HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft.

The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year.

In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities.

These attacks have caused significant financial harm and in some cases the disruption has had life threatening consequences. Healthcare services have had to be suspended, ambulances have been redirected to alternative facilities, 911 services have been interrupted, medical appointments have been postponed and test results have been delayed. “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to bolstered across the public sector before that luck runs out and lives are lost,” said Fabian Wosar, CTO, Emsisoft.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

One of the most damaging attacks was on Universal Health Services, a health system that operates more than 400 hospitals and healthcare facilities in the United States. The attack affected all its locations and caused considerable disruption. An attack on the University of Vermont Health Network forced systems offline, including its EHR system. Several hospital systems remained out of action for several weeks after the attack. The ransomware attack cost the health system around $1.5 million a day in additional expenses and lost revenue while it recovered. “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover,” said Gus Genter, CIO, Winnebago County, who was quoted in the report.

It has become increasingly common for ransomware threat actors to steal sensitive data prior to file encryption and for threats to be issued to publish or sell the stolen data if the ransom is not paid. This tactic was first adopted by the Maze ransomware gang, but many other threat groups have now adopted the same tactic. Emsisoft said only the Maze ransomware gang was exfiltrating data prior to file encryption at the start of 2020, but now at least 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not paid.

In some cases, even payment of the ransom does not guarantee the stolen data will be deleted. Several ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza are known to have leaked stolen data even after the ransom was paid.

Emsisoft notes that in the first half of 2020, only one of the 60 ransomware attacks on federal, state, county, and municipal governments and agencies resulted in stolen data being leaked; however, in the second half of the year, 23 out of the 53 attacks saw stolen data released on leak sites. At least 12 healthcare organizations that were attacked with ransomware had sensitive data stolen and leaked online.

2020 was clearly a bad year, but there is little to suggest 2021 will be any better. Ransomware attacks are likely to continue at pace and may even increase. “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals,” explained Emsisoft in the report.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.