
BakerHostetler: Ransomware in Decline with Fewer Attacks and Lower Payments

Healthcare continues to be the sector most targeted by ransomware groups, according to the BakerHostetler 2025 Data Security Incident Response Report. Out of the ransomware incidents the law firm was involved with last year, 36% were on healthcare organizations, and those attacks typically disrupted patient care and resulted in revenue loss. There are signs, however, that ransomware is in decline, with fewer attacks and lower payments last year. BakerHostetler has identified an increase in fraudulent wire transfers, suggesting threat actors are responding to the falling profitability of ransomware attacks by making money in other ways. Fraudulent transfers increased by 302% year over year, with an average transfer of $1,256,797 and a median transfer of $130,000. While that may have been true for 2024, reports published earlier this month by cybersecurity firms suggest ransomware groups are conducting more attacks due to the increased reluctance of victims to pay ransoms. Several firms reported that Q1 2025 was a record-breaking quarter for ransomware attacks.

In 2024, based on the 1,250+ incidents BakerHostetler was involved with, the average ransom demand in an attack on a healthcare organization was $1,889,573, and the median demand was $1.4 million. There is often scope for negotiation of ransom demands, as the average ransom paid by a healthcare organization was $847,875, and the median payment was $375,000. Across all industry sectors, the average ransom demand was $2,502,565, and the average ransom payment was $916,203. Excluding an outlier, the largest ransom payment of $22 million, the average ransom payment was down 33% year-over-year to $501,338.

The average time taken to achieve acceptable restoration after a ransomware attack was 27.2 days, and the median restoration time was 24 days. There was a slight increase in detection time, which rose from 2 to 3 days, but a significant reduction in analysis time, with the median time falling from 33 days in 2023 to 26 days in 2024. The reduction in analysis time is a key factor contributing to falling forensic costs, which fell for the third straight year, dropping 30% from 2022 and falling from an average of $580,125 in 2023 to $41,145 in 2024.

BakerHostetler attributes this to three factors: EDR and triage tools that make assessments easier; SIEM, cloud, and virtualization, which make it easier to obtain host and network logs; and a maturing industry with more firms offering digital forensics services. The average times for detection, containment, and forensic analysis were far lower when EDR tools were in place: detection was faster by 7 days on average, containment by 0.3 days, and forensic analysis by 5.3 days, which translates into a 15% reduction in forensic investigation costs.


There has been a decline in the use of malware by ransomware groups, with more attacks involving compromised admin credentials and living-off-the-land techniques, both of which reduce the risk of detection. The most common root cause of attacks was phishing (24%), followed by the exploitation of unpatched vulnerabilities (16%), other methods such as device theft (11%), and brute force attacks/credential stuffing (9%). The root cause could not be determined in 18% of attacks.

Only 51 of the 518 disclosed incidents led to lawsuits, down from 58 out of 493 disclosed incidents in 2023. Last year was the first year in five to see a fall in the number of lawsuits in response to security incidents. Out of the 51 incidents that resulted in litigation, 44 involved the theft of Social Security numbers, and 35 involved the theft of medical/health information, with 27 healthcare data breaches resulting in litigation.

While lawsuits may be filed, courts have been willing to dismiss cases with specious harm allegations. Courts require a concrete injury to have been sustained that is fairly traceable to the data breach, rather than an increased risk of harm due to the theft of sensitive data. Two notable dismissals of healthcare data breach lawsuits were the cases against CommonSpirit Health and Bienville Orthopedic Specialists. In both cases, while there were allegations of fraud, the courts determined that the fraud was not fairly traceable to a specific data breach.

In the report, BakerHostetler draws attention to the importance of HIPAA compliance in healthcare. While the increased focus on reproductive healthcare privacy under the Biden administration may not be shared by the Trump administration, that could all change after the midterms, and it could once again become a major focus in 4 years under a new administration. It is vital to comply with the law as it stands, until such time as the HIPAA Privacy Rule reproductive healthcare privacy update is rescinded.

Last year, there was an increased focus on security, and it is likely to remain a focus for OCR under the Trump administration. OCR initiated a new risk analysis enforcement initiative under the Biden administration; there were four enforcement actions under that initiative last year and a further two in 2025. Last year, OCR resolved eight investigations of ransomware attacks with financial penalties, and ransomware attacks are likely to remain a focus for OCR given the number of attacks conducted on the healthcare sector. “OCR showed it is not swayed by entities’ victim status and will use the attack to conduct a detailed HIPAA compliance audit, adding to the overall cost of the attack,” explained BakerHostetler. There has also been an increased focus on HIPAA compliance at business associates, with OCR appearing to recognize the important role they play in the healthcare industry and the number of breaches with business associate involvement. Business associates are likely to continue to face increased scrutiny over the coming year.

OCR continues to actively enforce compliance with the HIPAA Right of Access, which has been the most common reason for financial penalties over the past 5 years; however, there has been an increased focus on penalties for noncompliance uncovered during investigations of hacking incidents. In 2024, 13 enforcement actions that resulted in financial penalties were for hacking incidents, compared to just 6 enforcement actions for HIPAA Right of Access failures. “Cybersecurity has proven to be a bipartisan issue,” explained BakerHostetler. “We feel confident it will continue to be top of mind as the new administration sets its agenda.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
