Ransomware attacks on healthcare facilities more than doubled between 2016 and 2021, according to a 2023 report from the University of Minnesota (UMN) – and the most recent statistics show it’s not getting better anytime soon.
In this post, we look at several recent attacks on hospitals and other healthcare facilities, and how they happened.
Statistics on Ransomware in Healthcare
67% of surveyed healthcare organizations were hit by ransomware in 2024, according to Sophos – a four-year high. And, while a 2025 report shows that healthcare organizations are strengthening their defenses, rates of data recovery after an attack have been decreasing.
The typical cost & impact of an attack
Ransomware attacks can be extremely costly and disruptive for a healthcare organization, as UMN’s report found:
- Nearly half of the attacks (44.4%) disrupted the actual delivery of healthcare.
- In 8.6% of the attacks, operations were disrupted for more than 2 weeks.
- In addition to the operational disruptions, the attacks exposed the protected health information (PHI) of nearly 42 million patients.
- Attacks have forced many health facilities to cancel scheduled care, revert to paper records and even divert ambulances to alternative hospitals.
On average, it costs about $1.02 million for a healthcare provider to recover from a ransomware attack, according to Sophos. However, these costs can skyrocket for some attacks, as the examples below illustrate.
Ransomware Attacks on Healthcare Facilities
Change Healthcare
The 2024 ransomware attack on Change Healthcare – a payment-processing subsidiary of UnitedHealth – is now considered one of the most disruptive healthcare cyberattacks in history. The attack crippled billing and prescription processing for pharmacies and hospitals nationwide for weeks. Worse yet, the attack compromised the personal data of millions.
The impact:
- 94% of hospitals were affected by the breach, according to an American Hospital Association (AHA) survey, even though the attack was on a single vendor.
- More than 190 Americans’ personal/medical data was compromised.
- Change Healthcare paid a $22 million ransom to its attackers, but did not get its data back.
Ascension Health
In May 2024, Ascension—one of the largest nonprofit health systems in the U.S.—suffered a ransomware attack caused by a single employee who accidentally downloaded a malicious file, allowing attackers to infiltrate seven of Ascension’s 25,000 servers.
The impact:
- Several of Ascension’s hospitals were forced to divert ambulances to other facilities and pause elective surgeries. Clinical staff reverted to manual “pen and paper” charting for approximately six weeks.
- More than 5.5 million medical records were compromised, making it one of the largest breaches of the year.
- Ascension reported a $1.8 billion operating loss for the fiscal year, and the health system now faces multiple class-action lawsuits alleging negligence in protecting patient data.
Universal Health Services (UHS)
Back in September 2020, the attack on Universal Health Services (UHS) was considered one of the worst ransomware attacks on the healthcare industry at the time. UHS has over 400 facilities located in the U.S. and Great Britain, and the attack took down the computer networks for all of them simultaneously.
The impact:
- As the attack unfolded, ambulances had to be redirected, patients were relocated and IT systems were taken offline.
- Staff were forced to switch to paper systems, which significantly slow down processes, especially when working under emergency conditions.
- UHS systems were offline for roughly three weeks, and it was determined Ryuk ransomware was the culprit.
Reportedly, UHS didn’t pay the ransom. Ultimately though, they suffered $67 million in losses due to the malware attack.
Sky Lakes Medical Center
In October 2020, the Sky Lakes Medical Center in Klamath Falls, OR, was crippled by a ransomware attack that froze patient medical records, delayed surgeries, curbed diagnostic imaging and negatively impacted the facility’s ability to offer computer-controlled cancer treatments.
The impact:
- In an announcement filed at the time, the medical center admitted its computer systems were compromised but found no evidence patient records were breached.
- A day later, some operations were restored but functioning was “slower” per the facility.
- In early November, the organization announced it was replacing PCs at risk for infection and rebuilding others to create a virus-free network.
Sky Lakes Medical Center was able to restore its systems from the Ryuk ransomware attack and did not pay cybercriminals any ransom. In total, they replaced about 2,000 computers.
St. Lawrence Health System
Upstate New York-based St. Lawrence Health System announced in October 2020 that three of its hospitals (Canton-Potsdam, Massena and Gouverneur) had suffered ransomware attacks from the Ryuk ransomware variant. The attacks were detected several hours after the initial compromise, and authorities were notified. As a result of the breach, the facilities were forced to shut down their computer systems to contain the spread of the malware, and they were also forced to divert ambulances.
The impact:
- “The Health System’s Information Systems (IS) department disconnected all systems and shut down the affected network to prevent further propagation,” the health system said in a news release, per WWNY.
- “These locations are utilizing their established backup processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”
- The healthcare organization further went on to say they analyzed the attack and “established a mitigation and remediation plan” with plans to reboot facility systems. The news release stated no patient or employee data appears to have been compromised.
Sonoma Valley Hospital
In October 2020, the California-based Sonoma Valley Hospital was also infected by ransomware. Attackers took tens of thousands of patient records, including personal and medical data. This event was part of a larger attack that was targeting hospitals across the U.S.
In response, Sonoma Valley Hospital quickly notified law enforcement and followed up with a letter to the affected patients. Once the breach was discovered, the facility shut down its computers.
The impact:
- During the course of its investigation, Sonoma Valley Hospital estimated roughly 67,000 patients whose insurers were billed for medical services between 2009 and later may have been compromised.
- Other patient information and patient financial information (credit cards and SSNs) was not impacted.
- The event was publicly disclosed in December 2020. According to media reports, Sonoma Valley Hospital did not pay threat actors the demanded ransom.
Rehoboth McKinley Christian Health Care
New Mexico-based Rehoboth McKinley Christian Health Care is a nonprofit hospital that serves the Navajo Nation. In February 2021, the facility was targeted by a known ransomware group that not only encrypted sensitive employee information but also stole and leaked that data online. The exploited information included job applications, employee background checks and employee injury reports, along with some patient information, according to Health IT Security.
Upon discovery, systems were reportedly taken offline, and the hospital had to revert to paper processing to keep the facility running.
The impact:
- While tight-lipped initially, the hospital finally revealed in May 2021 that it was the victim of a ransomware attack that included data exfiltration.
- It’s unknown whether Rehoboth McKinley Christian Health Care paid the ransom, but media reports speculate that the facility may have met the attackers’ demands, since the hackers eventually removed the stolen data from their website.
- The breach compromised the data of over 207,000 individuals, leading to a class-action lawsuit.
St. Margaret’s Health
The February 2021 ransomware attack on St. Margaret’s Health is notable because St. Margaret’s was the first hospital forced to permanently close its doors in the years following the attack. Initially, the Illinois-based hospital shut down its systems, including patient web portals and email, in an attempt to contain the infection. But the impact of this was costly and wide-ranging.
The impact:
- The attack left the hospital unable to submit claims to insurers for months, sending it into a financial downward spiral.
- The Spring Valley hospital community had to divert patients (including emergencies) to another facility over 30 minutes away.
- The ensuing cash-flow crisis, combined with pandemic-era financial struggles, forced the health system to close all operations in 2023.
University Hospital
In September 2020, University Hospital in Newark, NJ, fell victim to a ransomware attack that stemmed from a deceptive phishing scheme. The attack, carried out by a group known as SunCrypt, stole and encrypted 240 GB of data, including patient information, according to Bleeping Computer.
The impact:
- To prevent the sensitive information from being published, the facility paid $670,000 in ransom.
- Before the ransom was paid, the cybercriminals posted an archive of 48,000 documents belonging to the NJ-based hospital. Knowing the attackers held unencrypted data, the facility wanted to ensure no additional sensitive information was published.
- Initially, the hackers were demanding $1.7 million in ransom, but decided to negotiate due to pandemic conditions caused by COVID-19. In exchange for the bitcoin amount, operators provided the hospital with a decryptor, all stolen data and an agreement not to share any more data or attack University Hospital again.
Conclusion
The examples above represent only a fraction of the threats currently targeting the healthcare industry. With ransomware attacks in healthcare hitting a four-year high in 2024, the tactics have shifted from simple data encryption to aggressive double-extortion and supply chain compromise. The costly impact of these incidents is continued evidence that health organizations must deploy more aggressive safeguards to prevent, mitigate and recover from ransomware.
Learn More about Protecting Your Healthcare Organization from Ransomware
Learn more about today’s recommended data protection for healthcare organizations to see how your facility can avert a costly ransomware attack with robust data backup, cybersecurity, business continuity and disaster recovery solutions. Schedule a meeting with one of our data-protection experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.