Full Report
BakerHostetler's annual report, which shares its experiences as a law firm representing data breach clients, is always one of my favorite reads, and its 2026 Data Security Incident Response Report does not disappoint. As always, it is chock-full of interesting statistics and commentary. In 2025, it represented 1,250 clients: 27% were from Healthcare (including pharma...
Analysis Summary
# Incident Report: BakerHostetler 2026 Data Security Incident Response Summary
## Executive Summary
This report summarizes the aggregate findings from 1,250 security incidents handled by BakerHostetler in 2025. The data reveals a significant pivot toward extortion-based attacks, with a 70% spike in average ransom demands and a growing trend of paying to prevent data publication rather than to obtain decryptors. Healthcare remains the most targeted and financially impacted sector, while third-party vendor risk accounted for a quarter of all incidents.
## Incident Details
- **Discovery Date:** Various (2025 Reporting Year)
- **Incident Date:** 2025
- **Affected Organizations:** 1,250 diverse clients
- **Sector:** Primarily Healthcare (27%), Finance (18%), and Professional Services (15%)
- **Geography:** Global client base, represented by a US-based law firm
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2025
- **Vector:** Phishing (30%, the leading cause) and unpatched vulnerabilities (21% of known root causes)
- **Details:** Threat actors are increasingly using AI to accelerate the speed and scale of these initial intrusions.
### Lateral Movement
- **Details:** Common in the 47% of cases classified as "Network Intrusions"; in 17% of cases malware was deployed to support movement within the network.
### Data Exfiltration/Impact
- **Details:** 48% of all incidents involved confirmed data exfiltration or theft. This has become the primary leverage for extortion, surpassing the encryption of systems in terms of payment motivation.
### Detection & Response
- **Discovery:** Methods varied, but forensic investigation speeds improved in 2025.
- **Response Actions:** Organizations reduced the "time to notification" by 3 days compared to the previous year through faster forensics.
## Attack Methodology
- **Initial Access:** Phishing, exploited unpatched vulnerabilities.
- **Persistence:** Malware installation (17%).
- **Lateral Movement:** Network intrusion techniques (47% of incidents).
- **Exfiltration:** Systematic theft of sensitive data (48% of incidents).
- **Impact:** Ransomware deployment (27%), wire fraud/direct deposit fraud (13%), and data publication for extortion.
## Impact Assessment
- **Financial:** Average initial ransom demand: $4.2M. Average payment: $682,702. Healthcare average demands reached $18M+.
- **Data Breach:** High volume; 48% involved exfiltration.
- **Operational:** Significant disruption due to ransomware and network lockouts.
- **Reputational:** Massive increase in litigation; 14% of incidents led to class-action lawsuits.
## Indicators of Compromise
- **Network Indicators:** None specifically listed in the aggregate report summary; the incidents are associated with common phishing and C2 infrastructure.
- **Behavioral Indicators:** High-volume data transfers (exfiltration), unauthorized access to email accounts (36% of cases), and negotiation patterns lasting 20–60 days.
## Response Actions
- **Containment:** Forensic investigations to stop unauthorized access.
- **Eradication:** Removal of malware and closing of entry points (patching).
- **Recovery:** Negotiation with threat actors (34% of victims paid), recovery from backups, and legal notification of affected parties.
## Lessons Learned
- **Extortion Shift:** Threat actors are prioritizing data theft over encryption. 43% of victims paid to prevent data leaks, while only 31% paid for decryptors.
- **Vendor Vulnerability:** 25% of breaches originated at a third-party vendor, highlighting a critical weakness in supply chain security.
- **Litigation Risk:** Lawsuit frequency is increasing, even for smaller breaches at large-revenue organizations ($5B+).
## Recommendations
- **Enhance Vendor Management:** Implement more robust security audits and contractual requirements for third-party processors.
- **Prioritize Phishing Defense:** Since phishing remains the top vector, focus on MFA (Multi-Factor Authentication) and advanced email filtering.
- **Patch Management:** Address the 21% of network intrusions caused by unpatched vulnerabilities through automated scanning and rapid deployment.
- **Incident Preparedness:** Develop a clear strategy for ransom negotiations, as the data suggests longer negotiation periods (20–60 days) yield significantly higher discounts.