What Attackers See When They Look at US Healthcare: A Sector-Wide External Attack Surface Analysis

May 21, 2026

By Adrian Cheek, Senior Cybercrime Researcher

Almost every major intrusion at a US hospital in the last three years began with something small and public. A VPN gateway someone forgot to patch. An Outlook Web Access page sitting on a routable address. A remote-access protocol exposed to the open internet because it was quicker than standing up a jump host. 

What the adversary did next varied: some encrypted and demanded payment, some exfiltrated patient records and sold them, and some did both, then leaked the data when the ransom did not land. A smaller but growing set, often state-aligned, wiped systems outright. Whatever came after, the front door was the same. It shows up in public scan data, indexed and searchable, free to anyone with a browser.

We pulled together that scan data for the US healthcare sector to see what the attacker sees. The result is a sector-wide picture of 15,885 unique internet-facing hosts across 1,175 distinct organizations in all 50 states. No asset was probed, authenticated against, or exploited. Every finding in this article is reachable today by any adversary with basic tooling, and the same queries that produced it are running continuously against US hospitals, clinics, and health systems right now, by parties with far less friendly intentions.

The headline numbers are worth sitting with. 489 hosts carry at least one CVE finding. 311 of those carry a critical-rated CVE, meaning a CVSS (Common Vulnerability Scoring System, the industry-standard severity rating for software vulnerabilities) score of 9.0 or higher. 175 distinct critical vulnerabilities were identified across the sector, many of them in the same edge appliances and web stacks that have featured in published incident reports for recent attacks. And 77 hosts across 24 organizations match the exposure indicators called out in a joint CISA, FBI, NSA, EPA, DOE, and CNMF advisory issued on April 7, 2026.

Key Findings About US Healthcare

  • 311 healthcare hosts carry at least one critical-rated CVE (CVSS 9.0 or higher), spanning 175 distinct vulnerabilities. Many are in the same software and network equipment linked to major breaches at healthcare organizations.
  • The most widespread issue involves Apache HTTP Server, a common web technology. Three related vulnerabilities in its URL-rewriting module (mod_rewrite) each appear on 115 separate healthcare hosts, making them among the most pervasive risks in the dataset.
  • Across 24 healthcare organizations, 77 hosts show at least one of the exposure indicators flagged in a recent joint advisory from the FBI, NSA, CISA, and several other federal agencies. The standout finding is a single healthcare organization with four Rockwell Automation EtherNet/IP endpoints, the class of industrial controller used to manage physical equipment such as pumps, valves, and building systems, reachable directly from the public internet. That is precisely the exposure the advisory warns is being actively exploited.
  • Over 1,000 healthcare hosts are running cleartext FTP on the public internet, and 2,760 are running plain HTTP. Additionally, 1,199 hosts expose SNMP without v3 authentication (v1/v2c agents are gated only by a community string sent in cleartext, and a readable agent hands out interface tables, routes, and ARP caches), 21 expose RDP directly, 33 expose SMB, and six expose the DICOM medical imaging protocol on routable addresses. DICOM was not designed for untrusted networks, and any direct exposure puts PHI within reach.
  • Maryland has the highest critical-CVE concentration at 12% of observed hosts, followed by Connecticut (5.6%) and Ohio (5.1%). California and Texas have the largest raw host counts but lower critical rates (2.0% and 0.5% respectively), suggesting breadth of observation rather than elevated relative risk.
  • The exposure classes identified in this research are the documented step-one entry points in published incident reports for recent major healthcare breaches, all of which began with external, reachable, visible entry points of the types cataloged here. The clinical consequences of those breaches included ambulance diversions, surgery delays, medication errors, and the theft of an estimated one-third of all American medical records in a single dataset.
Your Exposure Review

What Would an Adversary Find if They Ran This Query Against Your Organization Tomorrow?

Get a non-intrusive, organization-specific exposure review completed in days — a prioritized remediation backlog mapped to the hosts, products, and services an adversary sees today.

Same methodology used to produce this research
No active scanning or probing of your environment

The Advisory That Should Have Been Read More Carefully

AA26-097A is a joint advisory issued on April 7, 2026 by CISA, the FBI, the NSA, the EPA, the DOE, and CNMF. It warns of Iranian-affiliated APT activity targeting internet-facing operational technology across US critical infrastructure, with specific attention to Rockwell Automation and Allen-Bradley programmable logic controllers. The activity is attributed to IRGC-CEC-linked operators tracked as CyberAv3ngers, Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5691. Several of these groups have a documented track record of destructive rather than financially motivated operations: CyberAv3ngers has deployed wipers and OT-manipulation tooling against water, energy, and manufacturing targets. The operational goal is disruption, not extortion, and there is no ransom note to negotiate.

The advisory is written with water, energy, and manufacturing in mind, but healthcare is a designated Critical Infrastructure sector and the same exposure profile applies. Connected medical devices, building management systems, HVAC, and clinical engineering stacks all live on the same entry surface the advisory describes.

Testing the Advisory Against Healthcare Scan Data

The fingerprint is straightforward to test. Rockwell and Allen-Bradley devices talk EtherNet/IP on TCP port 44818 and answer identity requests with distinctive product banners. VNC exposes remote access to HMI displays and engineering workstations on port 5900 and its neighbours, and announces itself with an RFB version string. Telnet, on port 23, carries cleartext administrative sessions. A wider set of OT protocols, including Modbus, DNP3, BACnet, Siemens S7, Niagara Fox, and IEC-104, sit on their own well-known ports.
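
The indicator logic described above, as an added example rather than the research's own tooling: a small Python classifier that tags passive banner records with the four indicator columns used in the sector table (Rockwell, VNC, Telnet, Other OT) and aggregates them to city and state, counting each host once in Hosts and once per indicator it carries. The port assignments are public vendor and IANA defaults; the Rockwell product-string pattern, the rule that a 5900-series port counts as VNC only when the RFB handshake string is present, and the treatment of port 44818 without a Rockwell banner as generic OT are this example's own assumptions. The scan records are constructed for the example.

```python
"""Passive AA26-097A indicator matching over banner records (added example)."""
import re
from collections import defaultdict

# Public default listener ports for the protocol families named in the advisory.
# These are vendor/IANA defaults, not quoted from the advisory text.
ROCKWELL_ENIP_PORT = 44818
VNC_PORTS = range(5900, 5910)
TELNET_PORT = 23
OTHER_OT_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    47808: "BACnet/IP",
    102: "Siemens S7 (ISO-TSAP)",
    1911: "Niagara Fox",
    4911: "Niagara Fox (TLS)",
    2404: "IEC 60870-5-104",
}
# Product strings typical of Rockwell/Allen-Bradley EtherNet/IP identity replies
# (pattern is an assumption of this example, not an advisory-supplied signature).
ROCKWELL_BANNER = re.compile(
    r"Rockwell|Allen-Bradley|ControlLogix|CompactLogix|MicroLogix|1756-|1769-", re.I
)
INDICATORS = ("Rockwell", "VNC", "Telnet", "Other OT")
COLUMNS = INDICATORS + ("Hosts",)


def classify(record):
    """Map one passive record {port, banner} to its indicator labels.

    A VNC-range port without the 'RFB ' handshake is not counted, because
    anything can listen on 5900. Port 44818 with no Rockwell product string is
    still EtherNet/IP, so it lands in Other OT rather than Rockwell.
    """
    port = record["port"]
    banner = record.get("banner") or ""
    labels = set()
    if port == ROCKWELL_ENIP_PORT:
        labels.add("Rockwell" if ROCKWELL_BANNER.search(banner) else "Other OT")
    if port in VNC_PORTS and banner.startswith("RFB "):
        labels.add("VNC")
    if port == TELNET_PORT:
        labels.add("Telnet")
    if port in OTHER_OT_PORTS:
        labels.add("Other OT")
    return labels


def summarize(records):
    """Aggregate to (city, state): unique hosts per indicator plus unique hosts overall."""
    per_host = defaultdict(set)  # (city, state, ip) -> union of labels across its ports
    for rec in records:
        labels = classify(rec)
        if labels:
            per_host[(rec["city"], rec["state"], rec["ip"])] |= labels
    table = defaultdict(lambda: {k: 0 for k in COLUMNS})
    for (city, state, _ip), labels in per_host.items():
        row = table[(city, state)]
        row["Hosts"] += 1
        for label in labels:
            row[label] += 1
    return dict(table)


def totals(table):
    """Column sums across every city row."""
    out = {k: 0 for k in COLUMNS}
    for row in table.values():
        for k, v in row.items():
            out[k] += v
    return out


# Constructed sample records; addresses and banners are invented for the example.
SAMPLE = [
    {"city": "Morehead City", "state": "NC", "ip": "203.0.113.10", "port": 44818,
     "banner": "Product Name: 1756-EN2T/D Allen-Bradley"},
    {"city": "Morehead City", "state": "NC", "ip": "203.0.113.11", "port": 44818,
     "banner": "Product Name: 1769-L33ER CompactLogix"},
    {"city": "New Orleans", "state": "LA", "ip": "198.51.100.5", "port": 5900,
     "banner": "RFB 003.008\n"},
    {"city": "New Orleans", "state": "LA", "ip": "198.51.100.5", "port": 502, "banner": ""},
    {"city": "New Orleans", "state": "LA", "ip": "198.51.100.6", "port": 5901,
     "banner": "RFB 003.889\n"},
    {"city": "New Orleans", "state": "LA", "ip": "198.51.100.6", "port": 47808, "banner": ""},
    {"city": "Jay", "state": "OK", "ip": "192.0.2.7", "port": 23,
     "banner": "\xff\xfd\x18login: "},
    # Negatives: a web server on 5900 and an ordinary HTTPS host are not indicators.
    {"city": "Jay", "state": "OK", "ip": "192.0.2.8", "port": 5900,
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"city": "Jay", "state": "OK", "ip": "192.0.2.9", "port": 443, "banner": "HTTP/1.1 200 OK\r\n"},
]

if __name__ == "__main__":
    table = summarize(SAMPLE)
    print(f"{'City':<14}{'State':<7}" + "".join(f"{k:>10}" for k in COLUMNS))
    for (city, state), row in sorted(table.items(), key=lambda kv: -kv[1]["Hosts"]):
        print(f"{city:<14}{state:<7}" + "".join(f"{row[k]:>10}" for k in COLUMNS))
    print(f"{'Total':<21}" + "".join(f"{v:>10}" for v in totals(table).values()))
```

The two New Orleans addresses each carry a VNC listener and an OT port, so they are counted once in Hosts and once in each of the VNC and Other OT columns, which is the same shape the sector table shows for that city. The nginx listener on 5900 and the plain HTTPS host are dropped, which is the point of requiring the RFB string rather than trusting the port alone.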

Running those queries across the US healthcare attack surface, two findings stand out.

  • In North Carolina, a single healthcare organization is exposing four Rockwell Automation and Allen-Bradley EtherNet/IP endpoints directly on the public internet. That is the precise fingerprint the advisory warns about, in a sector the advisory implicitly covers. 
  • In Connecticut, a single organization is exposing 45 VNC endpoints to the public internet. VNC alone does not confirm OT involvement, because the protocol lives on both IT and OT assets and banner-based detection cannot always tell them apart. But 45 instances from one owning organization is a pool of reachable remote-access sessions that deserves immediate validation against internal asset inventory.

A note on naming: The specific organizations behind these findings are not named in this blog, which is a deliberate editorial choice. Identifying them by name would shorten the distance between reading this article and targeting the hosts it describes. The identities are sitting in the same public scan data that produced the rest of the research, which means any adversary who wants them can have them within minutes. The defenders at those organizations deserve the time to remediate without a published article acting as a waypoint for the next attacker, and that principle applies across the following findings.

The broader table of AA26-097A-aligned indicators across the sector (a dash means no hosts in that column; a host carrying two indicators is counted once in Hosts):

City               State    Rockwell   VNC   Telnet   Other OT   Hosts
Farmington         CT              -    45        -          -      45
Morehead City      NC              4     -        -          -       4
Jay                OK              -     -        3          -       3
New Orleans        LA              -     2        -          2       2
Indianapolis       IN              -     -        -          2       2
Kansas City        MO              -     -        -          2       2
19 other cities    various         -     1       13          5      19
Total                              4    48       16         11      77

77 hosts across 24 organizations show at least one AA26-097A-aligned indicator. These are indicators, not confirmed OT exposures. Validation against internal asset inventory is required before treating any single row as a confirmed finding.

How Exposure Becomes an Incident

The indicators above are step one of a documented attack sequence. The path from a visible service to a clinical disruption has been published in detail by CISA, Mandiant, Microsoft, and the FBI, across advisories covering Rhysida, BlackCat, LockBit, BianLian, Scattered Spider, and the Iranian-affiliated clusters named in AA26-097A. The opening moves are identical across all of them.

External reconnaissance identifies exposed edge devices, VPN gateways, web applications, or remote-access protocols, using the same open-source data this research is built on. The adversary targets a known CVE, a default or stolen credential, or a protocol misconfiguration, and gains an authenticated foothold inside the network. They move laterally, elevate privileges, disable backups and security tooling, and identify clinical and billing systems. From there the path forks into three branches:

Branch 1: Encryption and Extortion

Financially motivated operators stage data for exfiltration, encrypt, and extort. The double-extortion model is now the norm, because stolen patient data pressures the victim into paying even when backups are clean. The time from initial access to encryption typically runs 24 to 72 hours.

Branch 2: Exfiltration Only

No encryption, no ransom note, no obvious disruption. The data is sold on cybercrime markets, reused for medical identity fraud, or held for a later leak. Healthcare records are the most valuable category on most illicit markets precisely because they combine PII, insurance details, and clinical history in a single record, which cannot be reissued the way a credit card number can. These operations can run for weeks or months undetected.

Branch 3: Destructive Operations

Wipers, firmware bricking, and deliberate corruption of databases and EHR backing stores. This is the pattern AA26-097A warns about. Recovery is not a matter of paying a ransom. Recovery depends on whether the organization had offline backups that survived, and how long restoration takes with clinical operations halted. Destructive operations execute in minutes once the operator triggers them.

Patient diversion, surgery cancellations, and EHR downtime begin within the same window in all three cases.

The Exposed Entry Points

The exposure classes this research surfaces are the documented step-one entry points for every stage of that sequence:

Product / Service              Hosts
F5 BIG-IP                        852
Citrix NetScaler / ADC           310
Check Point                      138
SonicWall                         57
Outlook Web Access                49
Cisco ASA SSL VPN                 43
FortiGate                         27
Microsoft Exchange (direct)       25
Ivanti Connect Secure              8

Presence on that list does not imply vulnerability. It does imply an attack surface that requires an aggressive patching cadence and MFA enforcement. Every product in the top half of the list has been the subject of named vulnerabilities exploited in the wild within the last 18 months.

Protocol-Level Exposure

Protocol                       Hosts
Plain HTTP                     2,760
SNMP (without v3 auth)         1,199
FTP (cleartext)                1,045
IMAP (cleartext)                 502
POP3 (cleartext)                 481
SMB                               33
RDP (direct)                      21
DICOM (port 104 / 11112)           6

DICOM and HL7 were not designed for untrusted networks. Any direct exposure on a public IP is a significant finding because these protocols carry protected health information (PHI).

Where the Critical Findings Cluster

Raw host counts tell you where exposure is concentrated. Critical-CVE rate tells you where the risk concentrates. The two do not always match.

State            Hosts   Hosts with Vulns   Hosts with Criticals   Critical Rate
Maryland           291                 38                     35           12.0%
Connecticut        661                 65                     37            5.6%
Ohio               547                 35                     28            5.1%
Massachusetts      298                 27                     10            3.4%
Indiana            321                 10                      9            2.8%
California       2,675                 64                     53            2.0%
New York         1,001                 29                     17            1.7%
Florida            782                 22                     12            1.5%
Michigan           334                 12                      5            1.5%
Illinois           496                 12                      7            1.4%

Top 10 US states by critical-CVE concentration among observed healthcare hosts

Maryland stands out: 12% of observed hosts in the state carry at least one critical-rated vulnerability. California and Texas have the largest raw host counts, but their critical rates sit at 2.0% and 0.5% respectively, which suggests the breadth of the observation rather than elevated relative risk. 

Banner-based matching can inflate counts where one vulnerable web stack is shared across many locations behind a single owning organization, so state totals should be read as a triage signal, not a scorecard.

At the CVE level, the concentration is around Apache HTTP Server. Fifteen of the most prevalent CVEs in the data are Apache issues, with the mod_rewrite cluster fixed in httpd 2.4.60 (CVE-2024-38474, CVE-2024-38475, CVE-2024-38476) appearing on 115 hosts each, and public PoCs and mass exploitation activity already reported for it. The legacy tail includes CVE-2011-2688 and CVE-2013-4365, each showing up on 164 hosts, which is the signature of long-lived web fronts and appliances that have not been refreshed in over a decade.
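
Version-string triage for that mod_rewrite cluster, as an added example that is not the research's own tooling: it parses the Server header, compares the version against the 2.4.60 fix release (Apache lists 2.4.0 through 2.4.59 as affected), and, following the caveat in the methodology section, refuses to call a distro-tagged build vulnerable because Debian, Ubuntu, and Red Hat family packages backport fixes while keeping the old version string. It also counts distinct (owner, banner) pairs next to raw hosts, so one shared stack behind many addresses is visible as the inflation it is. The distro list, the class names, and the sample records are this example's own assumptions.

```python
"""Apache Server-header triage for the httpd 2.4.60 mod_rewrite fix cluster (added example)."""
import re
from collections import Counter, defaultdict

# CVE-2024-38474, -38475 and -38476 are fixed in httpd 2.4.60; Apache lists
# 2.4.0 through 2.4.59 as affected.
FIX_VERSION = (2, 4, 60)
AFFECTED_BRANCH = (2, 4)
BANNER = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s*\(([^)]*)\))?")
# Vendors that backport security fixes into packages whose version string never
# changes. List is an assumption of this example; extend it for your estate.
BACKPORTING_DISTROS = ("ubuntu", "debian", "red hat", "centos", "rocky",
                       "almalinux", "amazon", "suse", "oracle")


def triage(server_header):
    """Classify one Server header against the mod_rewrite cluster.

    Returns one of:
      'patched'            version >= 2.4.60
      'likely_vulnerable'  2.4.x below the fix with no distro tag
      'needs_validation'   distro-tagged build (fix may be backported), or a
                           version outside the affected 2.4 branch
      'unknown'            no parseable version (e.g. ServerTokens Prod)
    """
    m = BANNER.search(server_header or "")
    if not m:
        return "unknown"
    version = tuple(int(x) for x in m.group(1, 2, 3))
    distro = (m.group(4) or "").lower()
    if version >= FIX_VERSION:
        return "patched"
    if version[:2] != AFFECTED_BRANCH:
        return "needs_validation"
    if any(name in distro for name in BACKPORTING_DISTROS):
        return "needs_validation"
    return "likely_vulnerable"


def triage_many(records):
    """Per class: raw host count and the number of distinct (owner, banner) pairs.

    One web stack fronting many addresses under a single owner shows up as
    many hosts but one distinct stack, which is the inflation to watch for.
    """
    hosts = Counter()
    stacks = defaultdict(set)
    for rec in records:
        cls = triage(rec["server"])
        hosts[cls] += 1
        stacks[cls].add((rec["org"], rec["server"]))
    return {cls: {"hosts": n, "distinct_stacks": len(stacks[cls])}
            for cls, n in hosts.items()}


# Constructed records; owner names and banners are invented for the example.
SAMPLE = [
    {"org": "Health System A", "server": "Apache/2.4.41 (Unix)"},
    {"org": "Health System A", "server": "Apache/2.4.41 (Unix)"},
    {"org": "Health System A", "server": "Apache/2.4.41 (Unix)"},
    {"org": "Clinic B", "server": "Apache/2.4.52 (Ubuntu)"},
    {"org": "Clinic C", "server": "Apache/2.4.6 (CentOS)"},
    {"org": "Hospital D", "server": "Apache/2.4.62 (Unix)"},
    {"org": "Hospital E", "server": "Apache"},
    {"org": "Hospital F", "server": "Apache/2.2.34 (Unix)"},
]

if __name__ == "__main__":
    for cls, counts in sorted(triage_many(SAMPLE).items()):
        print(f"{cls:<18} hosts={counts['hosts']:>3}  distinct_stacks={counts['distinct_stacks']:>3}")
```

The three Health System A hosts collapse to one distinct stack, which is how a single unpatched web front inflates a state's count. The Ubuntu and CentOS builds land in needs_validation rather than likely_vulnerable: the only way to settle them is an authenticated check of the installed package version or a behavioural test, which is exactly what the methodology says must happen before acting on a banner-derived CVE call-out.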

Why This Is a Patient Safety Issue, Not an IT Backlog

The exposure classes in this research are the documented initial-access vectors in every branch of the sequence above. Recent healthcare incidents that began that way have produced consequences such as:

  • Pharmacy and claims processing lost across the US after an edge-device compromise, with weeks of disruption to prescription fulfilment, compounded by the theft of an estimated one-third of all American medical records in a single data set
  • Ambulances diverted, surgeries delayed, and a reversion to paper charting across 140 hospitals
  • Delayed stroke care, medication errors, and cancelled procedures across 140 facilities
  • The records of 11 million patients lost in an exfiltration-only breach, with no encryption involved

In every case the entry point was external, reachable, and visible through the same class of open-source reconnaissance used to produce this research.

Clinical Consequences Compound Across All Three Outcomes

Encryption halts clinical operations immediately. Peer-reviewed research links hospital ransomware events to increased in-hospital mortality, longer lengths of stay, and drops in stroke and cardiac care performance across neighbouring facilities as patient load redistributes.

Exfiltration creates a longer tail of harm: HIPAA enforcement action, class-action litigation, medical identity fraud against individual patients, and the sale of PHI on markets where it is reused for insurance fraud and targeted phishing against vulnerable populations. 

Destructive operations are the most dangerous of the three in patient safety terms, because the goal is not leverage. The goal is to take clinical systems offline and keep them offline. An EHR restored from a week-old backup is missing medication orders, allergy updates, and recent imaging. A patient arriving unconscious in an ER has no usable history. The wiper does not need to hit every hospital in a network to achieve operational impact. One facility offline for even an hour during a regional mass-casualty event is sufficient.

The Cost

IBM's 2025 Cost of a Data Breach report puts the average healthcare breach at $7.42 million, the most expensive of any industry for the fourteenth consecutive year. Ransomware-specific studies show mean recovery times of 21 to 26 days. Recovery from destructive attacks, where it has been measured in other sectors, routinely runs into months.

The remediation cost of eliminating a single cleartext protocol, decommissioning a legacy web front, or replacing an unpatched edge device is trivial against any of these outcomes. The reframing that aligns clinical leaders, executives, and security teams is the one that treats exposure remediation as a patient safety priority rather than an IT backlog item.

What the Attacker Sees Tomorrow Morning

This research was assembled from publicly indexed scan data. Any external party, including ransomware affiliates, initial access brokers, and state-aligned operators, can perform the same queries and reach the same conclusions in the time it takes to run a search. AA26-097A describes adversaries doing exactly this against critical infrastructure today. The defensive implication is unavoidable. Internet-exposed healthcare services are being enumerated and triaged by hostile parties on a continuous basis, right now, without any need for the adversary to touch the target environment.

The sector-wide view in this article is an average. It tells you what the US healthcare footprint looks like in aggregate. It does not tell you what your external attack surface looks like. The single most important question this research raises is not answered in this article:

What would a full external reconnaissance, run against your own organization tomorrow morning by a hostile party, reveal that this sector-wide view has not?

Methodology

All findings are produced from passive service banner data. No active scanning, probing, authentication, or exploitation of any kind was performed against any host referenced in this article. No traffic was sent to in-scope assets as part of this analysis.

Organizations are not named. Findings are aggregated to sector, state, and city level. Flare Research holds the underlying asset-level data, which identifies the specific owning organization behind every finding in this article. Publishing that data would hand adversaries a pre-sorted target list. Withholding it does not make the hosts safer, because the same data is available to any adversary willing to run the same queries, but it does avoid giving published amplification to a target list that an attacker would otherwise have to assemble on their own. Defenders at affected organizations can request a direct review of their own infrastructure.

Findings should be treated as indicators, not confirmed exploitable conditions. Remote vulnerability detection relies on banner fingerprinting, version strings, and service behaviour, all of which can be inaccurate. False positives are expected. Back-ported security patches in enterprise Linux distributions preserve old version strings after the vulnerability is fixed. Web Application Firewalls and reverse proxies terminate external traffic and may mask the actual origin server. Load balancers and CDNs share banners across many backend services. Organization and location attribution is based on autonomous system registration, reverse DNS, and certificate metadata, which can be inaccurate or stale. Validation against authenticated scanning, asset inventory, and patch records is required before acting on any specific CVE call-out.
