Flare 2026 Report: Healthcare Credential Exposure Rising
News | 28.05.2026
Healthcare organizations face a rapidly escalating threat: infostealer malware is harvesting credentials at an unprecedented scale, and patient records are increasingly at risk with every compromised device.
Cybercriminals are targeting the healthcare sector with growing precision. A single infected endpoint can expose an entire hospital's infrastructure — from electronic health records to medication dispensing systems. The latest research from Flare, a leader in Threat Exposure Management, quantifies this threat with striking clarity and provides a critical benchmark for CISOs and IT security leaders heading into the second half of 2026.
What was announced
On May 19, 2026, Flare released "The State of Healthcare Credential Exposure in 2026", a comprehensive threat intelligence report analyzing more than 154,000 stealer logs containing medical, healthcare, and hospital services access data. The findings are significant:
- 74% of compromised devices contained credentials for electronic health record (EHR) and electronic medical records (EMR) systems, exposing social security numbers, diagnoses, lab results, medications, and insurance information.
- 33% year-over-year increase in healthcare credential-driven attacks, reflecting cybercriminals' intensifying focus on clinical systems.
- Nearly 61,000 healthcare-related logs have surfaced on underground platforms over the past two years, granting attackers direct access to sensitive systems.
- Approximately 2,900 devices with healthcare access were compromised and shared on criminal marketplaces every month in 2025 — over 34,800 annually.
- The United States accounts for 48% of healthcare-exposed logs, making it the most targeted country.
- 900 logs contained access to medication dispensing and tracking platforms including Omnicell, BD Pyxis, ScriptPro, and Bluesight — systems managing the physical dispensing of controlled substances such as opioids and sedatives in hospital units.
"Healthcare credential exposure is not only increasing, but the type of access found in these logs makes each compromise particularly significant. A single infected device could hand an attacker the keys to understand, map, and exploit an entire hospital's infrastructure, which can have a catastrophic impact."
Why this matters
For CIOs, CISOs, and IT directors across the CEE region and globally, this report signals an urgent need to rethink credential exposure monitoring within healthcare environments. Several structural factors make this threat particularly acute:
- Infostealer malware as a systemic risk: Infostealers harvest credentials and session tokens, packaging them into stealer logs sold across cybercrime forums. Once a log containing healthcare access is traded, the window for exploitation opens immediately.
- EHR and EMR systems as high-value targets: These platforms are the backbone of clinical operations. Credential compromise at this level translates directly into potential HIPAA violations, regulatory penalties, and reputational damage.
- Medication system exposure: Access to platforms like BD Pyxis or Omnicell goes beyond data — it touches the physical supply chain of controlled substances, representing a patient safety risk, not just a data breach.
- Accelerating attack frequency: With nearly 2,900 compromised devices per month in 2025, the volume of available healthcare credentials on underground markets is growing faster than most organizations can detect and respond.
- Time to detection remains the critical gap: The longer a compromised credential goes undetected, the deeper the potential intrusion. Continuous stealer log monitoring directly reduces this window.
Technical details
- Data source: Analysis of 154,000+ stealer logs containing medical, healthcare, and hospital services access credentials.
- EHR/EMR exposure rate: 73.9% of infected devices contained access to electronic health record or electronic medical record systems.
- Underground platform activity: ~61,000 healthcare-related logs identified on dark web and cybercrime forums over two years.
- Monthly compromise volume: ~2,900 healthcare-access devices compromised and listed on criminal marketplaces monthly (2025 data).
- Geographic concentration: 48% of exposed logs attributed to US-based healthcare organizations.
- Medication platform exposure: 900 logs tied to Omnicell, BD Pyxis, ScriptPro, and Bluesight systems managing controlled substance dispensing.
- Year-over-year trend: 33% increase in healthcare stealer log volume, indicating sustained and growing criminal interest in clinical credentials.
- Flare platform capability: Continuous monitoring of clear web, dark web, and cybercrime forums; automated stealer log detection and alerting for healthcare-sector clients.
Softprom and Flare
Softprom is the official distributor of Flare in the CEE region. As a trusted distribution partner, Softprom provides access to Flare's Threat Exposure Management platform, enabling regional organizations to detect credential exposures across the clear and dark web before attackers can exploit them.
Want to learn how Flare can help your healthcare or enterprise organization monitor and mitigate credential exposure risks? Contact the Softprom team for a consultation or to request a platform demonstration.
This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news.