Report finds 539 confirmed attacks affecting 10,000 facilities
U.S. health care organizations have experienced 539 ransomware attacks since 2016, costing about $77.5 billion, according to a new study.
The study, from the online security firm Comparitech, shows that ransomware attacks on health care organizations grew steadily from 34 in 2016 to 56 in 2019. They more than doubled in the next two years to a high of 115 in 2021 before declining the following year to 84. Sixty-six attacks had been recorded through mid-October of this year.
The number of patient records affected by ransomware attacks grew from 369,000 in 2016 to a high of just over 20 million in 2021. Through mid-October of 2023 about 7.3 million records had been affected.
Seven of the organizations studied in the report disclosed how much they lost because of ransomware attacks. The largest loss was $160 million at Chicago-based CommonSpirit Health, in an attack that also forced 400 of the system’s 700 care sites offline for three weeks. Among the others:
• Scripps Health in May 2021 reported a loss of $112.7 million
• Harvard Pilgrim Health Care (Point32Health) reported a loss of $102.7 million in March 2023
• Universal Health Services reported a September 2020 loss of $67 million
• Bio-Rad Laboratories, Inc., had a $20 million loss from an attack in December 2019
“While ransomware attacks in general are destructive, the impacts on healthcare facilities are arguably some of the most catastrophic,” the report notes. “They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker or the ransomware is removed by IT specialists.”
The report finds that, through mid-October of 2023, 66 ransomware attacks had been launched on 1,568 medical institutions, leading to more than 7.3 million breached patient records and causing an average of 18.7 days of downtime.
Other findings include:
• 52.2 million individual patient records were affected by ransomware attacks
• Ransom amounts varied from $1,600 to $10 million
• On average, medical organizations lost nearly 14 days to downtime across all years, ranging from 2.6 in 2018 to 18.71 in 2023. In total, this accounted for 6,347 days of downtime
• Hackers demanded more than $39 million across 34 attacks and received payment in 31 out of 160 cases where the medical organizations disclosed whether they paid the ransom.
• The overall cost of these attacks is estimated at around $77.5 billion