Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations.

The first known ransomware attack occurred in 1989, but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016, when a new breed of ransomware started to be used in attacks.

These new ransomware variants use strong encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years, ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still demanded to prevent the exposure or sale of the stolen data.

Healthcare ransomware attacks cripple IT systems, prevent patient medical records from being accessed, cause disruption to patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months, and mitigating the attacks is expensive, with considerable loss of revenue due to downtime. In 2020, the ransomware attack on the University of Vermont Health Network was costing $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to identify the true cost of ransomware attacks on US healthcare organizations. The researchers gathered information on all ransomware attacks reported to the US Department of Health and Human Services’ Office for Civil Rights (OCR) since 2016, as well as attacks reported through media outlets that were not made public by OCR because they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult, as only limited data is made public. Ransoms may be paid, but the amounts are often not disclosed and attacks that affect fewer than 500 individuals are often not made public.

The researchers identified 92 healthcare ransomware attacks in 2020, including the attack on Blackbaud. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the attack on Blackbaud. Those attacks involved the theft or exposure of the protected health information of at least 18,069,012 patients.

Known ransom demands ranged from $300,000 to $1.14 million, with data from Coveware indicating an average ransom demand of $169,446 in 2020. In total, $15.6 million in ransoms were demanded from healthcare organizations in the United States in 2020, and $2,112,744 is known to have been paid to ransomware gangs that year. The true figure is substantially higher, as many ransoms were paid but the amounts were not publicly disclosed.

In addition to the ransom payment there is the cost of downtime, which in some cases can last weeks or months following the attack. Coveware research indicates the average downtime ranged from 15 days in Q1 2020 to 21 days in Q4 2020. The Comparitech researchers determined the total downtime from the attacks in 2020 was likely to be 1,669 days. Using a 2017 estimate of the cost of downtime of $8,662 per minute, the researchers determined the attacks cost at least $20.8 billion in 2020, which is more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, which affected around 2,100 hospitals, clinics, and other healthcare facilities. The attacks resulted in the theft or encryption of the records of more than 25 million individuals, with the overall cost to the healthcare industry estimated to be $31 billion.

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

You can view the full findings from the Comparitech healthcare ransomware study on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.