Privacy Under Siege: Securing Healthcare in the Age of Akira

Jessica Payne

Consultant, Advisory Services, Coalfire

November 21, 2025

The rise of Akira ransomware has made securing healthcare systems more urgent than ever. This sophisticated malware not only encrypts data but also exfiltrates sensitive patient information, creating significant privacy and operational risks for healthcare organizations. Understanding the nature of the threat and implementing strong preventative measures is crucial to protecting patient privacy and maintaining trust.

What Is Akira Ransomware & Why Healthcare Organizations Should Be Worried

Akira is a ransomware-as-a-service group that increasingly targets healthcare systems. A joint alert issued by CISA, the FBI, HHS, and other agencies reports that Akira threat actors exploit publicly known vulnerabilities in VPN and backup systems to gain initial access. The updated CISA Advisory (Nov 13, 2025) notes that a common tactic is exploiting VPN services without MFA, especially in Cisco and SonicWall products. Once inside the network, Akira actors exfiltrate data using tools such as FileZilla, WinSCP, and cloud storage services. This exfiltration step is what makes Akira far more dangerous than traditional ransomware: it enables a double-extortion model that can devastate an organization even after systems are restored.

Why Double Extortion Makes Akira Especially Dangerous

Akira’s threat model is built around double extortion, a tactic that significantly increases the pressure on victims and the potential damage to healthcare organizations. In a double-extortion attack, adversaries not only encrypt critical systems but also steal sensitive data before deploying ransomware. Even if an organization successfully restores its systems from backups, attackers retain leverage by threatening to publicly release or sell the stolen information.

Akira’s method typically includes exploiting known vulnerabilities or weak remote access (MITRE: Exploitation of Public-Facing Applications – T1190; Valid Accounts – T1078), moving laterally to high-value systems (Remote Services – T1021), exfiltrating data with common transfer tools (Exfiltration Over Web Services – T1567.002), and encrypting files for impact (T1486).

The State of Ransomware in Healthcare

The broader healthcare ransomware landscape highlights the scale of the problem. According to a Sophos 2025 report, 33% of attacks now exploit known vulnerabilities, surpassing credential-based attacks for the first time. While the percentage of attacks that involve encryption has declined to 34%, extortion-only attacks (where data is threatened with exposure but not encrypted) have tripled to 12%. These shifts show that attackers are increasingly focusing on the sensitivity of healthcare data rather than disrupting IT operations. The financial implications remain serious, with the median ransom in 2025 reaching $343,000, and recovery costs often far exceeding that figure.

Privacy Risks

One of the most pressing concerns is the privacy risk posed by Akira ransomware. Data exfiltration exposes patient records and protected health information (PHI), potentially leading to public leaks if ransoms are not paid. Even when data is restored after an encryption attack, stolen information may already have been copied or sold, making double extortion particularly dangerous. Beyond the immediate financial and operational impact, such incidents can trigger regulatory consequences under HIPAA, requiring organizations to notify patients, report breaches, and face potential investigations. The average breach cost in the United States reached a record USD 10.22 million, a 9% increase over last year, driven in part by higher regulatory fines and detection and escalation costs. The risk is further compounded when attackers target backup systems, potentially compromising the ability to fully restore unaltered data.

Recommended Guidance

In response to this growing threat, a Joint Cybersecurity Advisory has issued guidance to help healthcare organizations strengthen defenses against Akira ransomware. Organizations are advised to harden VPN security and ensure that MFA is enabled on all remote access systems. 

“Akira relies primarily on brute force attacks on virtual private networks without multi-factor authentication enabled to gain initial access, and then they exploit known vulnerabilities in victim systems,” said Scott Gee, American Hospital Association (AHA) deputy national advisor for cybersecurity and risk. “Hospitals should ensure that their VPNs are properly configured and that they are quickly addressing published common vulnerabilities and exposures.” 

Healthcare organizations must promptly:

  • Patch all known vulnerabilities in VPN, backup, and other critical systems.
  • Implement measures to prevent unauthorized access.
  • Implement a Security Information and Event Management (SIEM) system for correlated log analysis.
  • Maintain offline, immutable backups.
  • Test restoration procedures on a regular basis.

Continuous monitoring for indicators of compromise (IOCs) and regular threat intelligence updates can help detect intrusions before major damage occurs. Additionally, staff training is vital to strengthen phishing awareness and reduce the risk of credential-based attacks.
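The MITRE mapping above (T1078/T1190 for initial access, T1567.002 for exfiltration) and the recommendation to run a SIEM for correlated log analysis can be made concrete with a small rule set. The following is an added example, not Coalfire's, CISA's or any vendor's code: it replays two constructed log sources (a VPN gateway authentication log and an endpoint process-creation log, both in an assumed `source key=value` format) and raises alerts for a VPN login without MFA, a login that follows a burst of failed attempts from the same source, and a file-transfer tool (WinSCP or FileZilla, as named in the advisory summary) launched shortly after that user's VPN login. The third rule is the correlation a SIEM adds that neither log shows on its own.

```python
"""Correlated log analysis for the intrusion chain the article describes:
VPN authentication without MFA (T1078), preceded by password guessing,
then use of a file-transfer tool such as WinSCP or FileZilla on an endpoint
(T1567.002). This is an added example, not Coalfire's or CISA's code;
the two log formats and their field names are assumptions made for it."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # failed logins that count as guessing
FAIL_WINDOW = timedelta(minutes=10)   # ...when they occur within this window
EXFIL_WINDOW = timedelta(hours=2)     # transfer tool seen this soon after a VPN login
# Transfer tools named in the advisory summary; lowercase for comparison.
TRANSFER_TOOLS = {"winscp.exe", "filezilla.exe"}

# Constructed sample events (not real logs). Each line is
# "<source> key=value ...": "vpn" is the VPN gateway's authentication log,
# "edr" is the endpoint agent's process-creation log.
SAMPLE_LOGS = """\
vpn ts=2025-11-13T02:10:05 user=jdoe src=203.0.113.7 result=fail mfa=no
vpn ts=2025-11-13T02:10:09 user=jdoe src=203.0.113.7 result=fail mfa=no
vpn ts=2025-11-13T02:10:14 user=jdoe src=203.0.113.7 result=fail mfa=no
vpn ts=2025-11-13T02:10:19 user=jdoe src=203.0.113.7 result=fail mfa=no
vpn ts=2025-11-13T02:10:24 user=jdoe src=203.0.113.7 result=fail mfa=no
vpn ts=2025-11-13T02:10:31 user=jdoe src=203.0.113.7 result=success mfa=no
edr ts=2025-11-13T02:41:10 host=ws-ehr-17 user=jdoe process=WinSCP.exe
vpn ts=2025-11-13T08:02:00 user=asmith src=198.51.100.20 result=success mfa=yes
edr ts=2025-11-13T08:30:00 host=ws-lab-03 user=asmith process=outlook.exe
"""


def parse_event(line):
    """Turn one 'source key=value ...' line into a dict with a datetime ts."""
    source, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["source"] = source
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(log_text):
    """Replay events in time order and return the alerts a SIEM rule set
    covering the article's attack chain would raise."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)      # (user, src) -> timestamps of failed logins
    vpn_logins = defaultdict(list)    # user -> timestamps of successful VPN logins

    def alert(rule, technique, event, detail):
        alerts.append({"rule": rule, "technique": technique, "user": event["user"],
                       "ts": event["ts"].isoformat(), "detail": detail})

    for e in events:
        if e["source"] == "vpn":
            key = (e["user"], e["src"])
            if e["result"] != "success":
                failures[key].append(e["ts"])
                continue
            vpn_logins[e["user"]].append(e["ts"])
            # Rule 1: any VPN login that did not complete MFA.
            if e["mfa"] != "yes":
                alert("vpn_login_without_mfa", "T1078", e, f"from {e['src']}")
            # Rule 2: a success right after a burst of failures from the same
            # source (ATT&CK Brute Force, T1110; not in the article's own mapping).
            recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alert("brute_force_then_success", "T1110", e,
                      f"{len(recent)} failures from {e['src']} within {FAIL_WINDOW}")
        elif e["source"] == "edr" and e["process"].lower() in TRANSFER_TOOLS:
            # Rule 3 (the correlation): a transfer tool launched by a user who
            # logged in over VPN shortly before, the exfiltration step of the chain.
            prior = [t for t in vpn_logins[e["user"]]
                     if timedelta(0) <= e["ts"] - t <= EXFIL_WINDOW]
            if prior:
                alert("transfer_tool_after_vpn_login", "T1567.002", e,
                      f"{e['process']} on {e['host']} {e['ts'] - prior[-1]} after VPN login")
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a['ts']} {a['rule']:<30} {a['technique']:<9} {a['user']:<8} {a['detail']}")
```

On the sample data the user `jdoe` produces all three alerts and `asmith` (MFA completed, no transfer tool) produces none. The thresholds and windows are starting points, not tuned values; in production the same logic would be expressed as SIEM correlation rules keyed on the user identity shared between the VPN and endpoint logs.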

Protecting Patient Privacy

Protecting patient privacy requires a proactive, comprehensive approach:

  • Conduct privacy impact assessments to help organizations identify where PHI is stored, how it might be exposed, and which safeguards are needed.
  • Complete tabletop exercises simulating ransomware incidents, including data-exfiltration scenarios, to prepare teams for real-world attacks and ensure timely breach response.
  • Ensure backup integrity through offline, secure storage, coupled with continuous network monitoring, to help prevent or limit the damage caused by ransomware.
  • Review incident response plans to verify they integrate privacy and regulatory obligations, including breach notification requirements.
  • Conduct a comprehensive risk analysis to identify gaps in security controls and workflows.
  • Perform a business impact analysis to document data-handling practices, and carry out data mapping to determine where ePHI resides.
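The advice to maintain offline, immutable backups, test restoration regularly, and ensure backup integrity turns on one question: after a restore, can you prove the data is unaltered? The following is an added example, not Coalfire's code, that answers it with a hash manifest: at backup time every file's SHA-256 and size are recorded and the manifest is sealed with an HMAC key kept off the backup media (the directory layout, file names and key handling are assumptions for the example); after a test restore, the restored tree is compared against the manifest so that altered, deleted and added files are reported rather than silently restored.

```python
"""Restore verification for the backup-integrity advice above. At backup time a
manifest of file hashes is written and sealed with a key kept off the backup
media; after a test restore, the restored tree is compared against it so that
files altered, deleted or added on the backup system are reported.
Added example, not Coalfire's code; directory layout and key handling are
assumptions made for the example."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large backup sets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its size and hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """HMAC over the canonical JSON form, so the manifest itself is tamper-evident
    as long as the key is not stored with the backup."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_restore(manifest, seal, key, restored_root):
    """Check the seal first, then compare the restored tree against the manifest."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        raise ValueError("manifest seal mismatch: manifest or key has been altered")
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(p for p in set(manifest) & set(actual)
                           if manifest[p] != actual[p]),
    }


def demo():
    """Constructed scenario: back up three files, tamper with the restored copy, verify."""
    key = os.urandom(32)   # in practice: generated once and stored offline, never with the backup
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "source"), Path(tmp, "restored")
        (src / "ehr").mkdir(parents=True)
        (src / "ehr" / "patients.db").write_bytes(b"A" * 4096)
        (src / "ehr" / "audit.log").write_text("2025-11-13 login ok\n")
        (src / "README.txt").write_text("backup set 1\n")
        manifest = build_manifest(src)
        seal = seal_manifest(manifest, key)
        # "Restore" the backup, then simulate what a compromised backup host could do.
        shutil.copytree(src, restored)
        (restored / "ehr" / "patients.db").write_bytes(b"A" * 4095 + b"B")  # altered, same size
        (restored / "ehr" / "audit.log").unlink()                         # deleted
        (restored / "extra.txt").write_text("not part of the backup set\n")  # added
        return verify_restore(manifest, seal, key, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size check alone would miss the altered database (same length, one byte changed), which is why the comparison uses the hash. Running `demo()` reports `ehr/patients.db` as modified, `ehr/audit.log` as missing and `extra.txt` as unexpected; a restore test that ends with all three lists empty is the evidence that the backup can be trusted.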

The insights gained from the above steps help guide remediation efforts, prioritize security investments, and strengthen overall resilience against data exfiltration and other ransomware-related risks.

Akira ransomware is not merely a cyber threat but represents a critical privacy risk for healthcare organizations. Its dual nature of data encryption and exfiltration highlights the need for robust security measures, resilient backup strategies, and comprehensive privacy protections. The evolving ransomware landscape underscores that cybersecurity and patient privacy are inseparable priorities in modern healthcare.