Ransomware attacks on US health organizations

In 2020, 92 individual ransomware attacks affected over 600 separate clinics, hospitals, and organizations and more than 18 million patient records. We estimate the cost of these attacks to be almost $21 billion.

One of the 92 attacks was the one on Blackbaud, a cloud software provider. To date, 100 US healthcare organizations are noted as having been impacted by this attack, affecting over 12.3 million patient records (we provide a full breakdown below).

Since 2016, ransomware attacks have been a huge cause for concern for hospitals all over the world. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker (or the ransomware is removed by IT specialists). Add a global pandemic into the mix and you’ve got an even bigger problem that leads to severe delays and costs to healthcare organizations, patients going untreated, and canceled appointments.

But what is the true cost of ransomware attacks on US healthcare organizations?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting healthcare organizations since 2016. However, breaches are only published by the U.S. Department of Health Services if they affect over 500 people. While those lower than 500 also need reporting, they often go under the radar as they aren’t publicly disclosed. The public might only find out if the healthcare organization undergoes severe disruption and makes news. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different healthcare resources—specialist IT news, data breach reports, and the Health Services reporting tool—to collate as much data as possible on ransomware attacks on US healthcare providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to healthcare organizations. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings

  • 92 individual ransomware attacks on healthcare organizations – a 60 percent increase from 2019
  • Over 600 separate hospitals, clinics, and organizations potentially affected (plus a further 100 in the Blackbaud attack)
  • 18,069,012 individual patients/records affected – a 470 percent increase from 2019
  • Almost 50% of Maine’s population was impacted by ransomware attacks in 2020
  • Ransomware amounts varied from $300,000 to $1.14m
  • Downtime varied from minimal impact due to frequent data backups to weeks or months of paper-only systems. One healthcare organization even lost all of the patient records involved in its attack
  • Based on the average ransom demand in 2020 being $169,446 (according to the average across all of the quarterly reports from Coveware data), hackers demanded an estimated $15.6m in ransoms
  • Hackers received at least $2,112,744 in ransom payments (plus the undisclosed amount paid by Blackbaud and several other attacks)
  • The overall cost of these attacks is estimated at around $20.8 billion

There has also been a growing trend of double-extortion attempts in which hackers not only lock computers with a message demanding a ransom but also contact victims with proof of the data collected. Posting the stolen data onto their websites, this increases the pressure on organizations to pay the ransom fee. Examples include Beacon Health Solutions, Wilmington Surgical Associates, and Riverside Community Care.

Which state had the most ransomware attacks on healthcare providers in 2020?

As we can see from the above map, California had the most ransomware attacks, accounting for 12 percent of the attacks in 2020. But with such a large concentration of healthcare providers within this state, perhaps this isn’t too much of a surprise.

Florida had the second-highest number (8), followed by New York (6) and Texas (5). 20 states aren’t recorded as having any individual attacks but only 11 of these weren’t impacted by the Blackbaud breach.

Based on the number of records impacted by these ransomware attacks (including the records affected by the Blackbaud attack), the most heavily-affected states change.

As we can see, Michigan had the most patient records affected in 2020. And all of these records come from the Blackbaud attack which affected two Michigan-based healthcare organizations (while there were two separate attacks in Michigan, neither of these have recorded patient figures, likely due to them affecting less than 500 patients).

Trinity Health, which is headquartered in Michigan, suffered the largest number of impacted patient records of any healthcare organization involved in the Blackbaud attack. Noted as having over 3.3 million patients affected, the cyberattack could have given hackers access to personal information from the organization’s donor database. However, as Trinity Health is spread across numerous states, a number of these patients will live in different states.

Meanwhile, Arizona’s high figure comes not from the Blackbaud breach but from another large-scale breach at managed care firm, Magellan. Impacting nearly 1.7m records, this is 2020’s second-largest ransomware attack based on the number of records affected (after Blackbaud). Again, not all patients will be from Arizona.

Nearly 50 percent of residents in Maine were impacted by ransomware attacks in 2020

Based on the number of records affected in relation to the population of each state, the highest percentage of a state’s population to be affected by healthcare ransomware attacks was in Maine. And unlike Michigan where the records affected may relate to residents in other states, Maine’s two impacted organizations are located solely in Maine.

Both the Opportunity Alliance (4,500 records affected) and Northern Light Health (657,392 records affected) were involved in the Blackbaud ransomware attack. Based on these figures, 49.42 percent of Maine’s 1.34m residents could have been impacted by this one attack.

100 US healthcare organizations impacted by Blackbaud ransomware attack

In May 2020, Blackbaud, a cloud software provider, was the victim of a ransomware attack. Since then, a large number of US healthcare organizations have released statements about how their systems and records may have been infiltrated by the hackers.

Based on our research, we calculate the current number of organizations affected by the Blackbaud breach as being 100. This has impacted 12,328,221 records and counting.

How much did these ransomware attacks cost healthcare organizations in 2020?

As mentioned previously, ransom demands varied dramatically from $300,000 to $1.4 million. Plus, only a handful of providers publicly release the figures involved (we could only find figures for 3 out of the 91 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.

What we do know, however, is the following:

  • In March 2020, Champaign-Urbana Public Health District in Illinois paid “more than” $300,000 as the district didn’t have time to wait for the data to be saved or restored.
  • In June 2020, the University of California San Francisco (School of Medicine) paid $1.14m to NetWalker in order to regain access to its data which was needed to “serve the public” with its COVID-19 research.
  • In September 2020, the University Hospital New Jersey paid $672,744 (the equivalent of 61.90 Bitcoins) in order to prevent hackers from publishing stolen data. The initial ransom was $1.7m.

Adding in downtime

While it is difficult to ascertain just how much is lost in these attacks to paid ransom demands, there is a cost that affects the majority of attacked organizations–downtime.

As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.

According to Coveware, the average amount of time lost to downtime was 15, 16, 19, or 21 days for Q1, Q2, Q3, or Q4 of 2020, respectively. This means, in just a year, the downtime caused by these attacks has increased by nearly a week.

Based on these figures and the quarter in which the attacks took place, ransomware attacks may have caused 1,669 days (40,056) of downtime to healthcare organizations in 2020.

So how much could this have cost healthcare providers?

A 2017 estimate places the average cost per minute of downtime at $8,662. This would mean the cost of downtime to healthcare organizations in 2020 was around $20.8 billion. This is over double what the estimate is for 2019 ($8.46 billion) and more than 10 times the estimate for 2018 ($1.95 billion).

These figures, while astronomical, are in line with some of the costs organizations have disclosed:

  • Universal Health Services recently reported that it lost $67 million after its Ryuk ransomware attack in September 2020. It took 3 weeks for the organization to get its 400 US health system sites back online.
  • Florida Orthopedic Institute faces a $99 million lawsuit after its ransomware attack in April 2020 exposed patient data (which lawyers argue wasn’t adequately protected).
  • Park DuValle Community Health Center revealed how its ransomware attack in June 2019 cost $1 million. This included the $70,000 ransom (6 BTC) the center had to pay after being unable to access data for two months.
  • NEO Urology in June 2019 not only paid $75,000 in ransom but also suffered revenue losses of $30,000 to $50,000 per day.
  • Erie County Medical Center didn’t pay the ransom of $30,000 to have its patients’ data released back to them but did spend almost $10 million recovering from the attack of April 2017. Officials also anticipated that $250,000 to $400,000 extra would be required each month to increase employee awareness and improve technology defenses.

Key findings from 2016 to 2020

Our team has logged all of the ransomware attacks from January 2016 to December 2020. During this time:

  • There have been 270 individual ransomware attacks on healthcare organizations
  • Around 2,100 hospitals, clinics, and organizations have been affected (plus a further 100 in the Blackbaud attack)
  • Over 25 million patients have been affected
  • Hackers have received around $3.3m (but this is based on a handful of confirmed reports, with many ransom payments and/or amounts going undisclosed)
  • The overall cost of these attacks is estimated at over $31 billion

How does 2020 compare to previous years?

Ransomware started trending toward healthcare companies in 2016. But from 2016 to 2019 the number of attacks rose and fell. Then, in 2020, they skyrocketed – and so did the number of records impacted (thanks, primarily, to the Blackbaud breach).

Hospital ransomware attacks by year

In 2016, there were 36 ransomware attacks on US healthcare organizations, followed by 53 in 2017. In 2018, the figure dipped again to 31, making this the lowest year for attacks overall. In 2019 the figures rose again to 50 before rising even further to 91 in 2020.

These waves of attacks may relate to different types of ransomware being developed. However, with many organizations failing to disclose the type of ransomware used in the attack, it is difficult to know if this is the case.

From those that did reveal the type of ransomware used, we do know that Locky was particularly popular throughout 2016. SamSam was also popular from 2016 to 2018. In 2020, Conti was the most commonly noted, along with Maze and NetWalker.

So why the vast increase in 2020?

With the onset of the COVID-19 pandemic in March 2020, the strain on healthcare organizations was vast. This could have made them even more vulnerable to attacks as resources were thinly spread to try and cope with increasing demands. It perhaps also added to the incentive for hackers as they knew hospitals now more than ever could ill afford system downtime.

As well as the monetary cost of downtime to healthcare organizations, there’s also the even more worrying cost of patients’ health and even lives. While it would be hard to ascertain the overall impact on patients, one study does suggest that data breaches (as a whole) increase the 30-day mortality rate for heart attacks, equating to 36 more deaths per 10,000 heart attacks each year.

The true cost of ransomware to US health providers

As we have seen, it is difficult to get a full picture of how costly ransomware attacks are on US health providers due to the lack of information released about them. We estimate ransomware attacks have cost healthcare organizations in the US over $31 billion over the last three years – at least. With attacks not being publicized if they affect under 500 patients and ransom amounts being largely undeclared, these figures are likely to be much higher.

What’s in store for the future?

With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike. Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.

Methodology

Our research found 270 ransomware attacks in total affecting 2,196 hospitals, clinics, and other health providers. From this, we were able to ascertain how much ransom had been demanded and how much had been paid.

Where possible, each attack was assigned to a state. In some cases, the state assigned may be where the head office of the company is located. This means some of the patients and/or clinics involved in the attack may have been located in other states.

In the case of Blackbaud, this has been logged as one ransomware attack. But due to the vast scale of this attack and the large number of organizations and records affected, the record figures of each affected organization have been assigned to the state in which they’re located (or, if spread across multiple states, to the head office of their organization – as above).

See also: The Best Ransomware Protection Tools

Researchers: George Moody, Rebecca Moody

Sources

https://healthitsecurity.com/topic/latest-health-data-breaches

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

https://www.census.gov

https://www.coveware.com/ransomware-blog