Ransomware Attacks in Healthcare Double from 2016 to 2021

Ransomware Attacks in Healthcare Double from 2016 to 2021


A study published in the JAMA Health Forum revealed that ransomware attacks have dramatically increased since 2016. Corresponding author was Hannah T. Neprash, PhD, Division of Health Policy and Management, School of Public Health, University of Minnesota, Minneapolis, MN. She and her research team created the Tracking Healthcare Ransomware Events and Traits (THREAT) database. The THREAT database combines proprietary data provided by HackNotice and data from the US Department of Health and Human Services Office of Civil Rights (HHS OCR) Data Breach Portal.

Results Show Disturbing Trend

The study uncovered 374 ransomware attacks on healthcare organizations during the study period (2016-2021) — exposing the Protected Health Information (PHI) of almost 42 million people. During the study period, they discovered these critical facts:

  • The average number of ransomware attacks more than doubled, from 41 annually to 93 annually in the 5 study years.
  • PHI exposure increased by more than 11-fold for the same period, rising from 1.3 million in 2016 to over 16.5 million in 2021.
  • 84 ransomware attacks did not appear in the HHS OCR database, resulting in no PHI exposure data report.
  • 203 of the 290 ransomware attacks reported to HHS were reported late — out of the 60-day mandated reporting window.
  • Only 20% reported that they could restore their data from backups.
  • 59 (15.8%) ransomware attacks made some or all of the appropriated PHI public, usually through postings on dark web forums where stolen health data is offered for sale.
  • 198 attacks (52.9%) of attacks involved multiple facilities.
  • 216 ransomware occurrences were clinics, followed by 82 hospitals, 56 ambulatory surgery centers, 51 mental/behavioral health facilities, 46 dental practices, and 12 post-acute care entities. The remaining 80 attacks occurred in a wide variety of healthcare delivery organizations.
  • 166 (44%) of targeted facilities showed evidence of care delivery disruptions, 32 (8.6%) experienced disruptions of over two weeks, ranging from electronic system downtime (41.7%) to 38 (10.2%) cancellations/delays of scheduled care to 16 (4.3%) ambulance diversions.

HHS Reveals New Ransomware Threat

HSS recently issued a warning to the healthcare sector from a new human-operated ransomware named Royal. Royal’s first appearance was in September 2022. Once an entity’s system is infected, the perpetrators demand from $250,000 to $2 million in ransom for their data to be returned. A private group seems to be behind Royal with financial motivation as their goal.

They appear to have experience with other ransomware groups because they use previously-utilized activities, including Cobalt Strike, harvesting credentials, and encrypting files. The ransom note is contained in a README.TXT that links to a victim’s private negotiation page.

Royal is a new ransomware, so there are still many unknowns about the malware.

HHS cautions healthcare entities that data breaches are costly, with an average of $10 million. Healthcare delivery entities are at particular risk because of the vast sensitive data contained in their systems.