US Healthcare Cyber Incident Map — Operating Picture
OPSARIC-CI-2026-0509 · Q1 2026 · Updated 2026-05-09
Posture: ELEVATED · 201 Q1 attacks (120 providers + 81 vendors) · Top actors: Akira · Rhysida · Interlock · Insomnia · 96% of ransomware incidents exfiltrate data · Concentration risk: Change Healthcare class single-point-of-failure architecture persists
Ransomware
Data breach
Supply-chain compromise
Last 7 days (pulsing)
Dot size ∝ patients affected · cluster halo = state with ≥3 incidents
Incidents tracked
94+
major US events YTD
Q1 2026 attacks
201
120 providers · 81 vendors
Largest single breach
192.7M
Change Healthcare
Data-exfil rate
96%
of ransomware incidents
Hot state · 30d
TX
6 incidents · cluster halo
TOP ACTIVE THREAT ACTORS · TRACKED CORPUS
Akira ×4
Rhysida ×4
Interlock ×3
ALPHV/BlackCat ×3
Qilin ×3
Insomnia ×2
Genesis ×3
PEAR Extortion ×3
Handala (Iran MOIS) ×1
RansomHub ×1
Spacebears ×2
Lynx ×2
INTERNATIONAL ECHO ·
Réseau Radiologique Romand (CH · Akira) ·
CarePoint Health (CA · Genesis) ·
Rehab Clinics Group (UK · Everest) ·
FriendlyCare Pharmacy (AU · Kairos) ·
ChipSoft (NL EHR · ransomware) ·
Nippon Medical School (JP · NetRunner) ·
Depósito Dental Universitario (MX · Lamashtu) ·
Alpinion (KR · Coinbasecartel) ·
Healthdaq (IE · XP95) ·
AEP Pharma (DE · ransomware) ·
Hospital Caribbean Medical Center (PR · The Gentlemen)
OPSARIC · Healthcare Cyber Threat Tracker · Q1 2026 Operating Picture · 2026-05-09
Sources: HIPAA Journal · HHS OCR Breach Portal · CISA · DOJ · victim disclosures · darkweb leak sites (tracked) · GreyNoise · Recorded Future · OPSARIC analyst attribution
Positions approximate · State-level geocoding · Not a projection-accurate map · Cluster halos at n ≥ 3