In 2021, 108 individual ransomware attacks affected 2,302 medical organizations, which impacted 19.76 million patient records. We estimate that these attacks cost medical entities almost $7.8 billion in downtime alone.
Since 2016, ransomware attacks have been a well-known threat to medical organizations. We saw a massive influx of attacks from the pandemic onwards. While ransomware attacks, in general, are destructive, the impacts on healthcare facilities are arguably some of the most catastrophic. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker (or the ransomware is removed by IT specialists). Add a global pandemic into the mix and you’ve got an even bigger problem that leads to severe delays and costs to healthcare organizations, patients going untreated, and canceled appointments.
For example, Scripps Health, a California-based non-profit operator with 5 hospitals and 19 outpatient clinics, suffered a ransomware attack in May 2021. The overall cost of the attack exceeded $112 million. Four hospitals had to re-route stroke and heart attack patients, and two hospitals also lost access to their electronic medical record system and offsite servers.
So, what is the true cost of these ransomware attacks across the healthcare sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2022?
To find out, our team of researchers gathered information on all of the ransomware attacks affecting medical organizations since 2016. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. It is often only when the hospital/clinic has to acknowledge the breach due to disrupted systems or lost patient data that information about the attack is released to the public. If the latter is the case, these reports will have been included in our study.
Our team sifted through several different healthcare resources— specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US healthcare providers. We then used all of the available data on downtime and ransom amounts to estimate a range for the likely cost of ransomware attacks on medical organizations. Due to the limitations of uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
Please note: in this update, we have separated healthcare-based organizations, such as hospitals, clinics, pharmacies, and care homes from businesses that cater solely to the healthcare industry, e.g. pharmaceutical companies and medical manufacturers, Therefore, the focus of this study is on companies that primarily offer a healthcare service and directly deal with patients and their data. As a result, some figures may differ from previous versions of this study.
Key findings
In 2021:
- 108 individual ransomware attacks on medical organizations–a slight increase from 2020 (103)
- 2,302 separate hospitals/clinics/organizations were potentially affected–a 45 percent increase from 2020 (1,586)
- 19,755,950 individual patient records were impacted–a 312 percent increase from 2020 (4,798,963)
- Ransomware amounts varied from $250,000 to $5 million
- Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
- On average, medical organizations lost nearly six days to downtime (5.78), which accounted for an estimated 624 total days of downtime
- Hackers demanded up to $7 million across just three attacks and received payment in 3 out of 19 cases where the medical organizations disclosed whether or not they paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have)
- The overall cost of these attacks is estimated at around $7.8 billion
- Pysa, Avaddon, and Conti were the most prolific hackers (where the entity disclosed the hacker name or the hacker claimed responsibility for the attack)
Which state had the most ransomware attacks on medical organizations in 2021?
As we can see from the above map, California had the most ransomware attacks (13), accounting for 12 percent of the attacks in 2021. But with such a large concentration of healthcare providers within this state, perhaps this isn’t too much of a surprise. Texas was a close second with nine reported healthcare ransomware attacks in 2021.
It’s a similar picture for the number of records affected, too. California saw the most records impacted (just over 4 million in total). The majority of these records stem from the hack on SmileBrands, Inc. This attack, which was carried out by DarkSide, affected 2.6 million patient records. While it is unknown what the ransom amount was and whether or not it was paid, the criminal group did publish around 700GB worth of data online.
Texas also has a high number of records affected (1.85 million across 9 attacks) but Wisconsin was the second-highest state for impacted patients with 2.4 million in total. As a lower-populated state, this is perhaps more of a surprise. All of these breached records come from one single attack, too. In May 2021, Forefront Dermatology, S.C. was hit by Cuba ransomware, and patient files were accessed. In July 2021, Forefront Dermatology began notifying 2.4 million people that their records may have been among those accessed by attackers. However, it’s important to note (as with all of these attacks) that patients may have been from outside the company’s head office location–Wisconsin.
How much did these ransomware attacks cost medical organizations in 2021?
Ransom demands varied dramatically from $250,000 to $5 million. Plus, only a handful of providers publicly release the figures involved (we could only find a ransom demand figure for three out of the 108 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these, as it may incentivize further attacks.
Below are a few attacks where ransom amounts were acknowledged:
- Allergy Partners suffered an attack whereby unknown hackers demanded $1.75 million in ransom. The medical practice claimed they did not pay the ransom, but did spend eight days restoring systems.
- Hackers demanded an extortionate ransom of $5 million from UF Health Central Florida. UF Health Central Florida refused to comment on whether the ransom was paid or not but a data breach report was filed for 700,981 patients.
- In October 2021, the threat actor ‘Groove’ demanded $250,000 from TriValley Primary Care. In an online chat, Groove demanded that the medical practice responded to its demands, however, there is no evidence that this occurred. It is unclear whether any ransom demand was paid but the Care’s website was unavailable for some time.
Adding in downtime
While it is difficult to ascertain just how much is lost in these attacks to paid ransom demands, there is a cost that affects the majority of attacked organizations–downtime.
As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.
According to the figures we did find for 11 of the attacks, medical entities suffered an average downtime of nearly 6 days (5.78) in 2021. Downtime relates to hospitals/clinics being shut and/or services being largely unavailable. Based on these figures, ransomware attacks may have caused 624 days (nearly 15,000 hours) of downtime.
So how much could this have cost medical providers?
A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to medical organizations in 2021 was around $7.8 billion. While high, this is less than half of 2020’s figure of $18.8 billion.
Even though 2021 saw a higher number of attacks, entities suffered far more downtime in 2020 (14.7 days, on average). This much higher downtime figure in 2020 may stem from the onset of the pandemic and the chaos surrounding it, including staff working from home, IT providers perhaps being less readily available, and an increased number of patients.
These figures, while astronomical, are in line with some of the costs organizations have disclosed:
- As mentioned above, Scripps Health reported that the total cost of their ransomware incident exceeded $112 million. This was the largest amount reported (by a facility reporting on total attack costs) from 2016 to the present day and stemmed primarily from loss of revenue.
- SmileDirectClub estimated that its April 2021 ransomware attack could cost the company up to $15 million. While it did have insurance, the impact of the attack on its business operations and financial results were detrimental to its earnings.
- Forefront Dermatology agreed to pay $3.7 million in September 2022 to resolve litigation from its 2021 attack, which affected 2.4 million patients.
Key findings from January 2016 to September 2022:
Our team has logged all of the ransomware attacks from January 2016 to September 2022. During this time:
- 424 separate individual ransomware attacks have been carried out on medical organizations
- 6,835 individual medical entities have been potentially impacted and nearly 35 million patient records affected
- Medical organizations have suffered an estimated 4,602 days of downtime due to ransomware attacks
- Ransom requests varied from $1,600 to $14 million
- Hackers have demanded an estimated $436.5 million in ransom
- Hackers have received at least $2.78 million in ransom payments with the average payment being $253,000
- We estimate that downtime has cost medical organizations $57.4 billion
How does 2021 compare to previous years?
Ransomware attacks started to take hold in the medical sector in 2020. With just 59 attacks reported in 2019 but 103 reported in 2020, this was a 75 percent year-on-year increase. These figures continued to rise into 2021, increasing from 103 to 108.
But what is perhaps most striking (and concerning) is the astronomical rise in patient records that are impacted as a result of these attacks. From 2020 to 2021, the number of patient records impacted in these attacks rose by 312 percent (from 4.8 million to 19.8 million impacted records). Holding such important data to ransom may increase their chances of receiving payments. And it also coincides with the rise in double-dip attacks whereby hackers encrypt systems and steal data.
- Number of attacks:
- 2022 – 40
- 2021 – 108
- 2020 – 103
- 2019 – 59
- 2018 – 29
- 2017 – 51
- 2016 – 34
- Number of patient records impacted:
- 2022 – 4,933,601
- 2021 – 19,755,950
- 2020 – 4,798,963
- 2019 – 3,010,546
- 2018 – 481,056
- 2017 – 1,619,824
- 2016 – 368,915
- Average downtime:
- 2022 – 23.45 days
- 2021 – 5.78 days
- 2020 – 14.7 days
- 2019 – 13 days
- 2018 – 4.2 days
- 2017 – 9.5 days
- 2016 – 5 days
- Downtime caused (known cases):
- 2022 – 164 days (7 cases)
- 2021 – 63.6 days (11 cases)
- 2020 – 220.5 days (15 cases)
- 2019 – 65 days (5 cases)
- 2018 – No known amounts
- 2017 – 19 days (2 cases)
- 2016 – 5 days (1 case)
- Estimated downtime caused (based on known cases and average in unknown):
- 2022 – 938 days
- 2021 – 624 days
- 2020 – 1,514 days
- 2019 – 754 days
- 2018 – 118 days
- 2017 – 485 days
- 2016 – 170 days
- Estimated cost of downtime:
- 2022 – $11.7bn
- 2021 – $7.8bn
- 2020 – $18.9bn
- 2019 – $9.4bn
- 2018 – $1.5bn
- 2017 – $6bn
- 2016 – $2.1bn
How is 2022 looking for ransomware attacks on medical organizations?
As we can see from the above, ransomware attacks across medical organizations have been low throughout the first nine months of this year. But with many attacks often only being revealed after they’ve happened, these figures may rise over the coming months.
2022 – 40
2021 – 108
2020 – 103
2019 – 59
2018 – 29
2017 – 51
2016 – 34
2022 – 4,933,601
2021 – 19,755,950
2020 – 4,798,963
2019 – 3,010,546
2018 – 481,056
2017 – 1,619,824
2016 – 368,915
2022 – 23.45 days
2021 – 5.78 days
2020 – 14.7 days
2019 – 13 days
2018 – 4.2 days
2017 – 9.5 days
2016 – 5 days
2022 – 164 days (7 cases)
2021 – 63.6 days (11 cases)
2020 – 220.5 days (15 cases)
2019 – 65 days (5 cases)
2018 – No known amounts
2017 – 19 days (2 cases)
2016 – 5 days (1 case)
2022 – 938 days
2021 – 624 days
2020 – 1,514 days
2019 – 754 days
2018 – 118 days
2017 – 485 days
2016 – 170 days
2022 – $11.7bn
2021 – $7.8bn
2020 – $18.9bn
2019 – $9.4bn
2018 – $1.5bn
2017 – $6bn
2016 – $2.1bn
Downtime figures have also risen dramatically for 2022 (so far). This is due to two entities suffering major outages–Oklahoma City Indian Clinic still hadn’t recovered from its attack after two months and Taylor Regional Hospital suffered a 10-week outage. However, as more reports come through (and more information about the ransomware attacks), these downtime estimates may change. But what’s clear from these two attacks, in particular, is that ransomware remains a huge and concerning threat for medical organizations across the US, having the potential to cripple key systems and cause widespread disruptions.
Furthermore, the number of impacted patient records remains high (especially as many breaches post-attack may still be reported), highlighting the previously-mentioned “double-dip” trend where hackers encrypt systems and steal data.
2022 has, so far, been a quieter year across the board when it comes to publicly-confirmed ransomware attacks, as our map of US ransomware attacks (updated daily) shows. The same is also true worldwide. However, it is often only when organizations are shut down or data is breached that ransomware attacks are confirmed by the organization involved.
Ransomware attacks on healthcare-focused businesses
While we haven’t included businesses in our healthcare ransomware figures, it is worth noting that many more patient records and medical organizations suffer as a result of ransomware attacks on healthcare-focused businesses, e.g. pharmaceutical companies and IT providers.
According to our findings, another 53 ransomware attacks may have affected healthcare organizations across the US since 2016 with a further 11.2 million patient records impacted. You can see a full list of these entities below.
Some of the biggest attacks include:
- CaptureRx (NEC Networks) – 2.42 million records affected: In early 2021, CaptureRx, an IT provider for healthcare organizations, suffered a ransomware attack. Patient data was stolen prior to the attack and the business agreed to a $4.75 million settlement earlier this year.
- Eye Care Leaders – 2.7 million records affected: The number of affected records for Eye Care Leaders is, at the time of writing, constantly growing. After a ransomware attack in December 2021, numerous clinics and healthcare organizations are coming forward with data breach reports due to the attack. The figure hit 2.2 million in June 2022, but a recent report from Wolfe Clinic has added a further 542,776 patient records to the tally.
- Magellan – 1.7 million records affected: This huge attack on health insurance company, Magellan, in 2020 saw 1.7 million records affected.
What this doesn’t include, however, is ransomware attacks on other third parties that may also feature healthcare data. A prime example of this is the 2020 attack on cloud computing software provider, Blackbaud, which was known to have affected a huge number of medical entities.
Our research found that 100 medical organizations were affected with 12,328,221 patients potentially impacted as a result of the breach.
By state, New York had the highest number of attacks with 15 in total. This was followed by Pennsylvania with 7 attacks and Massachusetts, Minnesota, Connecticut, and Virginia with 5 attacks each.
As for records affected by state, Michigan recorded over 3.3 million patient records potentially impacted, followed by Virginia with 1.12 million records and New York, with 1.11 records affected. These three states were the only ones to exceed 1 million records affected.
When you compare the number of records to the population size of each state, Maine recorded that nearly 50 percent of its population was affected by the breach (49.24%), followed by Michigan (44.78%), Delaware (37.83%), and Arizona (28.75%).
Blackbaud reported $10.4 million of expenses related to the ransomware attack and was estimated to have had a further $9.4 million in insurance recoveries.
The true cost of ransomware on healthcare organizations and their patients
What the above demonstrates is that the publicly-disclosed figures and details surrounding ransomware attacks on US healthcare organizations only scratch the surface.
As we have seen, it is difficult to get a full picture of how costly ransomware attacks are on US health providers due to the lack of information released about them. We estimate ransomware attacks have cost healthcare organizations in the US over $57 billion over the last six years – at least. With attacks not being publicized if they affect under 500 patients and ransom amounts being largely undeclared, these figures are likely to be much higher.
What’s in store for the future?
With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike. Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.
Methodology
Our research found 424 ransomware attacks in total affecting 6,835 medical organizations. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the healthcare entities where no downtime figures were available. For 2018, where no downtime amounts were available, we used Coveware’s data. Then, using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much hospital/clinic closures and severe disruptions may have cost.
We have only included ransomware attacks that have specifically targeted a medical facility that offers patient services. Attacks on healthcare-based businesses have been logged separately but aren’t included in downtime figures as patient services aren’t likely to have been impacted, only patient records.
Puerto Rico was included in our data but is not featured on any maps.
Data researcher: Charlotte Bond
Sources
https://healthitsecurity.com/topic/latest-health-data-breaches
