Since 2018, there have been 743 publicly-confirmed ransomware attacks on healthcare organizations around the world. Over the last four years, the cost per day of these attacks has been around US$900,000 in downtime alone.
We estimate the total cost of these attacks exceeds US$10 billion.
Ransomware attacks have the potential to cause widespread disruption to any organization. Not only can they encrypt key systems, they can put personal data at risk of theft and exploitation. In a healthcare environment, the stakes are even higher. Critical systems and patient data may become inaccessible, causing severe–and sometimes unrecoverable–delays and expenses.
Below, we explore the extent of ransomware attacks across healthcare organizations around the world. Using data from our worldwide ransomware tracker, our team explored the growing threat of ransomware in the healthcare sector and the true cost of these attacks. We only include publicly-confirmed attacks, so our figures likely only scratch the surface.
Note that just because a country may be denoted as having a higher number of attacks than others, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.
Key findings
From the beginning of 2018 to February 2024, our research found:
- 743 individual ransomware attacks on healthcare organizations. 2021 was the biggest year for attacks with 176 in total
- 2023 saw an uptick in attacks after a dip in 2022, rising to 162 from 136
- 82,620,953 individual patient records were impacted in these attacks–at least. 2023 saw 19.2 million affected–slightly less than the biggest year (2021 with 20.1 million)
- Over the last four years, an average day of downtime cost healthcare organizations around $900,000
- We estimate the total cost of these ransomware incidents exceeds $10 billion in downtime alone
- Downtime varied from a couple of hours of disruption to several months of systems not being at full capacity
- Hospitals lose a couple of weeks to downtime per attack, on average
- Ransom demands varied from $900 to $24.5 million
- The average ransom demand is just over $2 million
- LockBit carried out the most known attacks in 2023, closely followed by Karakurt. Hive was the most-used strain in 2022, with Pysa, Conti, and Vice Society being more dominant in 2019-2021
The true cost of ransomware attacks on healthcare organizations
Ransom demands vary considerably. Our figures include ransoms as low as $900 (disclosed by the Centre Hospitalier de la Tour Blanche à Issoudun in France in its 2019 attack) and as high as $24.5 million, or Rs 200 crore, which was allegedly demanded from the All India Institute of Medical Sciences (AIIMS). Understandably, many organizations don’t reveal the amounts demanded–especially when they’ve paid the hackers.
We found ransom figures in 74 cases. As well as the AIIMS one mentioned above, some other large figures were disclosed by:
- Health Service Executive (HSE), Ireland – $20 million: In May 2021, Conti demanded this figure from the HSE. It didn’t pay the ransom and recovery efforts went on for months.
- CUF, Portugal – $10.8 million: SamSam hit the hospital network in August 2018 and demanded €10 million. This wasn’t paid.
- Hillel Yaffe Medical Center, Israel – $10 million: In October 2021, hackers demanded $10 million from Israel’s Hillel Yaffe Medical Center. The center chose not to pay but recovery efforts took around one month.
- Le Centre Hospitalier Sud Francilien, France – $10 million: The CHSF in France was subject to a $10 million ransom demand in August 2022. The LockBit hackers later reduced this to $1 million. It wasn’t paid.
- OrthoVirginia, US – $10 million: In February 2021, OrthoVirginia received a $10 million ransom demand from Ryuk, which it didn’t pay. Recovery efforts took 18 months.
Based on the figures we do have available, we know:
- Average ransom demand:
  - 2024 (to Feb) – $1,200,098
  - 2023 – $1,416,089
  - 2022 – $2,945,849
  - 2021 – $4,218,910
  - 2020 – $603,821
  - 2019 – $356,937
  - 2018 – $1,812,833
- Ransom demanded (known cases):
  - 2024 (to Feb) – $6 million (5 cases)
  - 2023 – $21.2 million (15 cases)
  - 2022 – $47.1 million (16 cases)
  - 2021 – $59.1 million (14 cases)
  - 2020 – $4.2 million (7 cases)
  - 2019 – $3.9 million (11 cases)
  - 2018 – $10.9 million (6 cases)
The above shows how the average ransom demand has decreased in recent years. There also appear to be fewer confirmed ransom payments. However, as awareness of ransomware has grown, companies are likely keeping quiet about the size of ransom demands and whether or not they’ve paid them. Many believe that admitting to paying ransoms encourages further attacks.
This is reflected in the fact that no paid ransom amounts were revealed in 2023 and only one was revealed in 2022: just over $2 million was paid by Colosseum Dental after hackers wreaked havoc with systems at over 130 branches across Luxembourg, Belgium, and the Netherlands.
Adding in downtime
While calculating the cost of ransomware attacks through ransom payments is difficult, there is one aspect of these attacks that is easier to gauge–downtime.
In many cases, ransomware attacks render systems inaccessible for hours, days, weeks, and even months at a time. And in some of the worst cases, systems are completely unrecoverable.
To try and estimate the true cost of ransomware attacks on healthcare organizations, we used the overall ransomware recovery costs quoted by 33 entities. Using these amounts and the downtime caused in each of these attacks, we’ve created an average downtime cost per day per year. These are as follows:
- 2024 – no data available
- 2023 – $835,241*
- 2022 – $958,289
- 2021 – $941,776
- 2020 – $892,009
- 2018/19 – $566,493*
*Due to limited figures, the cost per day of downtime in 2018 and 2019 is based on an average of figures available for both years. 2023’s figures are also based on those available for 2023 and 2022 as limited data is available for 2023 with many financial reports still underway.
These figures demonstrate that the average cost of downtime to healthcare organizations has been around $900,000 per day for the last four years. Using these totals, we estimate that the total cost of ransomware attacks on these organizations since 2018 likely exceeds $10 billion.
Some of the biggest known recovery costs are as follows:
- CommonSpirit Health, US – $160 million: The estimated cost for this October 2022 attack is a whopping $160 million. After being hit on October 2, most providers had regained access to electronic health records (EHR) by November 9. The attack also resulted in the breach of 623,774 records.
- Scripps Health, US – $112.7 million: EHR was brought back online four weeks after the May 2021 attack. This led to recovery costs of $112.7 million. The data breach affected 147,267 people.
- Health Service Executive (HSE), Ireland – $96.5 million: As well as one of the biggest ransom demands, HSE was also hit with one of the biggest known healthcare recovery costs. It spent €89.7 million in response and recovery from the cyber attack. It also spent a further €54.8 million in IT upgrades (not included as not part of the downtime/impact). Recovery efforts ultimately lasted more than four months.
- Universal Health Services, US – $67 million: Following the attack in September 2020 by Ryuk, UHS spent three weeks and $67 million recovering.
- University of Vermont Health Network, US – $65 million: This attack in October 2020 caused nearly a month’s worth of delays for the health network and cost $65 million. Just last month, a Ukrainian man pled guilty to his role in the attack. He will be sentenced in May and faces up to 20 years in prison for this charge.
Ransomware attacks on healthcare organizations by year
As we’ve mentioned above, 2021 was the biggest year for ransomware attacks on healthcare organizations, accounting for nearly 24 percent (176) of all the attacks since 2018. However, following a dip in 2022, 2023 saw a significant rise in the number of attacks–increasing by 19 percent from 136 in 2022 to 162 in 2023.
The number of records affected also followed a similar trend with 20.1 million affected in 2021, 16.3 million affected in 2022, and 19.2 million affected in 2023. Data breaches are sometimes reported months after the incident, so it’s likely 2023’s figure will rise even further yet, potentially exceeding those of 2021.
- Number of attacks:
  - 2024 (to Feb) – 12
  - 2023 – 162
  - 2022 – 136
  - 2021 – 176
  - 2020 – 143
  - 2019 – 78
  - 2018 – 36
- Number of patient records impacted:
  - 2024 (to Feb) – 300,000
  - 2023 – 19,185,486
  - 2022 – 16,311,589
  - 2021 – 20,862,007
  - 2020 – 6,553,227
  - 2019 – 18,752,581
  - 2018 – 656,063
- Average downtime:
  - 2024 (to Feb) – 10 days
  - 2023 – 15.7 days
  - 2022 – 21 days
  - 2021 – 16.3 days
  - 2020 – 14.5 days
  - 2019 – 12.8 days
  - 2018 – 3.4 days
- Downtime caused (known cases):
  - 2024 (to Feb) – 40 days (4 cases)
  - 2023 – 674 days (43 cases)
  - 2022 – 987 days (46 cases)
  - 2021 – 751 days (46 cases)
  - 2020 – 478 days (33 cases)
  - 2019 – 334 days (26 cases)
  - 2018 – 37 days (11 cases)
- Estimated downtime caused (based on known cases and average in unknown):
  - 2024 (to Feb) – 120 days
  - 2023 – 2,539 days
  - 2022 – 2,877 days
  - 2021 – 2,876 days
  - 2020 – 2,069 days
  - 2019 – 996 days
  - 2018 – 122 days
- Estimated cost of downtime:
  - 2024 (to Feb) – $100.2m*
  - 2023 – $2.2bn
  - 2022 – $2.8bn
  - 2021 – $2.6bn
  - 2020 – $1.8bn
  - 2019 – $494.9m
  - 2018 – $88.5m
*2024’s downtime figures are based on 2023’s cost per day.
Healthcare organizations remain a key target for ransomware attacks
While it may have looked like things were changing for the better in 2022, all hopes of reduced ransomware risks in the healthcare sector were quashed in 2023. With an uptick in attacks, high volumes of records impacted, and huge disruptions, the healthcare sector remains a key target for ransomware.
What does 2024 hold?
Already this year we’ve seen some huge attacks on the healthcare industry. The ongoing attack on Change Healthcare is arguably one of the biggest the industry has ever seen. With latest reports suggesting the organization may have paid the hackers (ALPHV/BlackCat) $22 million in ransom, this paints a bleak picture.
While organizations should avoid paying the ransom at all costs, it is often, unfortunately, the quickest way to regain access to systems and data. In the case of Change Healthcare, pharmacies across the US have been disrupted for 10 days and counting. This is not only having a huge impact on the business but on patients who are trying to get their prescriptions. If Change Healthcare has indeed paid the ransom, it’s likely because the alternative was more expensive and more disruptive.
Other large attacks include:
- Romania’s Hippocrates Information System: the attack has impacted dozens of hospitals, with disruptions ongoing.
- Ann & Robert H. Lurie Children’s Hospital of Chicago: Rhysida is demanding $3.4 million in ransom.
- Bezirkskliniken Mittelfranken, Germany: recent updates suggest that building a new IT infrastructure could take up to six months.
- Centre Hospitalier d’Armentières, France: the attack has impacted 300,000 patients’ data.
While no industry can afford the downtime and data breaches that often arise from ransomware attacks, the healthcare sector is arguably the most sensitive to such attacks. With patients’ health and private medical data at risk, this industry remains an attractive option for hackers. And if Change Healthcare’s ransom payment is confirmed, it may have just become an even more lucrative target.
Methodology
Using the database from our ransomware attack map, our research found 743 healthcare ransomware attacks in total. From this data we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused. Where the amount of downtime wasn’t available, we used an estimated number of days based on the average in that particular year.
We looked through each organization’s financial statements and reports (where available) to find out the financial impact of these attacks. We then used these figures and the number of days of downtime to create an average cost of downtime per day. This was then used to estimate the cost of each attack where figures were unavailable. For example, Le Centre Hospitalier Sud Francilien (CHSF) noted overall recovery costs of $7.49 million following its attack. With downtime lasting two months, this creates a daily cost of $122,787.
Each breach was categorized into one of 17 medical organization types, which are defined as follows:
- Academic hospital
- Ambulance service
- Clinic: a clinic offering all-around healthcare services
- Clinic network: a system of clinics operating from more than one location to offer all-around healthcare services
- Dental: a practice offering dental healthcare services
- Government health: a general government department/entity that’s involved in a health-related data breach, e.g. the Department of Human Services
- Home/senior care: this includes organizations that may provide social services in the local community
- Hospital
- Hospital network: a system of hospitals operating from more than one location to offer all-around healthcare services
- Laboratory: a health-based laboratory business
- Mental health: e.g. services offering support for addiction
- Optometry: a practice offering optical healthcare services
- Pharmacy: an organization/network specializing in pharmaceuticals
- Rehabilitation services
- Research
- Specialist clinic: a clinic that operates under a certain area of healthcare, e.g. physicians or rehabilitation centers
- Specialist clinic network: as above but operating from multiple clinics/locations
Data researchers: Charlotte Bond, Rebecca Moody