North Korea-linked Lazarus deploys Medusa ransomware, hitting U.S. hospitals and nonprofits
Security researchers reported on Feb. 25, 2026 that Lazarus actors used Medusa ransomware against U.S. healthcare and nonprofit groups, prompting service disruptions and data risk.

Security researchers reported on Feb. 25, 2026, that North Korea-linked actors operating under the Lazarus umbrella began deploying the Medusa ransomware family in financially motivated extortion campaigns. According to the researchers, the campaigns have struck organizations in the Middle East and several healthcare and nonprofit groups in the United States, producing operational disruptions and heightened risks to patient data and social services.
Analysts tracing the activity say Medusa encrypts files and exfiltrates data for double-extortion demands, a pairing that raises both immediate and long-term threats for institutions that manage sensitive health and social welfare records. Healthcare providers and community-serving nonprofits are already high-value targets: their operations depend on timely access to electronic records, appointment systems and billing platforms, and they often lack the cybersecurity budgets of larger corporations.
The attacks expose fragile links between cyber risk and public health. Even short outages in electronic health record systems can force clinics to delay routine and preventive care, postpone diagnostic testing, and revert to paper workflows that increase the chance of error. For nonprofit organizations that provide housing assistance, food distribution, mental health counseling and refugee services, data loss or service interruption can sever lifelines for people who have few alternatives and limited digital access.
Those consequences fall disproportionately on low-income communities, immigrants and older adults who rely on safety-net providers. Cyberattacks that disrupt community clinics, food banks or legal aid groups therefore compound preexisting health and social inequities, experts say, by limiting access to care and assistance precisely for populations that face the greatest barriers to recovery.
Medusa’s presence in campaigns attributed to Lazarus also signals a continuing trend of state-linked actors engaging in profit-driven extortion to generate revenue, complicating traditional distinctions between espionage and criminality. That hybrid behavior presents challenges for policymakers and regulators who must decide how to allocate scarce resources across public health, law enforcement and cyber defense.
For the health sector, the immediate policy implications are clear: federal and state authorities must accelerate funding and technical assistance for small hospitals, community health centers and nonprofit providers. Mandatory reporting requirements for ransomware incidents exist under federal law when breaches involve protected health information, but reporting alone does not remedy missing patches, legacy systems or understaffed IT teams. Investment is needed in secure infrastructure, zero trust architectures, backup systems and workforce training so that patient care can continue during and after an incident.
Insurers and regulators must also confront the market distortions that encourage ransom payments. Smaller providers often pay to restore operations quickly because contingency reserves and recovery plans are inadequate. Without stronger public supports and coordinated incident response networks that prioritize continuity of care, vulnerable patients will continue to bear the costs.
Researchers monitoring the Medusa campaigns warned that attacks are ongoing and urged immediate hardening measures for organizations likely to be targeted: isolate critical systems, verify backups, and prioritize patching of externally facing services. Beyond technical mitigation, the incidents underscore a public health imperative: protect the institutions that serve the most vulnerable, because when community providers go dark the harms fall hardest on those with the least capacity to absorb them.

