Ransomware attacks on health care facilities doubled from 2016 to 2020

The annual number of ransomware attacks on health care delivery organizations in the United States more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients, a recent study found.

Health care delivery organizations have become increasingly reliant on health information technology, Hannah T. Napresh, PhD, an assistant professor in the division of health policy and management at the University of Minnesota, and colleagues wrote in JAMA Health Forum. Exposure to cybersecurity risks has risen as a result.

“While some prominent ransomware attacks on health care delivery organizations have received considerable media attention, to our knowledge, there is presently no systematic documentation of the extent and effect of ransomware attacks,” they wrote.

The researchers created the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which combined proprietary data from the cybersecurity intelligence company HackNotice and from the HHS Office for Civil Rights data breach portal. They then used the data to identify breaches in cybersecurity, as well as ensuing disruptions and exposure of patients’ personal health information (PHI) at health care delivery organizations from 2016 to 2021. Breaches were considered ransomware attacks if supplemental data on the breach included a mention of “ransomware.”

“Our definition of ‘health care delivery organization’ was intentionally expansive, including hospitals, clinics, diagnostic laboratories, dental offices, substance use treatment centers, pharmacies, emergency medical services, and post-acute care facilities,” Napresh and colleagues wrote.

The researchers found that 374 ransomware attacks occurred during the examined timeframe, with the annual number of attacks doubling from 43 in 2016 to 91 in 2021. PHI exposure also rose from 1.3 million patients to 16.5 million patients from 2016 to 2021.

Of the total instances, 44.4% (n = 166) disrupted the health care delivery systems. Frequent disruptions included:

• electronic system downtime (n = 156; 41.7%);
• cancellations of scheduled care (n = 38; 10.2%); and
• ambulance diversion (n = 16; 4.3%).

Napresh and colleagues reported that ransomware attacks increasingly affected larger medical organizations with multiple facilities (marginal effect [ME] = 0.08; 95% CI, 0.05-0.1) and mental and behavioral health care delivery organizations (ME = 0.04; 95% CI, 0.01-0.06).

There was also a significant increase in the number of attacks in which stolen PHI data were publicly exposed (ME = 0.03; 95% CI, 0-0.06) and in the number of attacks that led to cancellations or delays in scheduled care (ME = 0.02; 95% CI, 0-0.05).

The researchers noted that the increase in larger organizations being attacked, as well as the jump in PHI exposure, could suggest that health care ransomware attacks “have increased in sophistication as well as in frequency.”

They also reported that the findings are consistent with reports that ransomware actors increasingly targeted health care delivery organizations during the COVID-19 pandemic. In 2020, close to 90 ransomware attacks occurred, whereas the previous high since 2016 had been about 65.

Napresh and colleagued faced several limitations. A number of ransomware attacks on organizations were omitted, and many of the findings were likely underestimates due to underreporting, according to the researchers. They were also unable to comment on traits of organizations that successfully evaded attacks.

Moving forward, the researchers advocated for more research on ransomware attacks “to more precisely understand the operational and clinical care consequences of these disruptions.”