Ransomware attacks on America’s health care systems more than doubled from 2016 to 2021, exposing the personal health information of millions
The annual number of ransomware attacks on health care provider organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million individuals. A new report from the University of Minnesota School of Public Health (SPH), published in the Journal of the American Medical Association (JAMA) Health Forum, shows that ransomware attacks on health care providers are not just increasing in frequency; they are also becoming more severe, exposing larger quantities of personal health information and affecting large organizations with multiple health care facilities.
To conduct the study, researchers created a database called the Tracking Healthcare Ransomware Events and Traits (THREAT), a unique tool that for the first time allows researchers to track the occurrence of ransomware attacks on health care provider organizations.
Ransomware is a type of malicious software that prevents users from accessing their electronic systems and demands a ransom to restore access. While some prominent ransomware attacks on health care delivery organizations have received media attention, there is currently no systematic documentation of the extent and effect of ransomware attacks on our health care system.
In the first-ever comprehensive analysis of ransomware attacks on U.S. health care providers, researchers documented that between 2016 and 2021:
- 374 instances of ransomware attacks on health care delivery organizations exposed the personal health information of nearly 42 million individuals.
- Ransomware attacks more than doubled on an annual basis, from 43 to 91 per year.
- The number of individuals whose personal health information was exposed increased from approximately 1.3 million in 2016 to more than 16.5 million in 2021.
- Disruptions in care for patients as a result of ransomware incidents occurred in 166 — or 44% — of attacks.
- Among health care delivery facilities, clinics were the most frequent targets of ransomware attacks, followed by hospitals, ambulatory surgical centers, mental/behavioral health facilities, dental practices and post-acute care organizations.
“As health care delivery organizations have increased their reliance on information technology to serve their patients, they have unfortunately also increased their potential exposure to cybersecurity risks, such as ransomware attacks,” said Hannah Neprash, lead author and an assistant professor at SPH. “Despite this increased risk, information about the frequency and scope of these attacks is limited to anecdotal news coverage. This study and the development of the THREAT database address this gap, providing the first peer-reviewed analysis of the threat that ransomware poses to health care providers and the millions of patients they serve.”
Further research is needed to more precisely understand the operational and clinical care consequences of ransomware attacks on health care providers. The researchers also suggest that as policymakers craft legislation aimed at countering the threat of ransomware across multiple industries, they should consider the specific needs of health care delivery organizations and the potentially harmful consequences for patient care.