THE FOWLER GROUP  |  CYBER BRIEF  |  HEALTHCARE EDITION

This brief distills the FBI’s 2025 Internet Crime Report for healthcare security leaders, compliance officers, and CISOs. Healthcare and Public Health remains the most targeted critical infrastructure sector for ransomware, and the data below provides a comprehensive, data-driven view of the threat landscape facing your organization.

1,008,597 Total Complaints

$20.9B Total Losses

+26% YoY Loss Increase

$20,699 Average Loss

National Threat Overview

The FBI’s Internet Crime Complaint Center (IC3) received 1,008,597 complaints in 2025—the first time the million-complaint threshold has been crossed—with reported losses totaling $20.877 billion, a 26% increase over 2024. The average reported loss was $20,699 per complaint.

Investment fraud dominated at $8.6 billion, followed by business email compromise ($3.0B), tech/customer support scams ($2.1B), personal data breaches ($1.3B), and confidence/romance fraud ($929M). Cryptocurrency was involved in $11.4 billion in total losses, up 22% year over year. Phishing/spoofing was the highest-volume crime type by count (191,561 complaints).

Ransomware Landscape

IC3 received 3,611 ransomware complaints with $32 million in directly reported losses—a figure the FBI acknowledges significantly understates true costs because many entities do not report lost business, time, wages, files, equipment, or third-party remediation. The top 10 reported variants (Akira, Qilin, INC/Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, SAFEPAY, Medusa) accounted for 56.8% of all incidents. IC3 identified 63 new variants in 2025, averaging over five new strains per month.

Healthcare Sector Ransomware & Data Breach Exposure

Healthcare and Public Health recorded the highest combined cyber threat reporting among all 16 critical infrastructure sectors in 2025, with 460 ransomware complaints and 182 data breach complaints—a combined 642 incidents, more than any other sector. Critical Manufacturing (355 ransomware / 52 data breach) and Government Facilities (258 / 189) were the next most impacted.

The top 10 ransomware variants—Akira, Qilin, INC/Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, SAFEPAY, and Medusa—accounted for 56.8% of all ransomware incidents reported to IC3. These variants disproportionately targeted Healthcare and Public Health, Critical Manufacturing, and Government Facilities. IC3 identified 63 new ransomware variants in 2025 (averaging 5.25 per month), meaning healthcare defenders must continuously update detection signatures and threat models.

The $32 million in directly reported ransomware losses significantly understates the true cost. The FBI notes that reported figures typically exclude lost business, time, wages, files, equipment, and third-party remediation services. Many entities report no loss amount at all, and the IC3 number does not capture entities reporting directly to FBI field offices rather than IC3.

Data breaches as a distinct crime type generated 3,963 complaints and $435 million in losses nationally. Personal data breach—which encompasses PHI exposure and unauthorized access to patient records—added 67,456 complaints and $1.3 billion in losses. For covered entities and business associates under HIPAA, these two categories together represent a combined $1.75 billion exposure surface.

The BlackSuit (Royal) ransomware group specifically targeted healthcare and public health in 2025. IC3 provided victim information to FBI field offices for notification and assistance. In August 2025, the DOJ announced coordinated disruption actions against BlackSuit involving multiple domestic and foreign law enforcement partners.

Business Email Compromise & Financial Fraud

BEC generated $3.046 billion in losses from 24,768 complaints nationally in 2025. For healthcare organizations, BEC manifests in compromised vendor invoicing, diverted insurance payments, and fraudulent wire instructions for construction, equipment, and service contracts. Wire transfer and ACH were the dominant transaction types in BEC (86% of reported transactions).

The IC3 Recovery Asset Team’s Financial Fraud Kill Chain (FFKC) achieved a 60% success rate for healthcare-sector incidents specifically, freezing fraudulent transfers before funds were permanently lost. Across all sectors, the FFKC processed 3,900 incidents and froze $679 million of $1.16 billion in attempted theft (58% overall success rate). The key variable is speed: immediate IC3 reporting upon discovering a fraudulent transfer dramatically increases recovery probability.

Account Takeover (ATO) fraud generated approximately 4,700 complaints and $359.7 million in losses nationally. ATO of email accounts used by healthcare administrators, billing departments, and vendor management teams is frequently the entry point for BEC—attackers monitor email threads and inject fraudulent payment instructions at critical moments.

Real estate fraud ($275 million in losses, 12,368 complaints) is relevant to healthcare organizations involved in facility acquisitions, construction projects, and lease negotiations where wire transfers are common closing mechanisms.

Elder Fraud & Patient Population Risk

Individuals aged 60 and older filed 201,266 complaints with $7.748 billion in losses—a 59% increase from 2024 and 37% of all reported losses. The average loss was $38,500, with 12,444 complainants losing more than $100,000 each. For healthcare organizations, this data has direct operational relevance: elderly patients are disproportionately targeted, and the financial and emotional toll of fraud compounds clinical outcomes.

The top loss categories for the 60+ demographic were investment fraud ($3.5B), tech/customer support ($1.04B), confidence/romance ($584M), BEC ($568M), and government impersonation ($413M). Tech support and government impersonation schemes exploit trust in institutional authority—a dynamic healthcare organizations should address in patient engagement and caregiver communications.

Cryptocurrency losses among the 60+ group totaled $4.4 billion, with 44,555 complaints—the highest complaint count of any age group for crypto-related fraud. Crypto ATM/kiosk fraud specifically generated $257 million in losses from the 60+ demographic, often driven by tech support and government impersonation scams that direct victims to crypto ATMs.

The FBI’s Operation Level Up identified 38 cryptocurrency investment fraud victims referred to Victim Specialists for suicide intervention in 2025. Several victims’ finances needed for serious medical treatments were saved through FBI intervention. The intersection of financial fraud and mental health crisis is a clinical reality that healthcare providers should be aware of, particularly in primary care and behavioral health settings.

Gold courier scams generated approximately 725 complaints and $311.8 million in losses, targeting elderly victims through tech support and government impersonation schemes that direct victims to convert savings to gold and hand it to couriers. This emerging physical-world fraud vector may present as financial exploitation in clinical settings.

AI-Enabled Threats to Healthcare

Over 22,364 IC3 complaints referenced artificial intelligence, with $893 million in associated losses. AI is being used across multiple fraud categories relevant to healthcare:

BEC with AI: Chat generators create convincing emails impersonating executives, and voice cloning is used to authorize wire payments. Businesses reported over $30 million in AI-enabled BEC losses. For healthcare organizations with complex vendor ecosystems, AI-enhanced BEC is increasingly difficult to detect through traditional email security controls.

Investment fraud with AI ($632 million in AI-linked losses): AI-generated videos and voices of celebrities and trusted figures are used to create fraudulent investment opportunities. Healthcare executives and physicians with disposable income are targeted through social media and messaging platforms.

Employment fraud with AI ($13 million): Voice deepfakes during online interviews allow applicants to misrepresent their identity. While the primary goal appears to be gaining access to private networks, this vector is relevant to healthcare organizations hiring remote IT, coding, or administrative staff.

Confidence/romance scams with AI ($19 million): AI chat generators create more believable personas and conversations. Voice cloning is used in “distress” or grandparent scams ($5 million in losses), which are evolving to mimic various family members in emergency scenarios—a vector that may affect healthcare workers during shifts.

Sextortion & Workforce Impact

IC3 received more than 75,000 sextortion submissions in 2025. While the highest volume affected the 20–29 age range (22,061 complaints), the 60+ group reported the highest financial losses at $14.9 million. For healthcare organizations, sextortion targeting staff can result in compromised credentials, susceptibility to further coercion, and workplace safety concerns. The FBI notes that shame and fear often prevent victims from seeking help.

DPRK IT Worker Threat

IC3 identified dozens of victim companies of the DPRK IT worker scam. North Korean operatives obtained remote IT positions at U.S. companies, then leveraged access to exfiltrate proprietary data and facilitate cyber-criminal activity. For healthcare organizations with remote IT staff, telehealth developers, or outsourced technical functions, rigorous identity verification during hiring—including live on-camera interviews and background validation—is essential. The FBI published two advisories on this threat in 2025.

Cryptocurrency as a Fraud Mechanism

Cryptocurrency was referenced in 181,565 complaints with $11.366 billion in total losses, a 22% increase from 2024. For healthcare, the most relevant cryptocurrency vectors are: tech support scams directing patients and staff to crypto ATMs ($389 million in crypto ATM losses overall, 58% increase YoY); investment fraud using fake crypto platforms ($7.2 billion); and recovery scams targeting previous fraud victims ($1.4 billion in losses from 10,516 complaints).

Recovery scams are particularly insidious: victims of an initial fraud are contacted by individuals impersonating government officials or recovery firms who promise to retrieve lost funds in exchange for upfront fees paid in cryptocurrency. IC3 reported increasing complaints involving impersonation of government officials and fictitious law firms in this category.

Regulatory & Compliance Implications

The HHS OCR HIPAA Security Rule NPRM proposes stricter incident reporting and risk analysis requirements. The IC3 data—particularly the 460 ransomware complaints and 642 combined cyber threat incidents against Healthcare/Public Health, the highest of any CI sector—provides a concrete, quantitative baseline for boards, compliance committees, and risk assessments.

The FBI’s recommendation to establish and maintain offline/offsite encrypted immutable backups, eliminate default credentials, segment networks, enable MFA, and maintain timely patching aligns directly with the HIPAA Security Rule’s administrative, physical, and technical safeguard requirements. Organizations that can document alignment with these FBI recommendations strengthen their reasonable safeguards defense.

Investment fraud losses ($8.6B overall) increasingly affect healthcare executives and physicians, a workforce awareness dimension worth incorporating into annual HIPAA training alongside phishing and social engineering modules.

Recommended Actions

• Prioritize detection and patching for Akira, Qilin, INC/Lynx/Sinobi, BianLian, and Play—the top five IC3-reported ransomware variants targeting healthcare.
• Brief the board: 460 ransomware complaints against Healthcare/Public Health, highest of any critical infrastructure sector, to support security investment requests and risk committee reporting.
• Ensure IR plans include immediate IC3 filing and FFKC engagement—the 60% healthcare-specific freeze success rate makes rapid reporting a tangible financial recovery lever.
• Implement out-of-band wire verification for vendor payments, construction contracts, and real estate transactions; BEC generated $3.0B in national losses with healthcare organizations as frequent targets.
• Incorporate AI-enabled social engineering scenarios (deepfake voice, AI-generated phishing, and voice-cloned distress calls) into tabletop exercises and workforce training.
• Vet remote IT and telehealth developer hires rigorously in light of the DPRK IT worker threat—require live on-camera interviews and validate identities independently.
• Integrate elder fraud awareness into patient engagement, caregiver communications, and community health programming given the 59% YoY increase in 60+ losses.
• Review backup architecture against the FBI’s specific ransomware mitigation guidance: encrypted, immutable, offline, covering the entire data infrastructure.
• Evaluate crypto ATM/kiosk fraud awareness for patient-facing materials—$257 million in losses among the 60+ group from this vector alone.
• Document alignment between FBI-recommended mitigations and HIPAA Security Rule safeguards to strengthen reasonable safeguards defense posture.

Source: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report. Analysis and sector framing by The Fowler Group, LLC.