Throughout last year, 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated cost of these attacks in total is nearly $21 billion, according to a recent analysis from security company Comparitech.
For the research, Comparitech gathered information on all of the ransomware attacks affecting healthcare organizations since 2016. Importantly, however, breaches are only published by the U.S. Department of Health & Human Services (HHS) if they affect over 500 people. For those breaches impacting fewer than 500, the public might only find out if the healthcare organization undergoes severe disruption, which sometimes makes the news. If the latter is the case, these reports will have been included in this Comparitech study.
Ultimately, to figure out the true cost of ransomware attacks on U.S. healthcare organizations, the Comparitech team sifted through several different healthcare resources, including specialist IT news, data breach reports, and the HHS reporting tool, to collect as much data as possible on ransomware attacks on healthcare providers. They then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to healthcare organizations. “Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem,” they noted.
Key findings from the report include:
- One of the 92 ransomware attacks in 2020 was the one on Blackbaud, a third-party service vendor whose clients around the world were affected by the wide-reaching security incident. To date, 100 U.S. healthcare organizations are noted as having been impacted by this attack, affecting over 12.3 million patient records.
- The 92 individual ransomware attacks on healthcare organizations represent a 60 percent increase from 2019.
- The 18,069,012 individual patients/records affected signify a 470 percent increase from 2019.
- Almost 50 percent of Maine’s population was impacted by ransomware attacks in 2020. Maine’s two impacted organizations are located solely in Maine, and the breaches at both, the Opportunity Alliance (4,500 records affected) and Northern Light Health (657,392 records affected), were part of the Blackbaud ransomware attack.
- Downtime varied from minimal impact due to frequent data backups to weeks or months of paper-only systems. One healthcare organization even lost all of the patient records involved in its attack.
- Based on the average ransom demand in 2020 being $169,446 (according to the average across all of the quarterly reports from Coveware data), hackers demanded an estimated $15.6 million in ransoms.
- According to Coveware, the average amount of time lost to downtime was 15, 16, 19, and 21 days for Q1, Q2, Q3, and Q4 of 2020, respectively. This means that, in just a year, the downtime caused by these attacks has increased by nearly a week. Based on these figures and the quarter in which the attacks took place, ransomware attacks may have caused 1,669 days (40,056 hours) of downtime to healthcare organizations in 2020. A 2017 estimate places the average cost per minute of downtime at $8,662, and this would mean the cost of downtime to healthcare organizations in 2020 was around $20.8 billion.
- Hackers received at least $2,112,744 in ransom payments (plus the undisclosed amounts paid by Blackbaud and in several other attacks).
One organization, Universal Health Services (UHS), recently reported that it lost $67 million after its Ryuk ransomware attack in September 2020. It took three weeks for the organization to get its 400 U.S. health system sites back online. UHS was one of six U.S. hospitals that were hit, in the space of 24 hours last fall, with Ryuk ransomware attacks demanding up to $1 million. Some hospitals paid the attacker’s demands, according to a Washington Post report at the time. Federal agencies do not recommend paying ransoms, as payment does not guarantee that files will be recovered.
According to the Comparitech team, “Ransomware will continue to be a growing concern for organizations and patients alike. Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.”