Report: Ransomware attacks cause $1.9 million daily loss
Caitlin Anthoney Jan 2, 2025 7:29:13 PM
The healthcare sector remains a major target in a year of incessant cyberattacks against the United States. Ransomware attacks on healthcare organizations have reached a catastrophic frequency, and their financial toll is equally severe.
A Comparitech research report on the average downtime caused by ransomware attacks states, "While ransomware attacks, in general, are destructive, the impacts on healthcare facilities are arguably some of the most catastrophic. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker or the ransomware is removed by IT specialists."
The report also shows that since 2018, there have been 654 successful ransomware attacks on US healthcare providers, compromising nearly 89 million patient records.
The financial cost is equally staggering: downtime alone costs the average healthcare organization an estimated $1.9 million per day, adding up to a record $21.9 billion in downtime losses industry-wide.
By the numbers
- 17 days: Average downtime per ransomware attack across all years covered.
- 26.2 million: Records breached in 2023, the highest of any year.
- 143 attacks: The record number of incidents, also in 2023.
- $4,000 to $10 million: The range of reported ransom demands.
- $1.18 million: The average demand across the 55 attacks with a documented ransom figure.
- $10 million: The largest known ransom demand (OrthoVirginia, 2021).
- $1.1 billion to $1.6 billion: The estimated cost of the 2024 Ascension attack, including disruption and recovery.
Unpacking the billion-dollar nightmare
One of the most striking examples of this devastation occurred in May 2024 when Ascension, a healthcare network with about 140 hospitals, suffered a ransomware attack. The attack disrupted electronic health records, delayed lab results, and even caused medication errors.
Other high-profile cases also show the financial and operational havoc caused by ransomware. In 2022, CommonSpirit Health faced a $160 million recovery bill following an October attack. That same year, Universal Health Services reported $67 million in losses after a ransomware attack disrupted operations for three weeks.
Go deeper: Ascension Health falls victim to cyberattack, impacting 13.4 million
How ransomware groups have evolved
Ransomware groups have become more sophisticated and aggressive over time. In 2023, the LockBit group dominated the ransomware landscape alongside newcomers like ALPHV/BlackCat and Karakurt. BianLian became the most active threat actor in 2024, showing how quickly the cast of actors changes.
Ransom demands have climbed as well. In 2021, for instance, the Ryuk ransomware group demanded $10 million from OrthoVirginia, while Acadian Ambulance faced a $7 million demand in 2024.
Most organizations have refused to pay despite the enormous pressure to do so, recognizing that paying only funds and encourages further attacks. Lehigh Valley Health Network, for example, refused to pay a $5 million ransom in 2023 even though the breach affected almost 250,000 people.
A national crisis
California, which has the highest number of healthcare providers, has taken the brunt of these attacks with 66 since 2018, followed by Texas with 49 and New York with 47. The financial and operational consequences fall heaviest on these states as well.
Smaller states such as North Dakota and South Dakota have not been spared, however, and the impact is not confined to the state where an attack occurs. The report adds, "Patients whose data is compromised could live in any state and aren't necessarily from the same state as the breached organization."
Ultimately, these findings show that ransomware knows no boundaries and no healthcare provider is immune.
The way forward
It is time for the health sector to treat cybersecurity as part of patient care. Policymakers also have a role to play, through federal funding of cybersecurity initiatives, stricter regulations, and stronger penalties against ransomware groups.
Read more: How to develop HIPAA compliance policies and procedures
FAQs
What is a ransomware attack?
A ransomware attack is a type of cyberattack in which attackers gain unauthorized access to an organization's systems, encrypt the data on them, and demand payment in exchange for the decryption key. Many groups also copy the data before encrypting it and threaten to publish it if the ransom is not paid.
Attackers often target sensitive information such as personal, financial, or healthcare data, crippling the victim's operations until the ransom is paid or the systems are restored by other means, such as from clean backups.
Ransomware typically enters through phishing emails, malicious links, unpatched software vulnerabilities, or remote-access services exposed with weak or stolen credentials, exploiting gaps in an organization's defenses. Even after paying the ransom, victims are not guaranteed a working decryptor, and any data that was copied before encryption may still be leaked or sold.
Who needs to comply with HIPAA?
HIPAA compliance is required for covered entities, including healthcare providers, health plans, healthcare clearinghouses, and their business associates, who handle protected health information (PHI).
How can providers make Google Workspace email HIPAA compliant?
Providers must use a Google Workspace Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and configure the service (access controls, encryption, and audit logging) so that protected health information is safeguarded in transit and at rest.
Learn more: How to set up HIPAA compliant emails on Google