On average, US healthcare organizations lose $1.9 million per day to downtime from ransomware attacks

Since 2018, US healthcare organizations have reported 654 successful ransomware attacks. These attacks compromised nearly 89 million patient records and had an often devastating impact on hospitals, clinics, and healthcare companies.

Over the last six years, we estimate healthcare organizations lost an average of $1.9 million per day of downtime following a ransomware attack, accumulating a total loss of $21.9 billion across the industry in downtime alone.

Ransomware attacks have been a well-known threat to medical organizations for several years, surging during the pandemic (110 in 2020 and 118 in 2021). After a dip in attacks in 2022 (84), 2023 saw a record-breaking number of attacks with 143 in total. The number of records affected also skyrocketed in 2023, with over 26 million breached last year (compared to 7.4 million in 2020, 22.7 million in 2021, and 14.2 million in 2022).

While ransomware attacks, in general, are destructive, the impacts on healthcare facilities are arguably some of the most catastrophic. They cripple key systems and prevent hospitals from accessing crucial patient data until either the ransom is paid for a decryption key or IT staff rebuild the affected systems and restore them from backups.

For example, Ascension suffered a ransomware attack on May 8, 2024. The attack caused disruptions across its healthcare network, which includes around 140 hospitals. Staff at those hospitals had limited access to electronic health records, experienced delayed and lost lab results, and in some cases made medication errors. In total, it's estimated that the attack will cost Ascension anywhere from $1.1 billion to $1.6 billion.

So, what is the true cost of these ransomware attacks across the healthcare sector in the US, how has the ransomware threat changed over the last few years, and what happened throughout 2024?

To find out, our team of researchers gathered information on all known ransomware attacks affecting medical organizations since 2018. Our team sifted through several different healthcare resources (specialist IT news, data breach reports, and state reporting tools) to collate as much data as possible on ransomware attacks on US healthcare providers. We then used all of the available data on downtime and ransom amounts to estimate a range for the likely cost of ransomware attacks on medical organizations. Because many of these incidents are never fully disclosed, we believe the figures only scratch the surface of the problem.

Please note: we have separated healthcare-based organizations, such as hospitals, clinics, pharmacies, and care homes from businesses that cater solely to the healthcare industry, e.g. pharmaceutical companies and medical manufacturers. The focus of this study is on companies that primarily offer a healthcare service and directly deal with patients and their data. As a result, some figures may differ from previous versions of this study.

Key findings

From 2018 to 2024, we’ve noted:

  • 654 individual ransomware attacks on medical organizations. 2023 saw a huge increase with 143 noted in total
  • 88,777,107 individual patient records were impacted. 2023 saw a record-breaking amount (over 26.2 million in total)
  • Over the last six years, an average day of downtime cost each healthcare organization around $1.9 million
  • We estimate the total cost of these ransomware attacks in downtime alone is around $21.9 billion
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • On average medical organizations lost over 17 days to downtime across all years. 2018 saw the lowest average downtime (4 days) while 2022 saw the highest (27 days)
  • Ransom demands varied from $4,000 to $10 million
  • Hackers demanded nearly $64.7 million across 55 attacks with an average ransom demand of $1.18 million
  • Conti, Maze, Hive, and Pysa dominated from 2018 to 2022 with LockBit taking over in 2023 alongside ALPHV/BlackCat and Karakurt. In 2024, BianLian accounted for the most confirmed attacks with INC following closely behind

The true cost of ransomware attacks on healthcare organizations

Ransom demands varied dramatically from $4,000 to $10 million. Plus, only a handful of providers publicly release the figures involved (we could only find a ransom demand figure for 55 out of the 654 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid ransoms, because publicizing a payment may incentivize further attacks.

The largest known ransom demands on healthcare organizations are as follows:

  1. OrthoVirginia – $10 million: OrthoVirginia was attacked by Ryuk ransomware in February 2021. The attackers demanded a colossal $10 million, which OrthoVirginia refused to pay. OrthoVirginia reported that it took 18 months to recover from the attack.
  2. Acadian Ambulance – $7 million: In June 2024, the EMS provider faced a $7 million demand from ransomware gang Daixin Team. After weeks of negotiations, Acadian’s offer of $173,000 wasn’t enough for the hackers who alleged to have stolen data from 10 million patients. Acadian issued data breach notifications to nearly 2.9 million people.
  3. Lehigh Valley Health Network – $5 million: The Pennsylvania healthcare network refused to pay $5 million to the ALPHV/BlackCat ransomware group after a February 2023 breach. Over 248,000 people were notified.
  4. UF Health Central Florida – $5 million: Unknown hackers demanded a ransom of $5 million from UF Health in June 2021. UF Health Central Florida refused to comment on whether the ransom was paid or not, but a data breach report was filed for 700,981 patients.
  5. Ann & Robert H. Lurie Children’s Hospital of Chicago – $3.4 million: Rhysida not only caused widespread disruption to the children’s hospital by encrypting systems but it also alleged to have stolen data and issued a $3.4 million ransom demand for it. The hospital refused to pay and data breach notifications were issued to nearly 792,000 people.

Based on the figures we do have available, we know:

  • Average ransom demand:
    • 2024 – $1.06 million
    • 2023 – $1.24 million
    • 2022 – $783,000
    • 2021 – $4 million
    • 2020 – $536,000
    • 2019 – $405,000
    • 2018 – $29,500
  • Ransom demanded (known cases):
    • 2024 – $23.2 million (22 cases)
    • 2023 – $13.7 million (11 cases)
    • 2022 – $2.4 million (3 cases)
    • 2021 – $20 million (5 cases)
    • 2020 – $2.1 million (4 cases)
    • 2019 – $3.2 million (8 cases)
    • 2018 – $59,000 (2 cases)

Adding in downtime

It is difficult to ascertain just how much is lost in these attacks to paid ransom demands, but there is a cost that affects the majority of attacked organizations: downtime.

Downtime occurs when hospitals/clinics shut down and/or medical services are largely unavailable. As a result, they might have to resort to pen and paper processes, cancel appointments, and divert patients to other facilities. As we have already seen, servers may be taken offline for hours, weeks, and even months. In some cases, data and/or computers are unrecoverable.

To try and gauge how much these ransomware attacks cost US healthcare organizations, we used the overall recovery costs quoted by 15 entities following their ransomware attacks. Using these totals and the amount of downtime caused by the attack, we were able to estimate an overall average downtime cost per day: $1,865,474.

The average cost per day across each year was as follows:

  • 2024 – N/A
  • 2023 – $4,221,111 (2 known cases)
  • 2022 – $1,504,574 (3 known cases)
  • 2021 – $1,571,772 (3 known cases)
  • 2020 – $1,899,552 (3 known cases)
  • 2019 – $44,067 (3 known cases)
  • 2018 – $4,480,000 (1 known case)

Because the per-year figures vary so widely (and rest on only one to three cases each), we used the single average across all 15 known figures rather than a per-year rate. We also omitted the recent figure of $1.1 billion to $1.6 billion for Ascension because it has not been finalized.

As well as the aforementioned costs quoted for Ascension, some of the largest recovery figures were as follows:

  • CommonSpirit Health – $160 million: This October 2022 attack is estimated to have cost a staggering $160 million. After the organization was hit on October 2, most providers were able to regain access to electronic health records (EHR) by November 9. The attack also resulted in the breach of 623,774 records.
  • Scripps Health – $112.7 million: Following the attack in May 2021, EHR was brought back online four weeks later. This resulted in recovery costs of nearly $113 million. Scripps Health also notified nearly 1.3 million people of a data breach following the attack.
  • Ardent Health Services – $74 million: Hit by an unknown group of hackers in November 2023, Ardent Health Services took around nine days to restore access to its electronic medical record platform and core business/clinical systems. In an SEC filing, Ardent said the incident had had an adverse pre-tax impact of approximately $74 million for the year ending December 31, 2023. This estimate included lost revenue due to the disruptions and costs to remediate the issue. 23,686 people were issued data breach notifications.
  • Universal Health Services – $67 million: Following an attack by Ryuk in September 2020, UHS spent three weeks and $67 million recovering.
  • University of Vermont Health Network – $65 million: The health network suffered nearly a month’s worth of delays after its attack in October 2020, leading to costs of $65 million.

Ransomware attacks on healthcare organizations by month and year

Ransomware attacks started to take hold in the medical sector in 2020. Just 53 attacks were reported in 2019 but 110 were reported in 2020, a 108 percent year-on-year increase. These figures increased further in 2021 to reach 118 attacks, before dropping to 84 attacks in 2022. Sadly, this dip in attacks was short-lived, as 2023 saw a new high with 143 reported in total. And with 118 reported in 2024 so far, it's likely this year's figure will end up similar to 2023's (many breach reports come months after an attack).

2023 also saw the highest number of breached records with over 26 million in total. 2021 saw the second highest with 22.7 million. 2024 has already recorded over 15 million breached records (which, again, is likely to increase as more data breaches are reported and figures finalized).

  • Number of attacks:
    • 2024 – 118
    • 2023 – 143
    • 2022 – 84
    • 2021 – 118
    • 2020 – 110
    • 2019 – 53
    • 2018 – 28
  • Number of patient records impacted:
    • 2024 – 15,148,946
    • 2023 – 26,228,756
    • 2022 – 14,165,829
    • 2021 – 22,676,331
    • 2020 – 7,441,520
    • 2019 – 2,548,795
    • 2018 – 566,930
  • Average downtime:
    • 2024 – 18.05 days
    • 2023 – 16.39 days
    • 2022 – 27.03 days
    • 2021 – 16.75 days
    • 2020 – 14.89 days
    • 2019 – 14.95 days
    • 2018 – 4.03 days
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2024 – 2,130 days
    • 2023 – 2,343 days
    • 2022 – 2,271 days
    • 2021 – 1,977 days
    • 2020 – 1,638 days
    • 2019 – 793 days
    • 2018 – 113 days
  • Estimated cost of downtime:
    • 2024 – $5bn
    • 2023 – $4.4bn
    • 2022 – $4.3bn
    • 2021 – $3.7bn
    • 2020 – $3bn
    • 2019 – $1.3bn
    • 2018 – $224m

Which state has seen the most ransomware attacks on medical organizations?

As we can see from the above map, California had the most ransomware attacks (66), accounting for just over 10 percent of the 654 attacks since 2018. But with such a large concentration of healthcare providers within this state, perhaps this isn’t too much of a surprise. Texas had the second highest with 49 reported healthcare ransomware attacks over the last six years, closely followed by New York with 47.

It's a similar picture for the number of records affected, too. California saw the most records impacted (over 12.6 million in total). Nearly half of these records stem from two attacks: a December 2022 attack on Regal Medical Group affecting nearly 3.4 million patients' records and the April 2021 hack on SmileBrands, Inc. which affected 2.6 million patient records.

Florida had the second-highest number of records affected (nearly 7.4 million patient records), followed by Texas (nearly 7 million patient records).

At the other end of the scale are North Dakota and South Dakota. Both have seen just one ransomware attack each over the last six years. No records are noted as being impacted in the South Dakota breach.

Patients whose data is compromised could live in any state and aren’t necessarily from the same state as the breached organization.

Ransomware attacks remain a dominant threat for US healthcare organizations

So far this year, 118 confirmed ransomware attacks took place in the US healthcare sector. We are also monitoring a further 147 unconfirmed attacks (ones that are claimed by ransomware groups but with no confirmation from the affected entity) on this sector. So, with a couple of weeks still to go until the end of the year, it’s highly likely that 2024 will see similar figures to 2023. This is also the case with the number of people impacted in these attacks with over 15 million breached patient records reported this year so far.

The amount of downtime caused by these attacks also remains high. With widespread disruption witnessed in a number of attacks in the past couple of months alone (including the likes of PrimaryPlus, Watsonville Community Hospital, and Brockton Neighborhood Health Center), it’s clear that hackers aren’t just succeeding in data theft but are causing unprecedented disruption with their malware.

Methodology

Our research found 654 ransomware attacks in total using specialist IT news, data breach reports, company notifications, and state reporting tools. We tried to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the healthcare entities where no downtime figures were available.

We looked through each organization’s financial statements and reports (where available) to find out the financial impact of these attacks. We then used these figures and the number of days of downtime to create an average cost of downtime per day. This was then used to estimate the cost of each attack where figures were unavailable. For example, Akumin, Inc. noted costs of $6.6 million in relation to its attack, which made systems unavailable for 30 days. This creates a daily cost of $220,000.
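The estimation procedure described above, with the two imputation steps made explicit: a pooled cost-per-day rate from the incidents that disclosed both a recovery cost and a downtime figure, and per-year downtime totals in which undisclosed cases take that year's average of disclosed ones. This is an added worked example, not the study's own tooling. Only Akumin's figures ($6.6 million, 30 days) come from the page; every other record in `SAMPLE` is constructed to illustrate the mechanics, and the `Attack` class and function names are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Attack:
    """One ransomware incident. None marks a figure the entity never disclosed."""
    year: int
    downtime_days: Optional[float]
    recovery_cost_usd: Optional[float]


# Constructed sample. Only the first record reuses figures from the page (Akumin:
# $6.6M in costs, 30 days of unavailability); the rest are made up for illustration.
SAMPLE = [
    Attack(2023, 30, 6_600_000),   # disclosed cost and downtime (Akumin figures)
    Attack(2023, 10, None),        # downtime disclosed, no financial statement
    Attack(2023, None, None),      # nothing disclosed
    Attack(2022, 20, 9_000_000),   # constructed: $450,000 per day
    Attack(2022, 40, None),
    Attack(2022, None, None),
    Attack(2022, None, None),
    Attack(2021, None, None),      # a year with no disclosed downtime at all
]


def cost_per_day(attacks: list[Attack]) -> float:
    """Pooled average daily downtime cost over incidents disclosing both figures.

    Each qualifying incident contributes recovery_cost / downtime_days (for the
    Akumin record, 6,600,000 / 30 = 220,000). Incidents with zero downtime cannot
    yield a per-day rate and are skipped; the study pooled 15 such cases.
    """
    rates = [
        a.recovery_cost_usd / a.downtime_days
        for a in attacks
        if a.recovery_cost_usd is not None and a.downtime_days
    ]
    if not rates:
        raise ValueError("no incident discloses both cost and downtime")
    return mean(rates)


def imputed_downtime(attacks: list[Attack]) -> dict[int, float]:
    """Per-year total downtime, filling undisclosed cases with that year's average.

    A year with no disclosed downtime falls back to the all-years average, so
    every incident contributes something to the total (zero days counts as a
    disclosed figure: minimal disruption, not a missing value).
    """
    known = [a.downtime_days for a in attacks if a.downtime_days is not None]
    if not known:
        raise ValueError("no incident discloses downtime")
    overall = mean(known)
    by_year: dict[int, list[Attack]] = {}
    for a in attacks:
        by_year.setdefault(a.year, []).append(a)
    totals: dict[int, float] = {}
    for year, group in by_year.items():
        year_known = [a.downtime_days for a in group if a.downtime_days is not None]
        fill = mean(year_known) if year_known else overall
        totals[year] = sum(
            a.downtime_days if a.downtime_days is not None else fill for a in group
        )
    return totals


def estimate_downtime_cost(attacks: list[Attack]) -> tuple[dict[int, float], float]:
    """Per-year estimated downtime cost and the grand total, in USD."""
    rate = cost_per_day(attacks)
    per_year = {year: days * rate for year, days in imputed_downtime(attacks).items()}
    return per_year, sum(per_year.values())


if __name__ == "__main__":
    print(f"pooled cost per day: ${cost_per_day(SAMPLE):,.0f}")
    per_year, total = estimate_downtime_cost(SAMPLE)
    for year in sorted(per_year, reverse=True):
        print(f"{year}: {imputed_downtime(SAMPLE)[year]:.0f} days, ${per_year[year]:,.0f}")
    print(f"total: ${total:,.0f}")
```

Note how sensitive the total is to the pooled rate: with only a handful of disclosed cost figures, one outlier (the study mentions $4.48 million per day from a single 2018 case and $44,067 per day in 2019) moves the per-day average, and therefore every imputed figure, considerably. Running the rate per year instead would change which incidents dominate, which is why the study states that it chose a single pooled average.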

We only include ransomware attacks that have specifically targeted a medical facility that offers patient services.

This year, we focused on attacks from 2018 to present. Previously, we had included data from 2016 and 2017, but these were removed to align our data with our ransomware trackers and to ensure data was as up to date as possible.

Data researcher: Danka Delić

For sources, please see our US ransomware tracker.