Ransomware attacks spike, cost healthcare orgs millions

February 13, 2020

A new report details the scope of the ransomware problem since 2016.

There have been 172 ransomware attacks on healthcare organizations since 2016, costing the U.S. health system more than $157 million, according to a report from comparitech.com.

These attacks affected 1,446 hospitals, clinics, and organizations and more than 6.6 million patient records. The ransom sought in these attacks varied from $1,600 to $14 million, and hackers have netted at least $640,000 since 2016, according to the report.

Ransomware is a type of malware that locks healthcare organizations and practices out of patient records and financial systems, according to Rick Clark, the corporate security director at Ontario Systems.

California was the most common target of these attacks with a total of 25, with Texas coming in second with 14. California’s attacks alone caused downtime that cost between $22.9 million and $35 million, according to the report.

Maine, Montana, New Mexico, North Dakota, and Vermont did not record any breaches. Michigan was attacked only five times but had more than 1 million records affected by the breaches. Because most of those records were involved in breaches at a medical supply company and a medical billing company, some of those affected live out of state, the report says.

California saw 753,000 patient records exposed mainly from hospital networks, while the territory of Puerto Rico saw 522,000 records affected by breaches which impacted 16.36 percent of the island’s population, the report says.

In 2017 there were 53 attacks, making it the most affected year studied for the report, with only three more attacks than 2019. The lowest number of attacks during the studied period came in 2018 with 31 breaches, according to the report.

The report notes that the number of attacks stands in contrast with a similar study of National Health Service trusts in the United Kingdom. While comparisons can’t be direct due to the private nature of the American system and the public nature of the UK’s system, the author drew a connection between the UK system’s safety and increased spending on cybersecurity measures.

While the numbers are alarming, it is doubtful that this is a full accounting of the breaches perpetrated during this time, as the U.S. Department of Health Services only publishes breaches if they affect more than 500 people, and paid ransom demands are rarely reported, the report says.

“Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem,” the report says.

The report warns that without increased safety measures in place, hackers may turn their attention from patient data and hospital systems to life-saving equipment and technology.