Impact of Hospital Ransomware Attacks on Neighboring Hospitals
A ransomware attack on a hospital involves the encryption of computer networks, rendering essential systems and data unavailable. Hospitals have to investigate the attack, identify how their network was breached, rebuild systems, and restore data safely and securely. That process takes time, and during the recovery, systems remain unavailable. The downtime can last anywhere from a few days to several weeks.
Ransomware attacks on hospitals have been increasing. Between 2016 and 2021, there were more than 370 ransomware attacks on US clinics, hospitals, and other healthcare organizations, with attacks doubling over that period. Attacks have continued to increase since 2021, with a sizeable increase in 2023.
As the ransomware attack on Ascension made clear, the disruption caused can be considerable. The Ascension attack took many hospital IT systems out of action, resulting in diagnosis and treatment delays, canceled appointments and surgeries, and emergency departments being placed on divert. The effects of a ransomware attack are felt not only at the hospital that was attacked but also at neighboring hospitals that have to deal with increased patient volume, placing a strain on their resources.
A research letter recently published in JAMA confirmed the effect that ransomware attacks have on neighboring hospitals. The researchers analyzed patient discharge and emergency department (ED) data from the California Department of Health Care Access and Information between 2014 and 2020 and cross-referenced it with data from the HHS’ Office for Civil Rights data breach portal and media coverage to identify hospitals that experienced ransomware attacks.
The researchers identified 8 ransomware attacks that caused disruption at 15 hospitals and analyzed the data from other hospitals in the same service area, defined as hospitals within a four-mile radius of the attacked hospital. If no other facilities were within four miles, the researchers looked at data from the two nearest hospitals. The researchers showed that there was a temporary decrease in ED visits and inpatient admissions at hospitals that were hit with ransomware attacks, while neighboring hospitals experienced an increase in ED volume, although there was no significant difference in inpatient admissions.
In the week after a ransomware attack, the attacked hospitals experienced an average 8.10% reduction in ED visits and an 8.16% decrease in inpatient admissions. In the second week after a ransomware attack, there was a 16.21% decrease in ED visits and a 16.62% reduction in inpatient admissions. On average, it took 8 weeks from the date of the attack for ED visits and inpatient admissions to return to normal levels. The data showed an increase in ED visits at neighboring hospitals during the recovery period. An attack in California that affected 4 healthcare facilities resulted in a 15% increase in ED visits at nearby healthcare facilities. The study confirmed that a ransomware attack on one hospital does not just affect patients of that facility; it can have a negative effect on an entire community.
Previous studies have explored the link between ransomware attacks and mortality rates at hospitals. While there is little evidence of a ransomware attack directly leading to the death of a patient, patient care is affected by the lack of access to patient data, which causes diagnosis and treatment delays and increases the risk of medical errors and complications.
In a 2022 Proofpoint survey of healthcare professionals at U.S. hospitals, 28% of respondents reported an increase in the mortality rate after a ransomware attack, and 57% said they experienced poorer patient outcomes due to cyberattacks. A year earlier, a survey by Censinet had similar findings, with 22% of respondents reporting an increase in mortality rate after a ransomware attack. A recent analysis published by STAT suggests the mortality rate at hospitals increases from around 3 in every 100 patients to 4 in every 100 after a ransomware attack, with the researchers estimating that ransomware attacks have resulted in the deaths of between 42 and 67 Medicare patients between 2016 and 2021.


