HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016

A new study by Comparitech has shed light on the extent to which ransomware has been used to attack healthcare organizations and the true cost of ransomware attacks on the healthcare industry.

The study revealed there have been at least 172 ransomware attacks on healthcare organizations in the United States in the past three years. In total, 1,446 hospitals, clinics, and other healthcare facilities have been affected, along with at least 6,649,713 patients.

The number of attacks fell from 53 incidents in 2017 to 31 in 2018, but attacks returned to roughly 2017 levels in 2019, with 50 reported attacks on healthcare organizations.

74% of healthcare ransomware attacks since 2016 have targeted hospitals and health clinics. The remaining 26% of attacks have been on other healthcare organizations such as nursing homes, dental practices, medical testing laboratories, health insurance providers, plastic surgeons, optometry practices, medical supply companies, government healthcare providers, and managed service providers.


Ransom demands vary considerably from attack to attack, ranging from around $1,600 to $14 million; in total, $16.48 million in ransoms has been demanded from healthcare organizations since 2016. Comparitech confirmed healthcare organizations have paid at least $640,000 to attackers for the keys to unlock encrypted files, but the true cost is likely to be considerably higher, as many victims prefer not to make that information public.

Attacks often see appointments cancelled, and permanent data loss is a real possibility. The time, effort, and cost of remediating attacks can be too high for some smaller healthcare providers: at least two healthcare clinics have shut down their practices as a result of ransomware attacks in 2019.

Ransom payments represent just a small fraction of the total cost of an attack. Restoring systems from backups, or even using the decryption keys provided by the attackers, can take a considerable amount of time. Rebuilding systems and restoring data can take anywhere from a few hours to several weeks or months, and the resulting downtime is one of the biggest costs of a ransomware attack.

For the study, Comparitech used several different healthcare resources, data breach reports, IT news sources, and HHS’ Office for Civil Rights data, along with data from studies on the cost of downtime from ransomware attacks. Based on that information, the researchers produced a low and high estimate of the downtime cost for all 172 confirmed attacks since 2016. The low estimate for the cost of downtime was $157,896,000 and the high estimate was $240,800,000.

“With hospitals and other health providers often being seen as ‘easy targets’ for hackers, ransomware will continue to be a growing concern for organizations and patients alike,” wrote the researchers. “Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse… Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.