Study Explores Extent of Hacking and Ransomware Attacks in Healthcare
Ransomware is one of the leading causes of healthcare data breaches, according to a new study by researchers at Michigan State University, Yale University, and Johns Hopkins University, published in JAMA Network Open. The study revealed that over the past 15 years, ransomware attacks have resulted in the exposure or theft of the healthcare data of at least 285 million individuals. At the time the study was conducted, the ransomware attack on Change Healthcare was listed on the HHS’ Office for Civil Rights breach portal as affecting 100 million individuals. That total has since been updated to 190 million affected individuals, so at least 375 million individuals have now been confirmed as having their health data stolen or exposed in ransomware attacks, and most likely considerably more.
While the first ransomware attacks occurred in the 1980s, ransomware did not start to proliferate until 2012/2013, and there was a significant uptick in attacks on hospitals and other healthcare providers in 2016. The first double extortion attacks started in 2019: attackers stole data before encrypting files and demanded payment both to obtain the keys to decrypt files and to prevent publication of the stolen data.
According to the study, by 2021, when 222 ransomware attacks were reported to the HHS’ Office for Civil Rights, around one-third of healthcare data breaches were the result of ransomware attacks. Since 2020, more than half of the individuals affected by reportable data breaches have had their data exposed or stolen in ransomware attacks. While ransomware attacks were behind only 11% of reported data breaches affecting 500 or more individuals in 2024, at least 69% of all patient records compromised in 2024 were due to ransomware attacks.
When OCR first started publishing data breaches on its data breach portal in late 2009, the majority of data breaches were due to loss, theft, improper disposal, and unauthorized access/disclosure incidents. Hacking and other IT incidents accounted for just 4% of data breaches in 2010, but by 2017, hacking and other IT incidents overtook all other breach types, accounting for 42% of reported data breaches and 70% of the affected individuals.
Of the 732 million individuals affected by healthcare data breaches between 2010 and 2024, 88% of those individuals had their data exposed or stolen in hacking/IT incidents, and 39% of individuals were victims of ransomware attacks. In 2024, hacking and other incidents accounted for 81% of all reported breaches and at least 91% of all breached records.
“Ransomware has become the most disruptive force in health care cybersecurity,” said John (Xuefeng) Jiang, Eli Broad Endowed Professor of accounting and information systems at the MSU Broad College of Business and lead author of the study. “Hospitals have been forced to delay care, shut down systems, and divert patients — all while sensitive patient data is held hostage.”
One of the main problems facing the healthcare industry is a lack of investment in cybersecurity. Healthcare providers have limited resources, so they need to think carefully about how best to allocate their limited budgets. Having accurate information on the nature of data breaches could help the industry to better prioritize investments; however, only limited information about the causes of data breaches is reported. For instance, breach notifications from victims of ransomware attacks now rarely disclose whether ransomware was involved.
“Whether it’s insiders making mistakes or criminal groups deploying ransomware, the effect on patients is the same: their most personal data is at risk,” said Ge Bai, professor of accounting and health policy at Johns Hopkins University. “By understanding what’s being targeted, we can help healthcare organizations strengthen their defenses.”
The researchers suggest that the HHS’ Office for Civil Rights should require HIPAA-regulated entities to disclose whether ransomware was involved in a data breach, and should require breach victims to also disclose how much care was disrupted by an attack, rather than just the number of individuals affected. They also recommend monitoring cryptocurrency flows to make it harder for ransomware groups to collect ransom payments.