Since 2018, ransomware attacks on healthcare organizations have cost the world economy $92bn in downtime alone

Since 2018, there have been 500 publicly-confirmed ransomware attacks on healthcare organizations around the world. These have crippled nearly 13,000 separate facilities and have impacted almost 49 million patient records.

In total, we estimate the cost of these attacks exceeds US$92 billion in downtime alone.

Ransomware attacks have the potential to cause widespread disruption to any organization. Not only can they encrypt key systems, they can put personal data at risk of theft and exploitation. Place this scenario in a healthcare environment, and the stakes are arguably much higher. Critical systems and patient data may become inaccessible, causing severe–and perhaps even deadly–delays. For example, a lawsuit in Alabama, due for trial this month, suggests a ransomware attack on a hospital led to a baby’s death in 2019.

Below, we explore the extent of ransomware attacks across healthcare organizations around the world. Using data from our worldwide ransomware tracker, our team explored the growing threat of ransomware in the healthcare sector and the true cost of these attacks. However, as we only include publicly-confirmed attacks, our figures likely only scratch the surface.

Note that just because a country may be denoted as having a higher number of attacks than others, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.

Key findings

From the beginning of 2018 to October 2022, our research found:

  • 500 individual ransomware attacks on healthcare organizations. 2021 was the biggest year for attacks with 166 in total
  • 12,961 separate hospitals/clinics/organizations were potentially affected
  • 48,847,107 individual patient records were impacted in these attacks–at least. Just less than half of these (20 million) were impacted in 2021
  • Ransom demands varied from $900 to $20 million
  • We estimate that hackers have demanded over $1.2 billion in ransoms
  • We estimate that nearly $44 million has been paid to hackers in ransom demands
  • Downtime varied from a couple of hours of disruption to seven months of systems not being at full capacity
  • The average downtime from attacks increased dramatically in 2021 and 2022 with 19.5 and 16 days lost on average, respectively
  • The overall cost of downtime is estimated at $92bn
  • Conti, Pysa, Maze, Hive, and Vice Society are the most dominant ransomware strains with the first three dominating in 2020/21 but the latter two taking over in 2021/22

Ransomware attacks on healthcare organizations by month and year

As we’ve mentioned above, 2021 was the biggest year for ransomware attacks on healthcare organizations, accounting for just over 33 percent (166) of all the attacks since 2018. 2020 was also a big year, with 137 attacks noted in total.

Both of these years coincide with the COVID-19 pandemic. With healthcare organizations stretched and under pressure, hackers found ways to exploit weak points, such as tired staff members failing to spot phishing emails containing ransomware.

2022 has seen a dip in healthcare ransomware attacks with 83 noted up until the end of October. While lower, we would expect this figure to rise in the coming months as some attacks are reported months after they have taken place (e.g. when data is published by the hackers or breach notifications are issued to affected patients).

  • Number of attacks:
    • 2022 (to October) – 83
    • 2021 – 166
    • 2020 – 137
    • 2019 – 78
    • 2018 – 36
  • Number of patient records impacted:
    • 2022 (to October) – 5,351,462
    • 2021 – 20,008,774
    • 2020 – 4,889,336
    • 2019 – 18,027,346
    • 2018 – 570,189
  • Average downtime:
    • 2022 (to October) – 16.1 days
    • 2021 – 19.5 days
    • 2020 – 12.3 days
    • 2019 – 13.3 days
    • 2018 – 2.6 days
  • Downtime caused (known cases):
    • 2022 (to October) – 514 days (32 cases)
    • 2021 – 974 days (50 cases)
    • 2020 – 394 days (32 cases)
    • 2019 – 279 days (21 cases)
    • 2018 – 13 days (5 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2022 (to October) – 1,334 days
    • 2021 – 3,232 days
    • 2020 – 1,685 days
    • 2019 – 1,037 days
    • 2018 – 94 days
  • Estimated cost of downtime:
    • 2022 (to October) – $16.6bn
    • 2021 – $40.3bn
    • 2020 – $21bn
    • 2019 – $12.9bn
    • 2018 – $1.17bn

The true cost of ransomware attacks on healthcare organizations

Ransom demands can vary considerably with our figures finding ransoms as low as $900 (disclosed by the Centre Hospitalier de la Tour Blanche à Issoudun in France in its 2019 attack) and as high as $20 million (revealed by Ireland’s Health Service Executive in its 2021 attack). Understandably, many organizations don’t reveal the amounts demanded–especially when they’ve paid the hackers.

We found ransom figures in 40 cases. As well as the HSE one mentioned above, some other large figures were disclosed by:

  • Hillel Yaffe Medical Center, Israel – $10 million: In October 2021, hackers demanded $10 million from Israel’s Hillel Yaffe Medical Center. The center chose not to pay but recovery efforts took around one month.
  • Le Centre Hospitalier Sud Francilien, France – $10 million: The CHSF in France was subject to a $10 million ransom demand in August 2022. The LockBit hackers later reduced this to $1 million. It hasn’t been paid at the time of writing. Services continued to be disrupted after three weeks with full restoration expected in November.
  • UF Health Central Florida, US – $5 million: While there has been no confirmation as to whether this ransom was paid, a data breach report was filed for 700,981 patients, suggesting it perhaps didn’t give in to the hackers’ demands.

Based on the figures we do have available, we know:

  • Average ransom demand:
    • 2022 (to October) – $1,887,058
    • 2021 – $5,792,857
    • 2020 – $690,624
    • 2019 – $386,067
    • 2018 – $19,400
  • Ransom demanded (known cases):
    • 2022 (to October) – $18.87 million (10 cases)
    • 2021 – $40.55 million (7 cases)
    • 2020 – $4.14 million (6 cases)
    • 2019 – $4.63 million (12 cases)
    • 2018 – $97,000 (5 cases)
  • % of ransom demands that result in a payment
    • 2022 (to October) – 13% (payment confirmed in 2 out of 16 cases)
    • 2021 – 9% (payment confirmed in 3 out of 35 cases)
    • 2020 – 26% (payment confirmed in 10 out of 38 cases)
    • 2019 – 30% (payment confirmed in 12 out of 40 cases)
    • 2018 – 36% (payment confirmed in 5 out of 14 cases)

Using these figures, we’re able to estimate:

  • Estimated ransom demanded:
    • 2022 (to October) – $156.6 million
    • 2021 – $961.6 million
    • 2020 – $94.6 million
    • 2019 – $30.1 million
    • 2018 – $698,400
  • Estimated ransom paid:
    • 2022 (to October) – $21.4 million
    • 2021 – no confirmed paid ransom amounts available
    • 2020 – $19.3 million
    • 2019 – $2.7 million
    • 2018 – $385,714

The above shows us how ransom demands have skyrocketed in recent years. There also appear to be fewer confirmed ransom payments. However, as the awareness around ransomware has grown, companies are likely keeping schtum on what the ransom demand was and whether or not they’ve paid it. Many believe that admitting to paying ransoms leaves them open to further attacks.

This is reflected in the fact that no paid ransom amounts were revealed in 2021 and only one has been revealed in 2022: just over $2 million was paid by Colosseum Dental after hackers wreaked havoc with the systems across over 130 branches across Luxembourg, Belgium, and the Netherlands.

Adding in downtime

While calculating the cost of ransomware attacks through ransom payments is difficult, there is one aspect from these attacks that is easier to gauge–downtime.

In many cases, ransomware attacks render systems inaccessible for hours, days, weeks, and even months at a time. And in some of the worst cases, systems are completely unrecoverable.

As we have seen above, we were able to find downtime figures for 140 entities. The number of days lost to this downtime was 2,174. Using the averages from these attacks, we were then able to estimate the downtime for all of the known ransomware attacks, calculating that a total of 7,381 days have been lost to downtime on healthcare organizations around the world. This equates to more than 20 years.

In a 2017 study, the average cost of downtime per minute across 20 different industries was estimated to be $8,662. This would therefore mean that healthcare organizations have suffered costs of over $92 billion as a result of downtime alone.

Even though these figures may seem astronomical, they do reflect some of the figures disclosed by healthcare organizations after they’ve been attacked.

For example, Ireland’s Health Service Executive just revealed that it’s spending $2.1 billion to upgrade its IT systems following the attack.  Elsewhere, the 2021 attack on Scripps Health in the US cost over $112 million.

Ransomware attacks on healthcare organizations remain a prominent threat

Even though 2022 has seen a dip in the number of ransomware attacks on healthcare organizations, this doesn’t necessarily mean that the threat is any less severe. We’re seeing growing ransom sums and downtime figures. Hackers are perhaps becoming more targeted in their approach, ensuring widespread disruption is achieved so as to increase their chances of receiving the ransom.

Furthermore, there are increasing “double-extortion” attacks in which systems are encrypted and data is stolen. Even if an entity is able to restore its systems quickly from back-ups, the threat of private patient data being published online may still be enough for the company to negotiate with the hackers. And even if a company refuses to pay the ransom demand, the sale of this data can lead to a hefty profit for the hackers.

Another reason for the lower ransomware attack figures (something we’re seeing across all industries in both the US and worldwide), is that organizations are becoming less “open” about being attacked. As people become more aware of ransomware attacks, entities appear to have become less forthcoming in their reporting of such events. This is perhaps due to the stigma surrounding ransomware and also the concern it leaves them open to future attacks.

Methodology

Using the database from our ransomware attack map, our research found 500 healthcare ransomware attacks in total. From this data we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.

If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these figures based on the lowest figure they could be. For example, several days was calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).

Each breach was categorized into one of 17 medical organization types, which are defined as follows:

  • Academic hospital
  • Ambulance service
  • Clinic: a clinic offering all-around healthcare services
  • Clinic network: a system of clinics operating from more than one location to offer all-around healthcare services
  • Dental: a practice offering dental healthcare services
  • Government health: a general government department/entity that’s involved in a health-related data breach, e.g. the department of human services or a county government
  • Home/senior care: this includes organizations that may provide social services in the local community
  • Hospital
  • Hospital network: a system of hospitals operating from more than one location to offer all-around healthcare services
  • Laboratory: a health-based laboratory business
  • Mental health: e.g. services offering support for addiction
  • Optometry: a practice offering optical healthcare service
  • Pharmacy: an organization/network specializing in pharmaceuticals
  • Rehabilitation services
  • Research
  • Specialist clinic: a clinic that operates under a certain area of healthcare, e.g. physicians or rehabilitation centers
  • Specialist clinic network: as above but operating from multiple clinics/locations

Data researchers: Charlotte Bond, Rebecca Moody