US healthcare provider hit by Iran‑linked ransomware attack

A major healthcare cyberattack raises alarms

In late February 2026, a U.S. healthcare provider suffered a serious ransomware attack attributed to an Iran‑linked hacker group known as Pay2Key. The attackers gained access to an administrative account, then moved laterally into the provider’s network.

Within a matter of hours, the malicious software encrypted systems, disrupting operations. This incident underscores how digital threats tied to geopolitical tensions can spill into critical infrastructure like health care.

Iran‑linked ransomware gang Pay2Key involved

Cybersecurity researchers say the group behind the attack is Pay2Key, a pro‑Iran ransomware operation active since at least 2020. Its methods typically involve gaining persistent access before deploying encryption tooling across networks quickly.

In this case, the attack began several days before the activation of the ransomware payload, giving the gang time to explore and map the environment. The incident is among the first publicly confirmed Iran‑linked ransomware assaults on U.S. health infrastructure.

Encrypted systems disrupt healthcare work

Once the Pay2Key ransomware was activated, it encrypted systems throughout the provider’s environment in just a few hours. Encrypted systems can halt scheduling, billing, medical records access, and internal communication.

When critical applications are locked, hospitals and clinics may be forced to delay treatment, resort to paper documentation, or divert patients. This type of disruption can jeopardize patient care and operational continuity if backups and mitigation plans are not effective.

No ransom demand reported yet

Researchers said they found no evidence of data exfiltration during the intrusion, a notable departure from the double extortion tactics common in many ransomware attacks. Early public reporting focused on the disruption itself as investigators worked to determine whether the operation was driven primarily by extortion, destruction, or both.

Technical analysis of the malware shows that Pay2Key also deployed a ransom note with decryption instructions after encrypting systems. The case points to a disruptive ransomware campaign whose exact motive remains under investigation.

Healthcare cyber risk extends beyond one incident

This attack adds to a growing list of cyber incidents that have exposed systemic weaknesses across the healthcare sector and its supporting technology vendors. A breach at one organization can ripple outward through claims systems, pharmacies, providers, and other third‑party services that depend on shared infrastructure.

In 2024, the ransomware attack on UnitedHealth’s Change Healthcare unit disrupted pharmacy transactions, insurance claims, and payment flows across the United States. The fallout was national in scope and lasted far longer than a brief interruption to prescriptions.

Little-known fact: Do you know why healthcare is targeted? Medical records are “perpetual assets” because, unlike credit cards, you can’t change your DNA or history, making healthcare the ultimate high-value, unfixable target for life-or-death extortion.

Incident response and forensic work

After the attack, response teams from cybersecurity firms and internal security were brought in to mitigate damage. Incident responders often work to isolate affected systems, restore backups, and block persistent access.

Forensic analysis focuses on how the hackers entered the network, what tools they used, and whether sensitive data was accessed or stolen. These investigations can take weeks or months, but are crucial to prevent repeat breaches.

Connection to broader geopolitical tensions

The attack unfolded during a period of heightened tension involving the United States, Israel, and Iran, and researchers said recent Pay2Key activity tracked closely with that broader conflict. Security analysts have warned that cyber operations are likely to remain part of Iran‑linked retaliation and pressure campaigns.

Healthcare is not a newly emerging target, however, because hospitals, providers, and related health organizations have faced serious cyberattacks for years. Recent incidents show that the sector remains vulnerable when geopolitical tensions overlap with ransomware and destructive intrusion activity.

Potential impact on patient records

Encrypted systems can make electronic health records temporarily unavailable, slowing clinical decision-making. If backups aren’t up‑to‑date or easily restored, patient treatment plans, lab results, and scheduling systems can be compromised.

Hospitals may revert to manual processes, which are slower and prone to error. Protecting patient data and access remains a top concern for health providers facing ransomware threats tied to skilled, persistent attackers.

Federal agencies get involved

When cyberattacks affect U.S. healthcare infrastructure, federal response teams often step in. Agencies like the FBI and Cybersecurity and Infrastructure Security Agency (CISA) may assist with investigations, coordinate threat intelligence sharing, and advise on mitigation.

U.S. authorities also work to attribute attacks, assess national security implications, and provide actionable guidance to other healthcare entities to guard against copycat activity.

Little-known fact: The first female special agents in the Bureau’s history reported for training at the FBI Academy at Quantico, Virginia, in July 1972. Before then, the FBI did not accept applications from women to become special agents.

Why hackers target healthcare

Healthcare organizations often use specialized systems with numerous entry points, making them attractive to attackers. They typically store sensitive personal data and require high uptime, which can make them more likely to pay ransoms.

When attackers believe geopolitical tensions create justification for targeting critical infrastructure, sectors like healthcare can be seen as strategic touch points to send a message or create disruption.

Ransomware’s broader impact on services

Even after systems are restored, ransomware attacks can have lasting effects. Delays in care, loss of productivity, and increased cybersecurity spending are common after a breach.

Healthcare providers may need to invest in stronger defenses, staff retraining, and advanced monitoring tools. Disruptions can also undermine patient trust if personal data is believed to be at risk, even if no breach of records occurs.

Lessons for healthcare cybersecurity

This attack reinforces the need for robust cybersecurity practices like multi‑factor authentication, regular patching, network segmentation, and offline backups.

Cyber hygiene and incident planning are crucial, especially as cyber threats evolve beyond simple criminal groups into actors with political motives. Sharing threat intelligence across the health sector helps defenders anticipate and mitigate sophisticated attacks before they escalate.

What healthcare organizations should watch

Healthcare leaders should monitor threat trends, update incident response plans, and invest in detection systems that can spot unusual activity early.

Regular training for staff on phishing and credential protection is essential, since many ransomware campaigns begin with compromised accounts. Strengthening digital defenses now can help prevent future attacks that could disrupt vital patient services.

This slideshow was made with AI assistance and human editing.
