Ransomware Without the Ransom Note: Why Hospitals Are Losing Patient Data Before Any Files Are Locked

The backup restore worked. The files came back. The hospital declared the ransomware incident contained.

Three weeks later, a threat actor published 40,000 patient records on a dark web forum, and the HIPAA breach notification obligations arrived with them.

This is the new ransomware playbook targeting healthcare: skip the encryption entirely, exfiltrate the data quietly, delete the backups, and use the threat of regulatory disclosure and public notification as leverage. No locked files. No ransom note. No visible disruption until the extortion demand arrives.

Hospitals that built their defenses around detecting file encryption are not prepared for this.

What Is Data Extortion Without Encryption?

Classic ransomware locked files and sold the decryption key back. The double-extortion model that followed added a first step, data exfiltration (stealing a copy of sensitive files), before file encryption (locking the originals and demanding payment for decryption). In both, the encryption step was the primary leverage mechanism.

Pure extortion attacks drop the encryption step entirely. Attackers quietly exfiltrate patient data, delete or corrupt local backup copies to eliminate the easy recovery path, then threaten to publish the data publicly or report the breach to regulators unless payment is received. The leverage is no longer “pay to unlock your files”; it is “pay to prevent a HIPAA notification letter going to 40,000 patients.”

This approach is faster, harder to detect, leaves no encryption-related indicators of compromise, and neutralizes the investment hospitals have made in backup and recovery infrastructure: a restored file is no defense against a copy the attacker already holds.

How Severe Is the Healthcare Ransomware Problem in 2026?

Healthcare has become the most targeted sector for ransomware by attack volume:

  • Healthcare ransomware attacks increased 36% in late 2025. The sector is targeted in over one-third of all ransomware attacks (Meriplex / Healthcare IT Today 2026).
  • Average cost of a hospital ransomware attack: $10.9 million in downtime, recovery, and regulatory fines (AHA 2026).
  • Multiple 2026 incidents resulted in hospitals operating without connected technology for 30 days or longer, with direct patient safety consequences.
  • The Gentlemen Group attacked Hospital Caribbean Medical Center in Puerto Rico in early 2026, claiming sensitive patient data exfiltration as their primary leverage.
  • A former FBI official proposed terror designations for ransomware groups targeting hospitals in April 2026, signaling the escalating policy response to healthcare attacks.

The AI Acceleration Factor

AI-enhanced attack automation has made healthcare a more accessible target. Attackers use AI to automate reconnaissance against Electronic Health Record (EHR) systems, customize attack sequences for specific clinical software environments, and craft highly convincing phishing attempts targeting clinical staff who may have limited security training. The barrier to executing a sophisticated healthcare attack has dropped significantly.

What Happens When Hospitals Miss the Exfiltration Stage

HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals of a breach of unsecured protected health information without unreasonable delay and no later than 60 calendar days after discovery, and to notify the Department of Health and Human Services (within the same window for breaches affecting 500 or more individuals, in an annual log for smaller ones). Whether the attacker encrypted anything is irrelevant to the obligation. Two details matter for the pure-exfiltration case: a breach counts as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the organization; and the clock starts whether that discovery comes from a threat actor’s extortion demand or from an internal investigation.

The notification itself causes secondary harms: patient trust erosion, class action litigation exposure, OCR investigation, and potential civil monetary penalties. In 2026, the average per-record cost of a healthcare breach is among the highest of any industry.

Old Way vs. New Way: Healthcare Ransomware Detection

Traditional Defense                      | 2026 Required Approach
-----------------------------------------|-----------------------------------------------------
File rename event detection              | Network-layer exfiltration detection
Encryption behavior monitoring           | Packet-level data transfer volume anomaly detection
Backup integrity verification            | Backup modification monitoring with immutable copies
Endpoint AV for ransomware signatures    | Behavioral EDR for data harvesting tool activity
Post-encryption incident response        | Pre-exfiltration detection and containment

How Peris.ai Addresses the Healthcare Extortion Threat

NVM: Catch the Exfiltration Before the Demand Arrives

The defining characteristic of pure data-extortion attacks is that the last signal before the extortion demand, and the one that matters most, is network-level: anomalous large data transfers moving patient records toward external destinations. Peris.ai’s NVM (Network Visibility Monitor) operates at the packet level, providing the granular network telemetry needed to spot transfers that are inconsistent with normal clinical operations: large volumes of structured data (consistent with EHR exports) moving toward external IP ranges outside the approved vendor list, particularly at off-hours.

This is the detection layer that encryption-based defenses miss entirely. NVM is designed to alert during the exfiltration stage, before the point at which a ransom note would appear in a traditional attack.
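To make the detection concrete, here is an added example (not Peris.ai code, and not a description of how NVM works internally) of the kind of volume-anomaly logic a network monitor applies to flow records: per-host hourly outbound bytes to destinations that are neither internal nor on an approved vendor list, compared against a historical median and an absolute floor, with off-hours raising severity. The address ranges, thresholds, host names and flow records are all constructed for the example.

```python
"""Hourly outbound-volume anomaly detection over flow records.

Added example for this article; it is not Peris.ai code and does not model how NVM
works internally. The network ranges, thresholds and flow records below are all
constructed for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_host: str    # internal asset name, e.g. "ehr-db-01"
    dst_ip: str
    dst_port: int
    bytes_out: int


# Assumed address plan (constructed): internal ranges and the approved vendor list.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
APPROVED_VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. offsite backup provider


def is_unapproved_external(dst_ip: str) -> bool:
    """True for destinations that are neither internal nor on the approved vendor list."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return False
    return not any(ip in net for net in APPROVED_VENDOR_NETS)


def hourly_totals(flows):
    """Bytes per (host, clock hour) sent to unapproved external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_unapproved_external(f.dst_ip):
            bucket = f.ts.replace(minute=0, second=0, microsecond=0)
            totals[(f.src_host, bucket)] += f.bytes_out
    return totals


def per_host_baseline(historical_flows):
    """Median hourly volume per host over the training period (hours with zero
    unapproved traffic do not appear, so this baseline errs on the high side)."""
    by_host = defaultdict(list)
    for (host, _bucket), total in hourly_totals(historical_flows).items():
        by_host[host].append(total)
    return {host: statistics.median(vals) for host, vals in by_host.items()}


def is_off_hours(ts: datetime, start_hour: int = 22, end_hour: int = 6) -> bool:
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_exfil(current_flows, historical_flows, factor: float = 5.0,
                 floor_bytes: int = 500 * 2**20):
    """Alert when an hour's unapproved external volume exceeds both an absolute floor
    and `factor` times the host's historical median. Off-hours raises severity."""
    baseline = per_host_baseline(historical_flows)
    alerts = []
    for (host, bucket), total in sorted(hourly_totals(current_flows).items()):
        threshold = max(floor_bytes, factor * baseline.get(host, 0))
        if total > threshold:
            alerts.append({
                "host": host,
                "window_start": bucket,
                "bytes": total,
                "baseline_bytes": baseline.get(host, 0),
                "severity": "high" if is_off_hours(bucket) else "medium",
            })
    return alerts


def sample_flows():
    """Constructed data: a week of normal traffic, then the 02:17 export from the use case."""
    historical, current = [], []
    for day in range(3, 10):  # 2026-03-03 .. 2026-03-09
        for hour in range(24):
            ts = datetime(2026, 3, day, hour, 5)
            historical.append(Flow(ts, "ehr-db-01", "198.51.100.5", 443, 1 * 2**20))  # update mirror
        historical.append(Flow(datetime(2026, 3, day, 1, 0), "ehr-db-01", "203.0.113.10", 443, 20 * 2**30))  # approved backup
    # Tuesday 2026-03-10: scheduled backup, a small daytime transfer, and the exfiltration
    current.append(Flow(datetime(2026, 3, 10, 1, 0), "ehr-db-01", "203.0.113.10", 443, 20 * 2**30))
    current.append(Flow(datetime(2026, 3, 10, 12, 30), "ehr-db-01", "198.51.100.5", 443, 5 * 2**20))
    for i in range(10):  # 02:17 .. 02:53, ten chunks of 340 MB to an unlisted host
        current.append(Flow(datetime(2026, 3, 10, 2, 17) + timedelta(minutes=4 * i),
                            "ehr-db-01", "198.51.100.77", 443, 340_000_000))
    return current, historical


if __name__ == "__main__":
    for alert in detect_exfil(*sample_flows()):
        print(alert)
```

Running the block yields one alert for ehr-db-01 in the 02:00 hour: 3.4 GB against a 1 MB hourly median. The approved-vendor exclusion is what keeps the nightly 20 GB backup quiet, which is also why the allowlist itself must be monitored for changes: an attacker who can add a destination to it silences this detection.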

XDR: Detect Data Staging and Lateral Movement

Before exfiltration, attackers stage data: they identify, aggregate, and compress patient records for transfer. Peris.ai’s XDR platform detects the behavioral sequence of that staging activity across clinical workstations and servers: unusual access to EHR databases, bulk file aggregation in temporary directories, and execution of compression tools shortly before the data leaves the network.

EDR: Stop Data Harvesting at the Endpoint

Peris.ai’s EDR platform detects data harvesting tools and credential dumping activity on clinical workstations: the endpoint-level behaviors that precede both data staging and lateral movement. Behavioral detection operates independently of known malware signatures, catching novel tooling used in 2026 healthcare attacks.

Peris.ai IRP: HIPAA-Aligned Breach Response

When a potential breach is detected, Peris.ai IRP provides structured case management with workflow automation designed for the HIPAA notification timeline. The platform tracks the 60-day notification clock from the moment of discovery, manages the evidence collection required for OCR submissions, and coordinates notifications across the required parties: affected individuals, HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets serving that area.

Use Case: Detecting Patient Data Exfiltration at 2AM

On a Tuesday at 02:17, Peris.ai NVM flags an anomaly at a regional hospital: an internal server hosting EHR data is generating sustained outbound HTTPS transfers to an IP address outside the hospital’s approved vendor list. Transfer volume: 3.4GB over 47 minutes. The traffic pattern is inconsistent with scheduled backup operations.

XDR correlates the NVM alert with an EDR signal from 90 minutes earlier: unusual access to the EHR database schema from a service account that normally only performs read queries on specific patient record tables. BrahmaFusion’s automated playbook isolates the affected server, revokes the service account credentials, and opens a Peris.ai IRP case with the full evidence timeline.

The CISO and compliance officer are notified at 02:31. The exfiltration is stopped at 3.4GB. Forensic analysis confirms what was taken. HIPAA notification planning begins with a complete evidence package, rather than with a threat actor’s extortion demand three weeks later.
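The correlation described in this use case can be sketched in code. The following is an added example, not Peris.ai code and not a model of how XDR, EDR or BrahmaFusion work internally: it profiles what a service account normally touches, recognises an archive tool writing into a temp directory, and, when a network alert fires, walks back two hours on the same host to assemble the timeline and pick containment actions. The account profile, tool list, host names and events are constructed to match the times in the narrative above (the 00:47 query is the signal 90 minutes before the 02:17 alert).

```python
"""Correlating database and endpoint staging signals with a network exfiltration alert.

Added example for this article; not Peris.ai code and not a model of how XDR, EDR or
BrahmaFusion work internally. Account profiles, tool lists and events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str             # "db_query", "process" or "net_alert"
    account: str = ""
    detail: dict = field(default_factory=dict)


# Assumed least-privilege profile: what the reporting service account is expected to touch.
ACCOUNT_PROFILES = {
    "svc_reporting": {"tables": {"patient_visits", "lab_results"}, "ops": {"SELECT"}},
}
ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "tar", "zip"}
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "/tmp/", "/var/tmp/")


def db_deviation(ev: Event) -> set:
    """Tables or operations outside the account's profile; empty if nothing unusual."""
    profile = ACCOUNT_PROFILES.get(ev.account)
    if profile is None:
        return set()  # unprofiled accounts would be handled by a separate rule
    off_profile = set(ev.detail.get("tables", ())) - profile["tables"]
    off_profile |= set(ev.detail.get("ops", ())) - profile["ops"]
    return off_profile


def is_staging_archive(ev: Event) -> bool:
    """Archive tool writing its output into a temp/public directory."""
    image = ev.detail.get("image", "").lower().replace("\\", "/").rsplit("/", 1)[-1]
    output = ev.detail.get("output_path", "").lower()
    return image in ARCHIVE_TOOLS and output.startswith(STAGING_DIRS)


def correlate(events, net_alert: Event, lookback=timedelta(hours=2)) -> dict:
    """Walk back from a network alert and collect staging precursors on the same host."""
    window_start = net_alert.ts - lookback
    timeline, accounts = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host != net_alert.host or not (window_start <= ev.ts <= net_alert.ts):
            continue
        if ev.kind == "db_query":
            deviation = db_deviation(ev)
            if deviation:
                timeline.append((ev.ts, "db_access_deviation",
                                 f"{ev.account} touched {sorted(deviation)}"))
                accounts.add(ev.account)
        elif ev.kind == "process" and is_staging_archive(ev):
            timeline.append((ev.ts, "archive_staged", ev.detail["output_path"]))
    timeline.append((net_alert.ts, "exfil_volume_anomaly", net_alert.detail.get("summary", "")))

    stages = {stage for _, stage, _ in timeline}
    if {"db_access_deviation", "archive_staged"} <= stages:
        confidence = "high"
        actions = ["isolate_host", "revoke_service_account", "open_irp_case"]
    elif len(stages) == 2:
        confidence = "medium"
        actions = ["isolate_host", "open_irp_case"]
    else:
        confidence = "low"
        actions = ["analyst_triage"]
    return {"host": net_alert.host, "confidence": confidence, "accounts": sorted(accounts),
            "timeline": timeline, "actions": actions}


def sample_incident() -> dict:
    """Constructed events matching the 02:17 use case; 00:47 is the EDR signal 90 minutes earlier."""
    events = [
        Event(datetime(2026, 3, 9, 23, 0), "backup-01", "process", "svc_backup",
              {"image": "C:\\Tools\\7z.exe", "output_path": "D:\\Backups\\nightly.7z"}),
        Event(datetime(2026, 3, 10, 0, 47), "ehr-db-01", "db_query", "svc_reporting",
              {"ops": ["SELECT"], "tables": ["patients", "insurance_policies", "information_schema.tables"]}),
        Event(datetime(2026, 3, 10, 1, 5), "ehr-db-01", "db_query", "svc_reporting",
              {"ops": ["SELECT"], "tables": ["lab_results"]}),   # routine, within profile
        Event(datetime(2026, 3, 10, 1, 30), "ehr-db-01", "process", "svc_reporting",
              {"image": "C:\\Windows\\Temp\\7z.exe", "output_path": "C:\\Windows\\Temp\\export.7z"}),
    ]
    net_alert = Event(datetime(2026, 3, 10, 2, 17), "ehr-db-01", "net_alert",
                      detail={"summary": "3.4 GB HTTPS to 198.51.100.77 outside approved vendor list"})
    return correlate(events, net_alert)


if __name__ == "__main__":
    incident = sample_incident()
    for ts, stage, note in incident["timeline"]:
        print(ts, stage, note)
    print(incident["confidence"], incident["actions"])
```

The playbook actions are returned rather than executed, so the same function can feed an automated isolation step or an analyst queue depending on confidence. The 7z.exe run on backup-01 writing to D:\Backups\ is ignored both because it is on a different host and because the output is not a staging directory; a per-host profile of expected archive activity would be needed to catch an attacker who stages inside a legitimate backup path.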

Benefits at a Glance

Benefit                                   | Outcome
------------------------------------------|---------------------------------------------------
NVM packet-level exfiltration detection   | Data theft caught before extortion demand
XDR data staging behavioral detection     | Early warning before files leave the network
EDR clinical endpoint protection          | Harvesting tools stopped at the endpoint
Peris.ai IRP HIPAA workflow               | 60-day notification clock managed from discovery
Integrated evidence trail                 | Complete forensic package for OCR submission

Conclusion

The evolution from file-encrypting ransomware to pure data extortion has outpaced most hospital security programs. Detection logic built around encryption events, file rename patterns, and backup monitoring does not catch an attacker who never modifies a file, only reads it and copies it out over the network. Network-level visibility of the kind NVM provides is now the minimum viable detection capability for healthcare organizations facing this threat class.

Peris.ai’s NVM, XDR, EDR, and IRP give healthcare security teams the integrated detection and response capability to catch data extortion attacks before the extortion demand arrives. Visit Peris.ai to learn more about how it protects healthcare organizations.

FAQ

What is a data extortion attack without encryption?

An attack where threat actors exfiltrate sensitive data and delete backup copies without encrypting files, then use the threat of regulatory reporting or public data disclosure as their primary extortion leverage.

Does HIPAA apply if files were never encrypted?

Yes. HIPAA breach notification obligations apply whenever unsecured protected health information is accessed, acquired, used, or disclosed without authorization, regardless of whether the attacker encrypted anything. The rule’s safe harbor for data that the covered entity itself had encrypted to HHS standards is a separate matter, and it does not help when the attacker copied data that was readable on the server.

How does NVM detect data exfiltration that endpoint tools miss?

NVM monitors network traffic at the packet level, detecting anomalous large data transfers that are inconsistent with normal clinical operations, a signal that encryption-based endpoint detection systems do not generate.

What is the average cost of a hospital ransomware attack in 2026?

$10.9 million in downtime, recovery, and regulatory fines, according to AHA 2026 data.

How quickly must hospitals notify HHS of a breach?

HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Breaches affecting 500 or more individuals must be reported to HHS within the same timeframe; smaller breaches may be logged and reported to HHS annually. For breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified within the same timeframe.
