVE-2024-55591 (Fortinet auth-bypass) was the single most-referenced CVE. RMM tools (SimpleHelp, AnyDesk, MeshAgent) were repeatedly abused for hands-on-keyboard access. Information stealers — Lumma, StealC, Rhadamanthys — accounted for 24% of malware and harvested the credentials seeding later intrusions.
Medical IoT & Unmanaged Devices
7 of 37 CVEs targeted cameras, DVRs, and embedded firmware. CISA flagged a Contec CMS8000 patient monitor backdoor beaconing to a China-linked IP. Hikvision devices (4 CVEs) were among the most-exploited products — a perimeter problem compounded by unmanaged devices sitting deep in clinical environments.
Emerging Signals: Nation-State & SEC Materiality
Lazarus Group's adoption of Medusa RaaS marked a convergence of nation-state tradecraft with criminal ransomware infrastructure. The FBI warned of social-engineering campaigns impersonating fraud investigators. West Pharmaceutical's breach was declared "material" in an SEC filing. Sinobi went from unknown to 54 claimed healthcare victims in early 2026.
Change Healthcare
ALPHV/BlackCat — 190M records, largest healthcare breach on record.
OneBlood
Ransomware disrupts major blood-supply network; donation logistics offline.
Interlock Emerges
Systematic targeting of U.S. healthcare providers begins (Brockton, Legacy).
Contec CMS8000
CISA flags embedded firmware backdoor in patient monitors beaconing to China-linked IP.
DaVita
Interlock exfiltrates ~2.7M records / ~1.5 TB from the dialysis giant.
Ascension
Black Basta intrusion; ~5.6M individuals, clinical disruption across hospitals.
Conduent
BPO breach cascades — 10.5M+ (OR) / 15.5M+ (TX) individuals affected.
Lazarus × Medusa
Nation-state actor adopts Medusa RaaS against U.S. healthcare & non-profits.
West Pharmaceutical
Data theft + encryption; declared 'material' in an SEC filing.
78% of weaponised CVEs are in CISA's KEV catalogue and 92% have a patch available — most damage stems from patch lag. The 16 zero-days cluster in edge appliances (Fortinet, Ivanti, Citrix, Palo Alto), underscoring why perimeter devices demand the fastest patch SLAs.
| CVE ID | Vulnerability | Product | 0-Day | KEV | Patch |
|---|---|---|---|---|---|
| CVE-2026-22769 | Hard-coded Credentials | Dell RecoverPoint VMs | ✓ | ✓ | ✓ |
| CVE-2019-0604 | Remote Code Execution | Microsoft SharePoint | – | ✓ | ✓ |
| CVE-2022-42475 | Heap-Based Buffer Overflow | Fortinet FortiOS | ✓ | ✓ | ✓ |
| CVE-2024-23113 | Format String Vulnerability | Fortinet Multiple Products | – | ✓ | ✓ |
| CVE-2024-55591 | Authorization Bypass | FortiOS / FortiProxy | ✓ | ✓ | ✓ |
| CVE-2026-24858 | Auth Bypass via Alternate Path | Fortinet Multiple Products | ✓ | ✓ | ✓ |
| CVE-2024-21887 | Command Injection | Ivanti Connect Secure / Policy Secure | ✓ | ✓ | ✓ |
| CVE-2025-0282 | Stack-Based Buffer Overflow | Ivanti Connect Secure / Policy Secure / ZTA | ✓ | ✓ | ✓ |
| CVE-2026-1281 | Code Injection | Ivanti EPMM | ✓ | ✓ | ✓ |
| CVE-2025-5777 | Out-of-Bounds Read (CitrixBleed 2) | Citrix NetScaler Gateway | ✓ | ✓ | ✓ |
| CVE-2024-24919 | Information Disclosure | Check Point Security Gateway | ✓ | ✓ | ✓ |
| CVE-2024-3400 | Command Injection | Palo Alto PAN-OS | ✓ | ✓ | ✓ |
| CVE-2026-1731 | OS Command Injection | BeyondTrust RS / PRA | – | ✓ | ✓ |
| CVE-2017-7921 | Improper Authentication | Hikvision Multiple Products | ✓ | ✓ | ✓ |
| CVE-2021-36260 | Improper Input Validation | Hikvision Multiple Products | – | ✓ | ✓ |
| CVE-2023-6895 | Command Injection | Hikvision Intercom System | – | – | ✓ |
| CVE-2025-34067 | Remote Command Execution | Hikvision ISMP | – | – | ✓ |
| CVE-2021-33044 | Authentication Bypass | Dahua IP Camera Firmware | – | ✓ | ✓ |
| CVE-2024-3721 | OS Command Injection | TBK DVR-4104 / DVR-4216 | – | – | – |
| CVE-2026-20131 | Deserialization of Untrusted Data | Cisco Secure FMC | ✓ | ✓ | ✓ |
| CVE-2025-31324 | Unrestricted File Upload | SAP NetWeaver | ✓ | ✓ | ✓ |
| CVE-2025-61882 | Unspecified RCE | Oracle E-Business Suite | ✓ | ✓ | ✓ |
| CVE-2021-35587 | Unspecified Vulnerability | Oracle Fusion Middleware / Access Manager | – | ✓ | ✓ |
| CVE-2024-37085 | Authentication Bypass | VMware ESXi | – | ✓ | ✓ |
| CVE-2023-27532 | Missing Authentication | Veeam Backup & Replication Cloud Connect | – | ✓ | ✓ |
| CVE-2025-34291 | Origin Validation Error | Langflow | – | ✓ | ✓ |
| CVE-2026-33017 | Code Injection | Langflow | – | ✓ | ✓ |
| CVE-2025-29927 | Middleware Bypass | Next.js | – | – | ✓ |
| CVE-2025-55182 | Remote Code Execution | React Server Components (Meta) | – | ✓ | ✓ |
| CVE-2025-54068 | Code Injection | Laravel Livewire | – | ✓ | ✓ |
| CVE-2025-68613 | Dynamically-Managed Code Control | n8n | – | ✓ | ✓ |
| CVE-2025-52691 | Unrestricted File Upload | SmarterTools SmarterMail | – | ✓ | ✓ |
| CVE-2026-33634 | Embedded Malicious Code | Aquasecurity Trivy / setup-trivy | – | ✓ | ✓ |
| CVE-2025-9316 | Unauthenticated SessionID Generation | N-able N-central | – | – | ✓ |
| CVE-2017-17215 | Remote Code Execution | Huawei HG532 | ✓ | – | – |
| CVE-2025-7771 | Privilege Escalation | TechPowerUp ThrottleStop.sys | ✓ | – | – |
| CVE-2026-45321 | Embedded Malicious Code | TanStack Router npm Packages | – | – | ✓ |
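To turn the table above into a patch queue rather than a reading exercise, the script below parses it and reproduces the advisory's headline figures (16 zero-days, 78% in KEV, 92% with a patch) before ranking the entries. This is an added example, not HiveForce Labs code: CVE_TABLE is the advisory's own table pasted verbatim, while the three priority tiers (no fix available, in KEV with a fix, fix available but not yet in KEV) are this example's assumption, not a ranking the report defines.

```python
"""Rank the advisory's exploited CVEs by exposure and fix availability.

Added example, not HiveForce Labs code. CVE_TABLE is the advisory's Section 02
table verbatim; the priority tiers below are this example's own assumption.
"""
from dataclasses import dataclass

CVE_TABLE = """\
| CVE ID | Vulnerability | Product | 0-Day | KEV | Patch |
|---|---|---|---|---|---|
| CVE-2026-22769 | Hard-coded Credentials | Dell RecoverPoint VMs | ✓ | ✓ | ✓ |
| CVE-2019-0604 | Remote Code Execution | Microsoft SharePoint | – | ✓ | ✓ |
| CVE-2022-42475 | Heap-Based Buffer Overflow | Fortinet FortiOS | ✓ | ✓ | ✓ |
| CVE-2024-23113 | Format String Vulnerability | Fortinet Multiple Products | – | ✓ | ✓ |
| CVE-2024-55591 | Authorization Bypass | FortiOS / FortiProxy | ✓ | ✓ | ✓ |
| CVE-2026-24858 | Auth Bypass via Alternate Path | Fortinet Multiple Products | ✓ | ✓ | ✓ |
| CVE-2024-21887 | Command Injection | Ivanti Connect Secure / Policy Secure | ✓ | ✓ | ✓ |
| CVE-2025-0282 | Stack-Based Buffer Overflow | Ivanti Connect Secure / Policy Secure / ZTA | ✓ | ✓ | ✓ |
| CVE-2026-1281 | Code Injection | Ivanti EPMM | ✓ | ✓ | ✓ |
| CVE-2025-5777 | Out-of-Bounds Read (CitrixBleed 2) | Citrix NetScaler Gateway | ✓ | ✓ | ✓ |
| CVE-2024-24919 | Information Disclosure | Check Point Security Gateway | ✓ | ✓ | ✓ |
| CVE-2024-3400 | Command Injection | Palo Alto PAN-OS | ✓ | ✓ | ✓ |
| CVE-2026-1731 | OS Command Injection | BeyondTrust RS / PRA | – | ✓ | ✓ |
| CVE-2017-7921 | Improper Authentication | Hikvision Multiple Products | ✓ | ✓ | ✓ |
| CVE-2021-36260 | Improper Input Validation | Hikvision Multiple Products | – | ✓ | ✓ |
| CVE-2023-6895 | Command Injection | Hikvision Intercom System | – | – | ✓ |
| CVE-2025-34067 | Remote Command Execution | Hikvision ISMP | – | – | ✓ |
| CVE-2021-33044 | Authentication Bypass | Dahua IP Camera Firmware | – | ✓ | ✓ |
| CVE-2024-3721 | OS Command Injection | TBK DVR-4104 / DVR-4216 | – | – | – |
| CVE-2026-20131 | Deserialization of Untrusted Data | Cisco Secure FMC | ✓ | ✓ | ✓ |
| CVE-2025-31324 | Unrestricted File Upload | SAP NetWeaver | ✓ | ✓ | ✓ |
| CVE-2025-61882 | Unspecified RCE | Oracle E-Business Suite | ✓ | ✓ | ✓ |
| CVE-2021-35587 | Unspecified Vulnerability | Oracle Fusion Middleware / Access Manager | – | ✓ | ✓ |
| CVE-2024-37085 | Authentication Bypass | VMware ESXi | – | ✓ | ✓ |
| CVE-2023-27532 | Missing Authentication | Veeam Backup & Replication Cloud Connect | – | ✓ | ✓ |
| CVE-2025-34291 | Origin Validation Error | Langflow | – | ✓ | ✓ |
| CVE-2026-33017 | Code Injection | Langflow | – | ✓ | ✓ |
| CVE-2025-29927 | Middleware Bypass | Next.js | – | – | ✓ |
| CVE-2025-55182 | Remote Code Execution | React Server Components (Meta) | – | ✓ | ✓ |
| CVE-2025-54068 | Code Injection | Laravel Livewire | – | ✓ | ✓ |
| CVE-2025-68613 | Dynamically-Managed Code Control | n8n | – | ✓ | ✓ |
| CVE-2025-52691 | Unrestricted File Upload | SmarterTools SmarterMail | – | ✓ | ✓ |
| CVE-2026-33634 | Embedded Malicious Code | Aquasecurity Trivy / setup-trivy | – | ✓ | ✓ |
| CVE-2025-9316 | Unauthenticated SessionID Generation | N-able N-central | – | – | ✓ |
| CVE-2017-17215 | Remote Code Execution | Huawei HG532 | ✓ | – | – |
| CVE-2025-7771 | Privilege Escalation | TechPowerUp ThrottleStop.sys | ✓ | – | – |
| CVE-2026-45321 | Embedded Malicious Code | TanStack Router npm Packages | – | – | ✓ |
"""


@dataclass(frozen=True)
class Cve:
    cve_id: str
    weakness: str
    product: str
    zero_day: bool          # exploited before a fix existed
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalogue
    patch_available: bool


def parse_table(text: str) -> list[Cve]:
    """Parse the markdown table; header and separator rows fail the CVE- check."""
    cves = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[0].startswith("CVE-"):
            continue
        flags = [c == "✓" for c in cells[3:]]      # "–" means no
        cves.append(Cve(cells[0], cells[1], cells[2], *flags))
    return cves


def summarise(cves: list[Cve]) -> dict:
    """Recompute the advisory's headline numbers from the rows themselves."""
    n = len(cves)
    kev = sum(c.in_kev for c in cves)
    patched = sum(c.patch_available for c in cves)
    return {"total": n, "zero_day": sum(c.zero_day for c in cves),
            "in_kev": kev, "patch_available": patched,
            "kev_pct": round(100 * kev / n), "patch_pct": round(100 * patched / n)}


def tier(c: Cve) -> int:
    """Assumed tiers: 0 = exploited, no vendor fix (isolate/mitigate now);
    1 = in KEV with a fix (hard patch deadline); 2 = fix exists, not in KEV."""
    if not c.patch_available:
        return 0
    return 1 if c.in_kev else 2


def triage(cves: list[Cve]) -> list[Cve]:
    """Stable sort: lowest tier first, zero-days ahead of others within a tier."""
    return sorted(cves, key=lambda c: (tier(c), not c.zero_day))


if __name__ == "__main__":
    rows = parse_table(CVE_TABLE)
    print(summarise(rows))
    for c in triage(rows):
        print(f"tier {tier(c)}  {c.cve_id:<15} {'0-day' if c.zero_day else '     '}  {c.product}")
```

Tier 0 is deliberately small (three rows) and is the list to walk to network and asset owners the same day: with no fix available, the only options are compensating controls or removal from the network. Swap the pasted table for your own scanner export once the format is the same six columns.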
Section 03
Prioritise Edge & Perimeter Patching
12 of 37 CVEs hit VPNs, firewalls, and gateways (Fortinet, Ivanti, Citrix, Palo Alto). Patch internet-facing appliances on an emergency cadence and retire EOL devices. CVE-2024-55591 is the most-referenced entry point into healthcare networks.
Govern RMM and Third-Party Access
Breaches trace repeatedly to business associates and RMM tooling (SimpleHelp, AnyDesk, MeshAgent). Inventory RMM tools, enforce allow-listing and phishing-resistant MFA, and contractually mandate breach SLAs from vendors handling PHI.
Harden Against Double-Extortion Ransomware
Interlock, Medusa, and Anubis exfiltrate before encrypting. Maintain offline immutable backups, segment clinical networks, and rehearse downtime procedures. Anubis also destroys files — backups are non-negotiable.
Defend Medical IoT and Devices
7 of 37 CVEs affect cameras, DVRs, and firmware (Hikvision, Dahua, Contec). Place medical/IoT devices on isolated VLANs, monitor egress for anomalous beaconing, and validate firmware integrity regularly.
Counter the Supply-Chain Blast Radius
Single vendor compromises (Change Healthcare, Conduent, Episource, TriZetto) cascaded to tens of millions. Map fourth-party dependencies, require SBOMs from critical SaaS and BPO providers, and treat your supply chain as an extension of your own attack surface.
Section 04
Representative SHA256, SHA1, and MD5 hashes associated with confirmed malware samples across the ransomware families and information-stealer campaigns targeting U.S. healthcare. Block at endpoint, email, and network controls.
| Attack / Malware | Type | Hash Values (representative sample) |
|---|---|---|
| Interlock | SHA256 | 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9 33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9 b85586f95412bc69f3dceb0539f27c79c74e318b249554f0eace45f3f073c039 a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f |
| Medusa | SHA256 | 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6 657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980 7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95 9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270 1bad2b6e8ab16c5a692b2d05f68f7924a73a5818ddf3a9678ca8caab3568a78e |
| Anubis | SHA256 | 98a76aacbaa0401bac7738ff966d8e1b0fe2d8599a266b111fdc932ce385c8ed |
| The Gentlemen | SHA1 / SHA256 | SHA1: c12c4d58541cc4f75ae19b65295a52c559570054 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 |
| ELENOR-corp (Mimic) | SHA256 | 5b2274daaabb293187b0a75c15247474511524850384ce2cfa5f0ba01344bea5 |
| Vect | SHA256 | a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2 58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06 |
| ALPHV / BlackCat | MD5 / SHA256 / SHA1 | MD5: 944153fb9692634d6c70899b83676575, efc80697aa58ab03a10d02a8b00ee740, c90abb4bbbfe7289de6ab1f374d0bcbe SHA256: 1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5 af28b78c64a9effe3de0e5ccc778527428953837948d913d64dbd0fa45942021 SHA1: 3dd0f674526f30729bced4271e6b7eb0bb890c52, d6d442e8b3b0aef856ac86391e4a57bcb93c19ad |
| Lumma Stealer | SHA256 | 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd 01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f 65e1a8e550df1000eb91a7b679cf586efab0f24385b810f50349d50eb80ae806 |
| AsyncRAT | SHA256 | 0054a0b839de6c8261a2f7ec0bd0efdcf2eb28161db6e6354ef94709c99b40c3 398bf921701c72139dfa6d11b2eb41810170eaf847cc73f16ff00c8f86d6d30a 7afcf780cb130e2d294e7eca704cb2914d50c738748da431ee275dacc3e5344e 6d240a48b5e2d1cf761a8b48b146d20729d0a7a3a557e31e75ed4c120ce71aea |
| Rhadamanthys | SHA256 | 0054a0b839de6c8261a2f7ec0bd0efdcf2eb28161db6e6354ef94709c99b40c3 7afcf780cb130e2d294e7eca704cb2914d50c738748da431ee275dacc3e5344e b9ad234abeb1490f2c2d28dd2387f0575ba5128ebb799741b1f3179622204175 c7ca2f9065557a6d8fb0c02c75804d386b77ffca4466678b201c09e916afa096 |
| Sinobi | SHA256 | 1b2a1e41a7f65b8d9008aa631f113cef36577e912c13f223ba8834bbefa4bd14 |
| Akira | SHA256 | d5558ec7979a96fe1ddcb1f33053a1ac3416a9b65d4f27b5cc9fd0a816296184 2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643 99c1cd740fa749a163ce8cdf93722191c4ba5d97de81576623a8bbcb622473d6 678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33 |
| INC | SHA256 | fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced |
Section 05
CVE-2024-55591 was the most-referenced CVE.
Section 06