Insomnia Data Theft Gang Signals a New Era of Healthcare Cyber Threats: Why Perimeter Security Is No Longer Enough

Your firewall is not protecting your patient data. Your endpoint detection is not catching the intruder. Your perimeter security strategy was built for a threat that no longer exists.

That is the uncomfortable reality exposed by Insomnia, a new cybercriminal operation targeting U.S. healthcare. Since first surfacing in October 2025, the group has posted 18 alleged victims on its data leak site. More than half are tied to healthcare — hospitals, clinics, medical malpractice law firms, and surgical equipment manufacturers.

Insomnia does not encrypt systems and demand a decryption key. It steals data — patient records, drivers’ licenses, tax forms, sensitive correspondence — and offers it for free download. This is data exfiltration at scale, and it represents a fundamental shift in how cybercriminals target healthcare.

Five Key Takeaways

  1. A New Cybercriminal Gang Is Hunting Healthcare Data. A data theft operation called Insomnia has surfaced on the dark web with 18 claimed victims. More than half have direct ties to healthcare — providers, medical malpractice law firms, and surgical equipment manufacturers. Security firm Kela confirms none of these victims appeared on prior ransomware leak sites, suggesting Insomnia is a genuinely new operation, not a rebrand.
  2. Attackers Are Stealing Data, Not Encrypting It. Insomnia does not deploy ransomware. It steals sensitive records — patient files, tax documents, driver’s licenses — and threatens public exposure. Rapid7 describes the group as “optimized for stealthy data theft versus loud, disruptive ransomware attacks.” Backups and disaster recovery plans are useless against this approach. Once the data leaves your network, the damage is done.
  3. Stolen Credentials Are the Front Door. Insomnia gains access through stolen login credentials harvested by infostealer malware and authentication bypass vulnerabilities. The group then moves laterally using legitimate tools like Windows Server updates. Endpoint protection and firewalls are not designed to stop an attacker who walks in with a valid username and password.
  4. Small and Mid-Sized Healthcare Organizations Are the Primary Targets. Most of Insomnia’s healthcare-related victims have annual revenue between $5 million and $57 million and employ between 11 and 200 people. These are organizations without dedicated security operations centers, enterprise threat detection, or full-time compliance staff. Limited security maturity is the common thread.
  5. Ransomware Payments Are Dropping — So Attackers Are Pivoting. A Sophos survey found only 36% of healthcare ransomware victims paid a ransom in 2025, down from 61% in 2022. Average payments dropped from $1.47 million to $150,000. Attackers are responding by shifting to pure data exfiltration. If organizations will not pay to decrypt, the next move is to extort them with the threat of exposing stolen patient records.

Why Healthcare Keeps Ending Up in the Crosshairs

Healthcare has long been the preferred target for cybercriminal operations. The sector holds enormous volumes of protected health information with high black-market value, and historically, healthcare organizations have been willing to pay ransom demands rather than risk patient safety.

But that calculus is changing. A Sophos survey found only 36% of healthcare ransomware victims paid in 2025 — down from 61% in 2022. Average payouts dropped from $1.47 million to $150,000. Healthcare is becoming a tougher environment for cybercriminals.

Attackers are adapting. Insomnia’s model reflects this pivot — rather than disrupting operations with ransomware, the group steals sensitive data and threatens public exposure. You cannot restore patient privacy from a backup. Once PHI is posted on a leak site, the consequences are irreversible.

How Insomnia Gets In — and Why Traditional Security Misses It

What distinguishes Insomnia from conventional ransomware groups is its operational approach. According to Christiaan Beek, senior director of threat intel and analytics at Rapid7, Insomnia is built for speed and invisibility.

The group gains access through stolen credentials harvested by infostealer malware from underground markets. It exploits authentication bypass vulnerabilities to sidestep login protections. Once inside, Insomnia moves laterally using authorized tools like Windows Server updates, blending in with normal administrative activity. Rapid7 describes the model as focused on “speed, low visibility and maximizing extortion leverage through sensitive data exposure.”

There are also indicators that Insomnia may function as a broker or platform for monetizing stolen data, potentially collaborating with other criminal actors who provide initial network access.

Perimeter defenses — firewalls, intrusion detection systems, endpoint protection platforms — were designed to stop malicious software and flag suspicious traffic. Insomnia is not delivering malware. It is logging in with legitimate credentials and using authorized tools. There is no malicious payload to detect.

Small and Mid-Sized Providers: Maximum Exposure, Minimum Defense

Insomnia’s victim profile reveals a deliberate targeting strategy. Most healthcare-related victims have annual revenue between $5 million and $57 million, with 11 to 200 employees. These are dermatology practices, regional clinics, specialty surgical centers, billing companies, and the law firms that handle their malpractice cases.

These organizations face a dangerous gap between threat exposure and defensive capability. They hold the same categories of sensitive patient data as major hospital systems but lack the resources to protect it. A 50-person orthopedic practice does not have a security operations center. A $20 million medical malpractice firm is not running enterprise-grade threat detection.

The tools these organizations rely on — basic endpoint protection, standard firewalls, consumer-grade file sharing, and unencrypted email — were never engineered to stop credential-based data theft.

Security firm Kela has tracked 68 healthcare organizations targeted by cybercrime groups in 2026, with 50 based in the United States. This targeting pattern reflects financially motivated operations that exploit opportunity and limited security maturity.

Why the Perimeter Model Cannot Solve This Problem

Credentials bypass the perimeter. When an attacker logs in with valid stolen credentials through an authorized access point, the perimeter sees a legitimate connection. There is nothing to block.

Detection requires something to detect. Insomnia uses Windows Server updates and legitimate administrative tools to move through networks. These actions mirror normal IT operations. There is no anomalous signal for security tools to flag.

Consumer file sharing has no governance. Healthcare organizations that transmit PHI through Dropbox, Google Drive, or unencrypted email have no visibility into who accesses that data, when, or from where. There are no access controls beyond a shared link and no audit trail for HIPAA breach notification.

Backups do not protect against data theft. Robust backup and disaster recovery — the traditional ransomware defense — has no relevance when the threat is exfiltration. You can restore encrypted systems. You cannot un-expose stolen patient records.

From Perimeter Security to Data-Centric Protection

Stopping credential-based data theft requires a fundamentally different approach. Instead of defending the network boundary, organizations must control access to the data itself — verifying identity, restricting permissions, encrypting content, and logging every interaction.

Authenticated access to every file. Every request to view, download, or share protected health information must require verified identity through multi-factor authentication. Stolen passwords alone cannot grant access. Contextual controls block access from unexpected locations, unrecognized devices, or unusual times.

Centralized data governance. Sensitive data stored in a hardened, monitored repository — rather than scattered across file shares, email inboxes, and personal cloud accounts — eliminates the sprawl that gives attackers multiple exfiltration vectors.

Encrypted communications. Protected health information transmitted over TLS 1.3 with FIPS 140-3 validated encryption cannot be read if it is intercepted in transit. Secure channels for email, file sharing, and third-party data exchange remove the exposure created when PHI travels as ordinary unencrypted SMTP email.

Comprehensive audit trails. Every access, download, share, and transmission is logged — who, what, when, where, how. Real-time alerting flags suspicious patterns like bulk downloads. SIEM integration enables correlation with other threat indicators. Forensic investigation can reconstruct the attack timeline and identify the precise scope of compromise.

Secure third-party exchange. Healthcare’s extended ecosystem — insurers, labs, specialists, billing companies — creates data exposure at every handoff. Authenticated, encrypted channels with time-limited permissions for external users eliminate the risk of partner compromise becoming your breach. This is where third-party risk management moves from a compliance checkbox to an operational necessity.
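As an added illustration of the bulk-download alerting and unrecognized-device checks described above (example code written for this article, not Kiteworks' own product logic), the following runs two detections over constructed PHI access-log records; the log field names, the 25-downloads-in-5-minutes threshold, and the per-user device enrollment list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PHI access-log records (not real data); the field names are
# assumptions for this example, not any product's actual log schema.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T09:02:11", "user": "jdoe", "action": "view", "src_ip": "10.0.5.21", "device_id": "WS-REG-01"},
    {"ts": "2026-02-10T09:40:03", "user": "jdoe", "action": "download", "src_ip": "10.0.5.21", "device_id": "WS-REG-01"},
]
# Same valid account, but 40 downloads in four minutes from an unenrolled device:
# the footprint a stolen-credential exfiltration leaves in the audit trail.
_BASE = datetime(2026, 2, 11, 2, 10, 0)
SAMPLE_EVENTS += [{"ts": (_BASE + timedelta(seconds=6 * i)).isoformat(), "user": "jdoe",
                   "action": "download", "src_ip": "203.0.113.45", "device_id": "UNKNOWN-7f3a"}
                  for i in range(40)]
KNOWN_DEVICES = {"jdoe": {"WS-REG-01"}}  # devices enrolled per user (constructed)

def _parsed(events):
    rows = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(rows, key=lambda e: e["ts"])

def bulk_download_alerts(events, threshold=25, window=timedelta(minutes=5)):
    """One alert per user whose downloads inside a sliding time window reach threshold."""
    by_user = defaultdict(list)
    for e in _parsed(events):
        if e["action"] == "download":
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": end - start + 1, "from": times[start].isoformat()})
                break
    return alerts

def unrecognized_device_alerts(events, known_devices):
    """One alert per (user, device, source IP) where the device is not enrolled for the user."""
    alerts, seen = [], set()
    for e in _parsed(events):
        key = (e["user"], e["device_id"], e["src_ip"])
        if e["device_id"] not in known_devices.get(e["user"], set()) and key not in seen:
            seen.add(key)
            alerts.append({"user": e["user"], "device_id": e["device_id"], "src_ip": e["src_ip"], "first_seen": e["ts"].isoformat()})
    return alerts
```

Both checks fire on the same account whose normal daytime activity is silent, which is the point: the credential is valid, so only the data-level audit trail distinguishes the owner from the intruder.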

Kiteworks: Data-Centric Security Built for Healthcare

This is the problem the Kiteworks Private Data Network is built to solve.

Kiteworks does not try to stop data theft at the network perimeter. It controls access to the data itself. Every interaction with protected health information runs through a single platform with consistent identity verification, encryption, access controls, and audit logging.

Traditional endpoint protection cannot stop an attacker using legitimate credentials. Firewalls cannot flag activity that mirrors normal operations. Consumer file sharing lacks HIPAA-compliant access controls and audit trails. Kiteworks consolidates all PHI exchange into a governed environment where stolen credentials alone cannot access data, every interaction is logged, and exfiltration attempts trigger automated response.

For CISOs, it is the zero-trust data protection architecture that prevents credential-based theft. For compliance officers, it is the audit trail that demonstrates HIPAA Security Rule compliance and supports breach notification. For CFOs at organizations in Insomnia’s target range, it is enterprise-grade protection without an enterprise budget — when the average healthcare data breach costs $10.93 million, prevention pays for itself.

The Window Is Closing

Insomnia is not an isolated incident. It is the latest signal in a clear trend. As ransomware payments decline, cybercriminal groups are pivoting to data theft because stolen health records create permanent leverage. New groups like Qilin and Sinobi continue to target healthcare organizations with limited security maturity. Sixty-eight healthcare entities have been targeted in 2026 and we are only in February.

Healthcare organizations that adopt data-centric security now will close the exfiltration gap that Insomnia and similar groups exploit. They will protect patient privacy, satisfy HIPAA compliance requirements, and avoid the $10.93 million average cost of a healthcare data breach. Organizations that continue relying on perimeter defenses will discover their gap the way Insomnia’s 18 victims already have.

Patient data can no longer be protected by guarding the network perimeter. The question is whether your organization will secure its data at the source before the next credential-based attack finds the gap your current tools were never designed to close.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

Insomnia is a cybercriminal operation that first appeared on the dark web in October 2025 with 18 claimed victims, more than half connected to healthcare. Unlike traditional ransomware groups, Insomnia focuses on stealing sensitive data rather than encrypting systems. The group targets healthcare because the sector holds high-value protected health information, and many small and mid-sized providers have limited security maturity.

Traditional ransomware encrypts files and demands payment for a decryption key. Insomnia skips encryption entirely, instead stealing sensitive records and threatening public exposure. This matters because backup and disaster recovery strategies — the conventional ransomware defense — are irrelevant against data exfiltration. Once patient records are stolen and posted publicly, the harm cannot be reversed. The only effective defense is preventing PHI from leaving the environment in the first place.

Perimeter security tools are designed to identify and block malicious software and anomalous network traffic. Insomnia bypasses these defenses by logging in with stolen credentials through authorized access points and moving laterally using legitimate tools like Windows Server updates. Because the activity mirrors normal operations, there is no malicious payload to detect and no anomalous signal to flag. Zero-trust data protection — verifying identity and restricting access at the data level — is the appropriate countermeasure.

Data-centric security shifts protection from the network perimeter to the data itself. It controls access to sensitive files through multi-factor authentication, granular permissions, encryption, and comprehensive audit logging. Even if an attacker obtains stolen credentials, MFA prevents unauthorized access. Granular permissions limit what any single account can reach. Audit trails detect unusual access patterns and support forensic investigation.

Small and mid-sized healthcare organizations should prioritize three controls: enforce multi-factor authentication on every system that touches PHI, consolidate data exchange into a single governed platform with built-in access controls and audit trails, and eliminate consumer file sharing and unencrypted email for patient data. Enterprise-grade protection is now available at SMB price points — the $10.93 million average cost of a healthcare breach dwarfs the investment.
