Ransomware attacks on US health organizations

In 2021, 108 individual ransomware attacks affected 2,302 medical organizations, which impacted 19.76 million patient records. We estimate that these attacks cost medical entities almost $7.8 billion in downtime alone.

Since 2016, ransomware attacks have been a well-known threat to medical organizations. We saw a massive influx of attacks from the pandemic onwards. While ransomware attacks, in general, are destructive, the impacts on healthcare facilities are arguably some of the most catastrophic. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker (or the ransomware is removed by IT specialists). Add a global pandemic into the mix and you’ve got an even bigger problem that leads to severe delays and costs to healthcare organizations, patients going untreated, and canceled appointments.

For example, Scripps Health, a California-based non-profit operator with 5 hospitals and 19 outpatient clinics, suffered a ransomware attack in May 2021. The overall cost of the attack exceeded $112 million. Four hospitals had to re-route stroke and heart attack patients, and two hospitals also lost access to their electronic medical record system and offsite servers.

So, what is the true cost of these ransomware attacks across the healthcare sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2022?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting medical organizations since 2016. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. It is often only when the hospital/clinic has to acknowledge the breach due to disrupted systems or lost patient data that information about the attack is released to the public. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different healthcare resources— specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US healthcare providers. We then used all of the available data on downtime and ransom amounts to estimate a range for the likely cost of ransomware attacks on medical organizations. Due to the limitations of uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Please note: in this update, we have separated healthcare-based organizations, such as hospitals, clinics, pharmacies, and care homes from businesses that cater solely to the healthcare industry, e.g. pharmaceutical companies and medical manufacturers, Therefore, the focus of this study is on companies that primarily offer a healthcare service and directly deal with patients and their data. As a result, some figures may differ from previous versions of this study.

Key findings

In 2021:

  • 108 individual ransomware attacks on medical organizations–a slight increase from 2020 (103)
  • 2,302 separate hospitals/clinics/organizations were potentially affected–a 45 percent increase from 2020 (1,586)
  • 19,755,950 individual patient records were impacted–a 312 percent increase from 2020 (4,798,963)
  • Ransomware amounts varied from $250,000 to $5 million
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • On average, medical organizations lost nearly six days to downtime (5.78), which accounted for an estimated 624 total days of downtime
  • Hackers demanded up to $7 million across just three attacks and received payment in 3 out of 19 cases where the medical organizations disclosed whether or not they paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have)
  • The overall cost of these attacks is estimated at around $7.8 billion
  • Pysa, Avaddon, and Conti were the most prolific hackers (where the entity disclosed the hacker name or the hacker claimed responsibility for the attack)

Which state had the most ransomware attacks on medical organizations in 2021?

As we can see from the above map, California had the most ransomware attacks (13), accounting for 12 percent of the attacks in 2021. But with such a large concentration of healthcare providers within this state, perhaps this isn’t too much of a surprise. Texas was a close second with nine reported healthcare ransomware attacks in 2021.

It’s a similar picture for the number of records affected, too. California saw the most records impacted (just over 4 million in total). The majority of these records stem from the hack on SmileBrands, Inc. This attack, which was carried out by DarkSide, affected 2.6 million patient records. While it is unknown what the ransom amount was and whether or not it was paid, the criminal group did publish around 700GB worth of data online.

Texas also has a high number of records affected (1.85 million across 9 attacks) but Wisconsin was the second-highest state for impacted patients with 2.4 million in total. As a lower-populated state, this is perhaps more of a surprise. All of these breached records come from one single attack, too. In May 2021, Forefront Dermatology, S.C. was hit by Cuba ransomware, and patient files were accessed. In July 2021, Forefront Dermatology began notifying 2.4 million people that their records may have been among those accessed by attackers. However, it’s important to note (as with all of these attacks) that patients may have been from outside the company’s head office location–Wisconsin.

How much did these ransomware attacks cost medical organizations in 2021?

Ransom demands varied dramatically from $250,000 to $5 million. Plus, only a handful of providers publicly release the figures involved (we could only find a ransom demand figure for three out of the 108 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these, as it may incentivize further attacks.

Below are a few attacks where ransom amounts were acknowledged:

  • Allergy Partners suffered an attack whereby unknown hackers demanded $1.75 million in ransom. The medical practice claimed they did not pay the ransom, but did spend eight days restoring systems.
  • Hackers demanded an extortionate ransom of $5 million from UF Health Central Florida. UF Health Central Florida refused to comment on whether the ransom was paid or not but a data breach report was filed for 700,981 patients.
  • In October 2021, the threat actor ‘Groove’ demanded $250,000 from TriValley Primary Care. In an online chat, Groove demanded that the medical practice responded to its demands, however, there is no evidence that this occurred. It is unclear whether any ransom demand was paid but the Care’s website was unavailable for some time.

Adding in downtime

While it is difficult to ascertain just how much is lost in these attacks to paid ransom demands, there is a cost that affects the majority of attacked organizations–downtime.

As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.

According to the figures we did find for 11 of the attacks, medical entities suffered an average downtime of nearly 6 days (5.78) in 2021. Downtime relates to hospitals/clinics being shut and/or services being largely unavailable. Based on these figures, ransomware attacks may have caused 624 days (nearly 15,000 hours) of downtime.

So how much could this have cost medical providers?

A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to medical organizations in 2021 was around $7.8 billion. While high, this is less than half of 2020’s figure of $18.8 billion.

Even though 2021 saw a higher number of attacks, entities suffered far more downtime in 2020 (14.7 days, on average). This much higher downtime figure in 2020 may stem from the onset of the pandemic and the chaos surrounding it, including staff working from home, IT providers perhaps being less readily available, and an increased number of patients.

These figures, while astronomical, are in line with some of the costs organizations have disclosed:

  • As mentioned above, Scripps Health reported that the total cost of their ransomware incident exceeded $112 million. This was the largest amount reported (by a facility reporting on total attack costs) from 2016 to the present day and stemmed primarily from loss of revenue.
  • SmileDirectClub estimated that its April 2021 ransomware attack could cost the company up to $15 million. While it did have insurance, the impact of the attack on its business operations and financial results were detrimental to its earnings.
  • Forefront Dermatology agreed to pay $3.7 million in September 2022 to resolve litigation from its 2021 attack, which affected 2.4 million patients.

Key findings from January 2016 to September 2022:

Our team has logged all of the ransomware attacks from January 2016 to September 2022. During this time:

  • 424 separate individual ransomware attacks have been carried out on medical organizations
  • 6,835 individual medical entities have been potentially impacted and nearly 35 million patient records affected
  • Medical organizations have suffered an estimated 4,602 days of downtime due to ransomware attacks
  • Ransom requests varied from $1,600 to $14 million
  • Hackers have demanded an estimated $436.5 million in ransom
  • Hackers have received at least $2.78 million in ransom payments with the average payment being $253,000
  • We estimate that downtime has cost medical organizations $57.4 billion

Ransomware attack costs on healthcare organizations by year

 TOTALS2022 (to September)202120202019201820172016
State# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)# of Attacks# of Locations Potentially Affected# of Patient Records AffectedCost of Downtime ($)
Alabama624402,322 907,805,318 000011072,095,558 0000321391,472 598,717,440 00002210,850 236,992,320 0000
Alaska2203,546 345,509,856 00000000111,538 183,357,216 1192,008 162,152,640 000000000000
Arizona11631,337,383 1,162,135,498 144737,448 292,498,416 45135,812 288,382,234 37452,295 404,134,272 00001510,465 52,387,776 0000221,363 124,732,800
Arkansas312141,146 485,210,592 0000000021113,146 366,714,432 0000000011128,000 118,496,160 0000
California501,037 5,787,288 5,898,738,845 11850,000 292,498,416 139814,010,921 1,127,085,581 1114178,258 2,024,413,344 722237,174 1,147,541,760 44141,029 209,551,104 44288,906 473,984,640 101181,000 623,664,000
Colorado12111349,858 1,768,087,440 117,130 292,498,416 000044303,956 637,384,608 31021,475 486,457,920 114,065 52,387,776 2226,381 236,992,320 116,851 62,366,400
Connecticut4481,299 560,050,272 000000001125,727 183,357,216 2231,994 324,305,280 1123,578 52,387,776 00000000
Delaware77235,663 1,075,820,400 113,500 292,498,416 000033136,087 550,071,648 00001150,000 52,387,776 1119,203 118,496,160 1126,873 62,366,400
District of Columbia110118,496,160 00000000000000000000110118,496,160 0000
Florida19762,004,030 2,616,582,312 211360,746 294,057,576 535823,353 360,477,792 826776,462 1,466,857,728 223,500 324,305,280 116,092 52,387,776 1133,877 118,496,160 0000
Georgia141721,994,694 1,956,433,968 310313,045 877,495,248 51561,482,054 360,477,792 225,600 366,714,432 00001116,000 52,387,776 22177,995 236,992,320 11062,366,400
Hawaii3340,800 286,635,974 000011072,095,558 0000110162,152,640 1140,800 52,387,776 00000000
Idaho11062,366,400 00000000000000000000000011062,366,400
Illinois11224795,620 1,407,110,717 1120292,498,416 4202740,291 231,504,077 3327,490 550,071,648 150162,152,640 1120,371 52,387,776 117,468 118,496,160 0000
Indiana15802,272,173 1,556,540,611 19362,833 292,498,416 6631,740,676 453,278,995 227,264 366,714,432 11160,000 162,152,640 331,400 157,163,328 0000220124,732,800
Iowa44578,995 405,132,134 000011527,378 72,095,558 00001111,617 162,152,640 1140,000 52,387,776 110118,496,160 0000
Kansas77128,309 677,798,035 00003325,008 216,286,675 00001117,214 162,152,640 00002286,087 236,992,320 11062,366,400
Kentucky66235,271 1,272,274,560 11190,209 810,763,200 000000002220,000 162,152,640 00002225,062 236,992,320 11062,366,400
Louisiana10929458,474 1,877,228,640 328501622,416,672 00004898321,030 812,010,528 22127,262 324,305,280 0000119,681 118,496,160 0000
Maine00000000000000000000000000000000
Maryland789134,313 1,065,966,509 000021350,000 144,191,117 36553,193 740,912,832 000000001131,120 118,496,160 110062,366,400
Massachusetts1136454,546 1,201,114,498 1161,541 292,498,416 616422,677 296,178,034 3313,900 550,071,648 0000000000001116,428 62,366,400
Michigan93891,620 1,401,123,542 11725,318 292,498,416 1443,071 72,095,558 41221,988 637,384,608 110162,152,640 0000241,243 236,992,320 0000
Minnesota717123,158 971,668,512 00000000255,282 357,983,136 2990,993 324,305,280 116,546 52,387,776 2220,337 236,992,320 0000
Mississippi433130,006 501,176,390 000012762,342 72,095,558 259,664 366,714,432 0000000000001158,000 62,366,400
Missouri1057407,512 1,438,917,581 2140584,996,832 229101,916 144,191,117 0000311259,000 486,457,920 2244,979 104,775,552 111,617 118,496,160 0000
Montana284,000 144,191,117 0000284,000 144,191,117 00000000000000000000
Nebraska58277,341 744,654,816 0000000014219,000 183,357,216 2248,000 324,305,280 00002210,341 236,992,320 0000
Nevada581,475,620 573,271,949 0000251,303,000 144,191,117 22168,722 366,714,432 00000000113,898 62,366,400 0000
New Hampshire34712,542 448,414,416 13710,461 292,498,416 19037,419,840 000000000000112,081 118,496,160 0000
New Jersey1659325,656 1,969,156,714 178,110 292,498,416 420192,941 288,382,234 4440,278 733,428,864 31924,176 349,251,840 00001116,474 118,496,160 3843,677 187,099,200
New Mexico419945,988 729,187,949 210101,541 584,996,832 29844,447 144,191,117 00000000000000000000
New York21791,733,523 2,873,968,445 11318,558 292,498,416 7301,192,253 504,668,909 71701,257,306,624 427222,712 648,610,560 13052,387,776 110118,496,160 0000
North Carolina10962493,130 1,770,332,630 3830214,128 877,495,248 212743,687 171,881,798 33234,390 550,071,648 000011052,387,776 11925118,496,160 0000
North Dakota00000000000000000000000000000000
Ohio12128274,279 1,416,091,478 112,763 292,498,416 175216,478 72,095,558 3822,378 385,424,352 339,319 498,931,200 3400104,775,552 00001123,341 62,366,400
Oklahoma713192,120 1,173,985,114 1138,239 760,870,080 511147,881 350,748,634 0000000000000000116,000 62,366,400
Oregon71311,173,371 1,017,944,381 196380,984 292,498,416 231790,387 144,191,117 220366,714,432 110162,152,640 112,000 52,387,776 00000000
Pennsylvania154661,224,679 1,978,885,872 12575,628 292,498,416 518565,485 360,477,792 4416240,566 812,010,528 110162,152,640 1130,000 52,387,776 24300,000 236,992,320 1113,000 62,366,400
Puerto Rico22522,439 324,305,280 00000000000022522,439 324,305,280 000000000000
Rhode Island3815,478 186,849,734 000011072,095,558 0000000013052,387,776 00001415,478 62,366,400
South Carolina452,851 502,174,253 0000230144,191,117 112,851 183,357,216 00000000110174,625,920 0000
South Dakota2210,200 301,853,376 00000000110183,357,216 000000001110,200 118,496,160 0000
Tennessee7113450,321 975,535,229 11422,531 292,498,416 21083,634 144,191,117 11656183,357,216 000000003323,500 355,488,480 0000
Texas337823,498,501 4,513,082,170 5654445,094 1,444,405,824 91041,852,788 648,860,026 59717,319 908,054,784 2212,689 324,305,280 1140,000 52,387,776 88366,944 947,969,280 3463,667 187,099,200
Utah312336,875 417,605,414 0000118,059 72,095,558 118,816 183,357,216 110320,000 162,152,640 000000000000
Vermont34159,381 661,083,840 1659,381 124,732,800 0000160374,198,400 1290162,152,640 000000000000
Virginia66110,344 867,890,822 0000112,000 72,095,558 4495,107 733,428,864 0000000000001113,237 62,366,400
Washington10611,203,360 1,436,173,459 0000399,858 216,286,675 439696,000 733,428,864 313497,502 486,457,920 000000000000
West Virginia383,912 594,351,792 113,912 292,498,416 0000160183,357,216 00000000110118,496,160 0000
Wisconsin58072,434,918 567,284,774 000011952,413,553 72,095,558 000026100324,305,280 113,731 52,387,776 1117,634 118,496,160 0000
Wyoming290199,572,480 18037,419,840 00000000110162,152,640 000000000000
Totals:4246,83534,968,85557,407,772,269401,8434,933,60111,699,624,8081082,30219,755,95077868816051031,5864,798,96318,885,793,248599223,010,5469,404,853,1202974481,0561,466,857,72851551,619,8246,043,304,1603453368,9152,120,457,600

How does 2021 compare to previous years?

Ransomware attacks started to take hold in the medical sector in 2020. With just 59 attacks reported in 2019 but 103 reported in 2020, this was a 75 percent year-on-year increase. These figures continued to rise into 2021, increasing from 103 to 108.

But what is perhaps most striking (and concerning) is the astronomical rise in patient records that are impacted as a result of these attacks. From 2020 to 2021, the number of patient records impacted in these attacks rose by 312 percent (from 4.8 million to 19.8 million impacted records). Holding such important data to ransom may increase their chances of receiving payments. And it also coincides with the rise in double-dip attacks whereby hackers encrypt systems and steal data.

  • Number of attacks:
    • 2022 – 40
    • 2021 – 108
    • 2020 – 103
    • 2019 – 59
    • 2018 – 29
    • 2017 – 51
    • 2016 – 34
  • Number of patient records impacted:
    • 2022 – 4,933,601
    • 2021 – 19,755,950
    • 2020 – 4,798,963
    • 2019 – 3,010,546
    • 2018 – 481,056
    • 2017 – 1,619,824
    • 2016 – 368,915
  • Average downtime:
    • 2022 – 23.45 days
    • 2021 – 5.78 days
    • 2020 – 14.7 days
    • 2019 – 13 days
    • 2018 – 4.2 days
    • 2017 – 9.5 days
    • 2016 – 5 days
  • Downtime caused (known cases):
    • 2022 – 164 days (7 cases)
    • 2021 – 63.6 days (11 cases)
    • 2020 – 220.5 days (15 cases)
    • 2019 – 65 days (5 cases)
    • 2018 – No known amounts
    • 2017 – 19 days (2 cases)
    • 2016 – 5 days (1 case)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2022 – 938 days
    • 2021 – 624 days
    • 2020 – 1,514 days
    • 2019 – 754 days
    • 2018 – 118 days
    • 2017 – 485 days
    • 2016 – 170 days
  • Estimated cost of downtime:
    • 2022 – $11.7bn
    • 2021 – $7.8bn
    • 2020 – $18.9bn
    • 2019 – $9.4bn
    • 2018 – $1.5bn
    • 2017 – $6bn
    • 2016 – $2.1bn

How is 2022 looking for ransomware attacks on medical organizations?

As we can see from the above, ransomware attacks across medical organizations have been low throughout the first nine months of this year. But with many attacks often only being revealed after they’ve happened, these figures may rise over the coming months.

Downtime figures have also risen dramatically for 2022 (so far). This is due to two entities suffering major outages–Oklahoma City Indian Clinic still hadn’t recovered from its attack after two months and Taylor Regional Hospital suffered a 10-week outage. However, as more reports come through (and more information about the ransomware attacks), these downtime estimates may change. But what’s clear from these two attacks, in particular, is that ransomware remains a huge and concerning threat for medical organizations across the US, having the potential to cripple key systems and cause widespread disruptions.

Furthermore, the number of impacted patient records remains high (especially as many breaches post-attack may still be reported), highlighting the previously-mentioned “double-dip” trend where hackers encrypt systems and steal data.

2022 has, so far, been a quieter year across the board when it comes to publicly-confirmed ransomware attacks, as our map of US ransomware attacks (updated daily) shows. The same is also true worldwide. However, it is often only when organizations are shut down or data is breached that ransomware attacks are confirmed by the organization involved.

Ransomware attacks on healthcare-focused businesses

While we haven’t included businesses in our healthcare ransomware figures, it is worth noting that many more patient records and medical organizations suffer as a result of ransomware attacks on healthcare-focused businesses, e.g. pharmaceutical companies and IT providers.

According to our findings, another 53 ransomware attacks may have affected healthcare organizations across the US since 2016 with a further 11.2 million patient records impacted. You can see a full list of these entities below.

Some of the biggest attacks include:

  • CaptureRx (NEC Networks) – 2.42 million records affected: In early 2021, CaptureRx, an IT provider for healthcare organizations, suffered a ransomware attack. Patient data was stolen prior to the attack and the business agreed to a $4.75 million settlement earlier this year.
  • Eye Care Leaders – 2.7 million records affected: The number of affected records for Eye Care Leaders is, at the time of writing, constantly growing. After a ransomware attack in December 2021, numerous clinics and healthcare organizations are coming forward with data breach reports due to the attack. The figure hit 2.2 million in June 2022, but a recent report from Wolfe Clinic has added a further 542,776 patient records to the tally.
  • Magellan – 1.7 million records affected: This huge attack on health insurance company, Magellan, in 2020 saw 1.7 million records affected.

What this doesn’t include, however, is ransomware attacks on other third parties that may also feature healthcare data. A prime example of this is the 2020 attack on cloud computing software provider, Blackbaud, which was known to have affected a huge number of medical entities.

Our research found that 100 medical organizations were affected with 12,328,221 patients potentially impacted as a result of the breach.

By state, New York had the highest number of attacks with 15 in total. This was followed by Pennsylvania with 7 attacks and Massachusetts, Minnesota, Connecticut, and Virginia with 5 attacks each.

As for records affected by state, Michigan recorded over 3.3 million patient records potentially impacted, followed by Virginia with 1.12 million records and New York, with 1.11 records affected. These three states were the only ones to exceed 1 million records affected.

When you compare the number of records to the population size of each state, Maine recorded that nearly 50 percent of its population was affected by the breach (49.24%), followed by Michigan (44.78%), Delaware (37.83%), and Arizona (28.75%).

Blackbaud reported $10.4 million of expenses related to the ransomware attack and was estimated to have had a further $9.4 million in insurance recoveries.

The true cost of ransomware on healthcare organizations and their patients

What the above demonstrates is that the publicly-disclosed figures and details surrounding ransomware attacks on US healthcare organizations only scratch the surface.

As we have seen, it is difficult to get a full picture of how costly ransomware attacks are on US health providers due to the lack of information released about them. We estimate ransomware attacks have cost healthcare organizations in the US over $57 billion over the last six years – at least. With attacks not being publicized if they affect under 500 patients and ransom amounts being largely undeclared, these figures are likely to be much higher.

What’s in store for the future?

With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike. Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.

Methodology

Our research found 424 ransomware attacks in total affecting 6,835 medical organizations. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the healthcare entities where no downtime figures were available. For 2018, where no downtime amounts were available, we used Coveware’s data. Then, using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much hospital/clinic closures and severe disruptions may have cost.

We have only included ransomware attacks that have specifically targeted a medical facility that offers patient services. Attacks on healthcare-based businesses have been logged separately but aren’t included in downtime figures as patient services aren’t likely to have been impacted, only patient records.

Puerto Rico was included in our data but is not featured on any maps.

Data researcher: Charlotte Bond

Sources

https://healthitsecurity.com/topic/latest-health-data-breaches

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

https://www.census.gov

https://www.coveware.com/ransomware-blog