US Hospital Ransomware

Since 2016, ransomware attacks have become a huge cause for concern for hospitals all over the world. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker (or the ransomware is removed by IT specialists).

The result?

Severe delays and costs to healthcare organizations, patients left untreated, and appointments canceled.

So what is the true cost of ransomware attacks on US healthcare organizations?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting healthcare organizations since 2016. However, breaches are only published by the U.S. Department of Health Services if they affect over 500 people. While those lower than 500 also need reporting, they often go under the radar as they aren’t publicly disclosed. The public might only find out if the healthcare organization undergoes severe disruption and makes news. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different healthcare resources—specialist IT news, data breach reports, and the Health Services reporting tool—to collate as much data as possible on ransomware attacks on US healthcare providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to healthcare organizations. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings

  • 172 individual ransomware attacks on healthcare organizations
  • 1,446 hospitals, clinics, and organizations affected
  • 74 percent of organizations affected were hospitals or clinics, the remaining were IT providers (5%), elderly care providers (7%), dental (5%) or optometry practices (6%), plastic surgeons (2%), medical testing (2%), health insurance (1%), government health (1%), and medical supplies (1%)
  • 6,649,713 patients affected
  • Ransomware amounts vary from $1,600 to $14,000,000
  • Downtime caused varies from hours to weeks and even months
  • Hackers have demanded ransoms totaling more than $16.48 million since 2016
  • Hackers have received at least $640,000 since 2016
  • The overall cost of these attacks is estimated at $157 million
StateNumber of AttacksNumber of Records AffectedEstimated Cost of Downtime (Low Estimate)Estimated Cost of Downtime (High Estimate)
Alabama4402,322$3,672,000.00$5,600,000.00
Alaska144,600$918,000.00$1,400,000.00
Arizona311,828$2,754,000.00$4,200,000.00
Arkansas1128,000$918,000.00$1,400,000.00
California25753,109$22,950,000.00$35,000,000.00
Colorado637,297$5,508,000.00$8,400,000.00
Connecticut248,726$1,836,000.00$2,800,000.00
Delaware396,076$2,754,000.00$4,200,000.00
District of Columbia1N/A$918,000.00$1,400,000.00
Florida443,469$3,672,000.00$5,600,000.00
Georgia4193,995$3,672,000.00$5,600,000.00
Hawaii240,800$1,836,000.00$2,800,000.00
Idaho1N/A$918,000.00$1,400,000.00
Illinois327,839$2,754,000.00$4,200,000.00
Indiana7161,400$6,426,000.00$9,800,000.00
Iowa351,617$2,754,000.00$4,200,000.00
Kansas386,087$2,754,000.00$4,200,000.00
Kentucky545,062$4,590,000.00$7,000,000.00
Louisiana3136,943$2,754,000.00$4,200,000.00
Maryland231,120$1,836,000.00$2,800,000.00
Massachusetts4223,123$3,672,000.00$5,600,000.00
Michigan51,098,263$4,590,000.00$7,000,000.00
Minnesota5117,876$4,590,000.00$7,000,000.00
Mississippi158,000$918,000.00$1,400,000.00
Missouri6305,596$5,508,000.00$8,400,000.00
Nebraska458,341$3,672,000.00$5,600,000.00
Nevada13,898$918,000.00$1,400,000.00
New Hampshire12,081$918,000.00$1,400,000.00
New Jersey684,327$5,508,000.00$8,400,000.00
New York566,312$4,590,000.00$7,000,000.00
North Carolina2925$1,836,000.00$2,800,000.00
Ohio732,660$6,426,000.00$9,800,000.00
Oklahoma16,000$918,000.00$1,400,000.00
Oregon22,000$1,836,000.00$2,800,000.00
Pennsylvania5343,000$4,590,000.00$7,000,000.00
Puerto Rico2522,439$1,836,000.00$2,800,000.00
Rhode Island215,478$1,836,000.00$2,800,000.00
South Carolina1N/A$918,000.00$1,400,000.00
South Dakota110,200$918,000.00$1,400,000.00
Tennessee323,500$2,754,000.00$4,200,000.00
Texas14483,300$12,852,000.00$19,600,000.00
Utah1320,000$918,000.00$1,400,000.00
Virginia113,237$918,000.00$1,400,000.00
Washington3497,502$2,754,000.00$4,200,000.00
West Virginia1N/A$918,000.00$1,400,000.00
Wisconsin421,365$3,672,000.00$5,600,000.00
Wyoming1N/A$918,000.00$1,400,000.00

Which state had the most ransomware attacks on healthcare providers?

California had the most ransomware attacks by far, accounting for 14.5 percent of the attacks from 2016. But with such a large concentration of healthcare providers within this state, perhaps this isn’t too much of a surprise.

Texas had the second-highest number with 14 attacks in total. Maine, Montana, New Mexico, North Dakota, and Vermont aren’t recorded as having any.

If we compare this to the number of patient records that were potentially involved in the attacks, this picture changes slightly:

Michigan is the worst state for the number of patient records at risk. Almost 1.1 million people were affected in this state by two ransomware attacks. However, these two attacks relate to Airway Oxygen, Inc (a medical supply company) and Wolverine Solutions Group (a medical billing company) based in the state. This means some of the affected patients live in different states. [There are 7 attacks where this is the case — a list of which can be seen in the methodology section].

In California, 753,000 patient records were exposed and a large portion of these come from hospital networks operating in the area. Two of the main culprits were Pacific Alliance Medical Center where 266,123 patients’ records were affected in June 2017, and Centerlake Medical Group where 197,661 patients’ records were affected in February 2019.

Puerto Rico (not shown on the map) also had a high number with over 522,000 records involved in attacks there. This came from two attacks: one on the Bayamón Medical Center in May 2019 (422,496 records affected) and the Puerto Rico Women and Children’s Hospital, also in May 2019 (99,943 records affected).

The above map also shows us the number of people affected by ransomware attacks as a percentage of state population. Aside from Michigan (which, as we saw above, affects more than one state), the worst states are Puerto Rico (not shown on the map) with 16.36 percent of people in this state being affected by ransomware attacks, Delaware with 9.87 percent, and Utah with 9.98 percent. 76,873 patients were affected by two attacks in Delaware, one on Delaware Guidance Services for Children and Youth (50,000) in December 2018 and one on Brandywine Pediatrics (26,783) in October 2016. 320,000 patients were affected by an attack on Premier Family Medical (which operates in 10 locations across Utah country) in July 2019.

Which year saw the most ransomware attacks?

Ransomware started trending toward healthcare companies in 2016. But over the last four years we can see they’ve risen and fallen:

In 2016, there were 36 ransomware attacks on US healthcare organizations, followed by 53 in 2017. In 2018, the figure dipped again to 31, making this the lowest year for attacks overall. Last year, the figures rose again to 50.

These waves of attacks may relate to different types of ransomware being developed. However, with many organizations failing to disclose the type of ransomware used in the attack, it is difficult to know if this is the case.

From those that did reveal the type of ransomware used, we do know that Locky was particularly popular throughout 2016. SamSam was also popular from 2016 to 2018.

Nevertheless, this steep rise of attacks in 2019 is in complete contrast to the trend we saw in our similar study of UK NHS trusts. While we can’t directly compare the two due to the different systems in place for UK and US hospitals (i.e. public vs. privatized), it would appear that the UK has implemented effective measures to help keep ransomware attacks to a minimum. This is likely due to the NHS’s increased spending on cybersecurity measures which includes improving systems, practices, and improved staff training.

In the US, however, cybersecurity is often decided by each individual organization or the corporation behind them. And as Moody’s Investors Service recently stated, sophisticated cyberattacks will continue to pose a threat to hospitals’ revenues and operations, putting the safety of patients at risk. The latter will, in turn, put even more pressure on hospitals due to the potential lawsuits that may follow.

How much is ransomware costing US healthcare organizations?

As mentioned previously, ransom demands can vary dramatically from $1,600 to $14,000,000. Plus, only a handful of providers publicly release the figures involved (we could only find figures for 16 out of the 172 attacks).

From these 16 attacks, $16.48 million was demanded by hackers. Wisconsin accounts for the vast majority of this due to the hefty ransom demand of $14 million on Wisconsin-based IT provider, Virtual Care Provider, Inc. The attack affected 110 nursing homes across the US but the ransom wasn’t paid.

In fact, out of all the ransoms detailed above, we only know that $641,649 was definitely paid out to hackers. Only 21 organizations that suffered ransomware attacks revealed that they had paid the ransom (but only 7 revealed how much they’d paid and a further few declared they’d paid a “small amount.”). 66 said they hadn’t. This leaves 85 unclear cases in which the victim did not disclose whether or not they paid the ransom.

Adding in downtime

The above figures account solely for the ransom demands made by hackers and the hospitals that choose to pay it to regain access to their systems.

The majority of hospitals attacked with ransomware will also suffer some downtime. Again, only a handful of hospitals actually discuss how much downtime their attack caused and the consequent costs involved. For some, it’s a matter of hours before they’re up and running again, while for others, affected clinics/departments remain closed for weeks on end.

For a few, the cost is even greater. At least two healthcare providers are known to have shut their doors permanently due to ransomware attacks. With the cost of restoring their systems being far too great, they have been left with no other option but to close their businesses.

Estimates do indicate, however, that the average downtime caused by a ransomware attack is 16.2 days. However, this is often for large organizations and would be different for the smaller clinics and practices involved in our study.

But how much could this have cost healthcare providers?

In 2016, it was estimated that downtime in the healthcare industry could cost, on average, $918,000 in total per organization. This takes into account business disruption, lost revenue, end-user and IT productivity, detection, recovery, equipment, and third-parties. If this cost remained the same over the last 3 years (unlikely, due to how much downtime and its associated costs have increased over time), this would put the cost of downtime to all of the healthcare providers attacked in the US (172) at $157.9 million. A more recent report suggests healthcare cyberattacks cost an average of $1.4 million to recover from. This would increase the cost of downtime to $240.8 million.

These figures, while astronomical, are in line (and are even dramatically less in some cases) than some of the costs organizations have disclosed:

  • Park DuValle Community Health Center revealed how its ransomware attack in June 2019 cost $1 million. This included the $70,000 ransom (6 BTC) the center had to pay after being unable to access data for two months.
  • NEO Urology in June 2019 not only paid $75,000 in ransom, but also suffered revenue losses of $30,000 to $50,000 per day.
  • Erie County Medical Center didn’t pay the ransom of $30,000 to have its patients’ data released back to them but did spend almost $10 million recovering from the attack of April 2017. Officials also anticipated that $250,000 to $400,000 extra would be required each month to increase employee awareness and improve technology defenses.

As well as the monetary cost of downtime to healthcare organizations, there’s also the even more worrying cost of patients’ health and even lives. While it would be hard to ascertain the overall impact on patients, one study does suggest that data breaches (as a whole) increase the 30-day mortality rate for heart attacks, equating to 36 more deaths per 10,000 heart attacks each year.

The true cost of ransomware to US health providers

As we have seen, it is difficult to get a full picture of how costly ransomware attacks are on US health providers due to the lack of information released about them. We estimate ransomware attacks have cost healthcare organizations in the US around $160 million over the last four years – at least. With attacks not being publicized if they affect under 500 patients and ransom amounts being largely undeclared, these figures are likely to be much higher.

What’s in store for the future?

With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike. Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.

Methodology

Our research found 172 ransomware attacks in total affecting 1,446 hospitals, clinics, and other health providers. From this, we were able to ascertain how much ransom had been demanded and how much had been paid.

Where possible, each attack was assigned to a state. In some cases, the state assigned may be where the head office of the company is located. This means some of the patients and/or clinics involved in the attack may have been located in other states. This includes the Dental Digital Records attack in August 2019, the Virtual Care Provider, Inc (VCPI) attack in November 2019, the Greenway Health attack in April 2017, the Complete Technology Solutions attack in November 2019, the Wolverine Solutions Group (WSG) attack in September 2018, the Medstar Health attack of March 2016, the Airway Oxygen, Inc attack of April 2017, and the American Baptist Homes of the Midwest attack in March 2019.

See also: The Best Ransomware Protection Tools

Sources

https://healthitsecurity.com/topic/latest-health-data-breaches

https://www.idtheftcenter.org/data-breaches/

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

https://www.census.gov