3 in 4 Compromised Healthcare Devices Expose Patient Records, Flare Report Reveals

by Jasmine Pennic 05/19/2026


What You Should Know

  • The Cyber Threat Surge: In its newly released report, The State of Healthcare Credential Exposure in 2026, Threat Exposure Management leader Flare documented a 33% year-over-year increase in compromised healthcare credentials.
  • EHR Systems Compromised: Flare’s analysis of over 154,000 infostealer malware logs revealed that nearly 74% of infected healthcare devices contained credentials for Electronic Health Record (EHR) and Electronic Medical Record (EMR) systems.
  • The U.S. as a Primary Target: The United States remains the most heavily targeted country globally, accounting for 48% of all healthcare-exposed logs surfaced on criminal marketplaces and illicit Telegram channels.
  • Medication Systems at Risk: Researchers identified hundreds of logs containing direct access to physical medication dispensing and tracking platforms—including Omnicell, BD Pyxis, ScriptPro, and Bluesight—which manage controlled substances like opioids and sedatives.
  • The Malware Mechanism: Infostealer malware operates by quietly harvesting credentials, browser data, and session cookies, packaging them into “stealer logs” that allow attackers to completely bypass traditional multi-factor authentication (MFA) via session hijacking.

Flare’s 2026 Report: A 33% Surge in Healthcare Credential Theft Targets the Medical Intelligence Layer

The digital transformation of the American healthcare system has created an unparalleled ecosystem of clinical and financial data. However, as hospital networks and health insurance plans aggressively expand their digital touchpoints, they are exposing a dangerous vulnerability that traditional perimeter defenses are failing to secure: the credentials of their own workforce.

According to a landmark report released by threat intelligence firm Flare, The State of Healthcare Credential Exposure in 2026, cybercriminals have shifted away from complex network-penetration exploits. Instead, they are increasingly buying their way into healthcare enterprises using stolen credentials harvested by infostealer malware.

Flare’s deep-web analysis of over 154,000 stealer logs found a staggering 33% year-over-year surge in healthcare-specific credential theft. This trend is accelerating even as general, cross-industry infostealer malware volumes experience a 32.2% decline, signaling that clinical access codes have become a highly targeted, premium commodity on underground marketplaces and illicit Telegram networks.

The EMR Vulnerability: Handing Over the Keys to Patient Data

Infostealer malware operates quietly on endpoint devices—frequently infecting clinician laptops, administrative workstations, or third-party vendor systems through phishing or compromised personal downloads. Once inside, the malware harvests stored passwords, autofill data, and active browser session cookies, packaging the data into “stealer logs”. Because session cookies are captured, attackers can mirror an authenticated user’s browser state, effectively bypassing standard Multi-Factor Authentication (MFA) protections.
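One way a service can limit the cookie replay described above, as an added example that is not from the article or the Flare report: the server binds each session to the context in which MFA succeeded and re-checks that binding on every request. `SessionStore`, `bind`, the policy values, and the premise that `device_id` comes from a non-exportable source such as a managed-device client certificate (not from anything stored in the browser) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
IDLE_TIMEOUT = 15 * 60                # seconds; hypothetical policy value


def bind(device_id: str, user_agent: str) -> str:
    """Keyed hash of the client context recorded when MFA succeeded."""
    msg = f"{device_id}\x00{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side sessions: the cookie holds only a random id."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, device_id, user_agent, network, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "network": network,
                               "binding": bind(device_id, user_agent),
                               "last_seen": now}
        return sid

    def validate(self, sid, device_id, user_agent, network, now=None):
        """Return 'allow', 'step_up' (repeat MFA), 'revoke' or 'deny'."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return "deny"                      # unknown or already revoked
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return "deny"                      # idle sessions expire
        if not hmac.compare_digest(s["binding"], bind(device_id, user_agent)):
            del self._sessions[sid]            # cookie replayed from another
            return "revoke"                    # device: kill it for everyone
        if network != s["network"]:
            return "step_up"                   # same device, new network
        s["last_seen"] = now
        return "allow"
```

A binding built only from browser-visible values such as the User-Agent would add little, because stealer logs carry browser data alongside the cookies.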

The consequences of these compromises are deeply alarming for clinical privacy. Flare’s research revealed that 73.9% of all healthcare-exposed logs contained direct credentials for Electronic Health Record (EHR) and Electronic Medical Record (EMR) platforms. A single compromised credential can expose a vast repository of highly sensitive patient information, including:

  • Social Security Numbers (SSNs) and financial billing details
  • Private clinical diagnoses and specialized laboratory results
  • Real-time medication lists and insurance enrollment data

Estelle Ruellan, threat intelligence researcher at Flare, warned that healthcare credential exposure is uniquely hazardous because of the systemic visibility it provides. A single infected device can hand a malicious actor the structural layout required to map, exploit, and completely disrupt an entire regional hospital network.

Hijacking the Physical Workflow: Medication and Supply Lines

The threat extends beyond digital data theft; it directly compromises the physical care environment. Flare’s threat intelligence team identified more than 900 highly detailed logs that contained direct access credentials for automated medication dispensing and tracking networks, including dominant industry platforms like Omnicell, BD Pyxis, ScriptPro, and Bluesight.

These platforms govern the physical inventory, auditing, and automated dispensing of prescription drugs right on the hospital floor, including highly regulated controlled substances such as opioids, paralytics, and heavy sedatives. Compromising the software layers backing these physical machines introduces catastrophic liabilities, allowing bad actors to potentially falsify inventory records, disrupt localized pharmacy supply chains, or intercept high-risk clinical workflows.

This systemic vulnerability explains why the United States has emerged as the global epicenter for medical credential theft, accounting for 48% of all healthcare-exposed logs worldwide. On average, roughly 2,900 devices tied directly to American healthcare access are actively compromised and cataloged on cybercrime forums every single month.

Cyber Resilience Meets Capital Realism

The findings from Flare’s 2026 report land at a critical crossroads for healthcare technology leadership. Recent market data highlights a massive 40% year-over-year contraction in traditional acute care EHR purchasing energy, as hospital systems aggressively freeze spending on legacy core software upgrades. Executives are instead reallocating limited capital to fund the Medical Intelligence Layer—advanced AI scheduling tools, remote patient monitoring platforms, and automated clinical workflows that promise immediate operational efficiency and workforce relief.

However, this rapid proliferation of specialized software-as-a-service (SaaS) applications, combined with the fact that nearly 80% of healthcare plans and providers are co-developing AI capabilities with external vendors, dramatically multiplies the enterprise attack surface. Every new vendor portal, every external AI agent, and every remote clinical integration represents a new set of credentials that an infostealer can harvest.

For the modern healthcare C-suite, the takeaway is clear: you cannot protect an AI-driven system of action with a legacy cybersecurity framework. If three out of four infected devices are actively leaking core EMR access, then perimeter defense is an illusion. Achieving true Return on AI Investment (ROAI™) requires an equal commitment to continuous credential exposure monitoring and zero-trust session validation. In an era where clinical documentation and operations run at digital speed, securing the human credentials that unlock the machine has become an absolute operational necessity.
