Healthcare cyberattacks surge: Ransomware behind one in three breached patient records
In the wake of escalating cyber threats and ballooning costs to health systems, new evidence reveals that ransomware has become a dominant driver of healthcare data breaches in the United States. The proliferation of ransomware attacks has coincided with a sharp rise in the volume and severity of breaches affecting protected health information (PHI) across hospitals, clinics, and insurance plans.
A new cross-sectional analysis, titled "Ransomware Attacks and Data Breaches in US Health Care Systems" and published in JAMA Network Open, quantifies this trend. Conducted by researchers from Michigan State University, Yale University, and Johns Hopkins University, the study analyzed data from 2010 to 2024, uncovering a dramatic transformation in the cybersecurity landscape of U.S. health care.
How prevalent has ransomware become in healthcare breaches?
The number of PHI data breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) more than doubled between 2010 and 2024, from 216 breaches to 566. Hacking or IT-related incidents, a category that includes ransomware, surged from just 4% of breaches in 2010 to 81% by 2024.
Within this broader category, ransomware emerged as a particularly destructive subset. In 2010, ransomware was absent from the public breach record. But by 2021, it was responsible for 31% of all breaches. Although this proportion decreased to 11% in 2024, the impact per incident increased sharply. Ransomware-related breaches affected 285 million patient records over the study period, more than one-third of all PHI records compromised between 2010 and 2024.
Even more striking, ransomware accounted for the majority of affected patients in recent years. In 2024 alone, ransomware was linked to 69% of all PHI records breached, despite comprising only 11% of total breach events. This reflects the large-scale operational reach and disruption capacity of each ransomware attack, disproportionately affecting entire systems and millions of patients at once.
Which entities are most at risk and why?
The study highlights that ransomware attacks are not confined to large health systems alone. Instead, they span the full range of HIPAA-covered entities, including hospitals, physician practices, health plans, and medical clearinghouses. These organizations are highly vulnerable due to a combination of high data sensitivity, outdated IT infrastructure, limited cybersecurity resources, and the critical need to maintain continuous operations.
The consequences extend beyond breached data. Ransomware attacks disrupt clinical workflows, halt billing and payment operations, and jeopardize patient safety. The February 2024 attack on Change Healthcare exemplifies the stakes. That single breach compromised the records of 100 million individuals and caused $2.4 billion in operational damages and recovery expenses across the industry.
While many breaches go unreported, particularly those involving fewer than 500 records, the available data point to systemic vulnerability. Health care systems are uniquely attractive to cybercriminals because of the high value of medical records, the urgency of access for patient care, and the historically slow pace of cybersecurity modernization in the sector.
The authors caution that the total ransomware footprint is likely undercounted. Some incidents evade detection, while others are obscured by vague classifications in OCR reporting. The study relied on narrative descriptions and digital forensic indicators, such as mentions of encryption, cryptocurrency ransom demands, and known attacker groups like LockBit or BlackCat, to identify ransomware attacks within hacking or IT categories.
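The screening approach described above, sketched as an added example (not the study's code or coding rules): narratives of hacking/IT breaches are matched against the indicator families the article names, and the flagged share of events is compared with the flagged share of records. The regex patterns, the `Breach` fields and the sample rows are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicator families named in the article; the exact patterns are assumptions.
INDICATORS = {
    "encryption": re.compile(r"\bencrypt(ed|ion|ing)?\b", re.I),
    "ransom_demand": re.compile(r"\bransom(ware)?\b|\b(bitcoin|cryptocurrency)\b", re.I),
    "known_group": re.compile(r"\b(lockbit|blackcat)\b", re.I),
}

@dataclass
class Breach:
    category: str   # breach type as reported, e.g. "Hacking/IT Incident"
    records: int    # individuals affected
    narrative: str  # free-text incident description

def matched_indicators(b):
    """Indicator names found in the narrative; only hacking/IT rows are screened."""
    if "hacking" not in b.category.lower():
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(b.narrative)]

def ransomware_shares(breaches):
    """(share of breach events, share of records) flagged as ransomware."""
    flagged = [b for b in breaches if matched_indicators(b)]
    events = len(flagged) / len(breaches)
    records = sum(b.records for b in flagged) / sum(b.records for b in breaches)
    return round(events, 3), round(records, 3)

# Constructed sample rows (not real OCR data).
SAMPLE = [
    Breach("Hacking/IT Incident", 900_000,
           "Attackers encrypted file servers and demanded payment in Bitcoin."),
    Breach("Hacking/IT Incident", 12_000,
           "Phishing email led to unauthorized mailbox access."),
    # Mentions encryption, but is not a hacking/IT row, so it is not screened.
    Breach("Theft", 3_000, "Laptop stolen; disk was not encrypted."),
    Breach("Unauthorized Access/Disclosure", 5_000,
           "Employee viewed records without authorization."),
    # Vague narrative: a ransomware case described like this would be missed.
    Breach("Hacking/IT Incident", 80_000,
           "Network server intrusion; cause under investigation."),
]

if __name__ == "__main__":
    for b in SAMPLE:
        print(f"{b.records:>9,}  {matched_indicators(b) or '-'}  {b.narrative}")
    print("events share, records share:", ransomware_shares(SAMPLE))
```

In the constructed sample one flagged incident is 20% of events but 90% of records, the same kind of skew the article reports for 2024, and the last row shows how a vague narrative leads to undercounting.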
What policy and security responses are needed?
The findings reveal a critical gap in how the U.S. healthcare system monitors and responds to cyberattacks. Ransomware is treated as a subset of hacking, lacking a dedicated classification field in federal breach reporting. This obscures its role and hinders effective response planning.
To improve surveillance and accountability, the researchers call for the inclusion of mandatory ransomware indicators in OCR breach reports. This would help differentiate ransomware from other forms of cyber intrusion and allow more accurate trend tracking. They also recommend revising severity metrics to account for the operational disruption, not just the number of records breached, as well as increasing federal attention to cryptocurrency transaction monitoring, which is often used for ransom payments.
The analysis further suggests that current regulatory and compliance frameworks fail to capture the full cost of ransomware in health care. By focusing solely on data exposure, they overlook the business continuity, patient care, and reputational damages incurred in major attacks. A more comprehensive risk model is needed to prioritize investments in cybersecurity, particularly for under-resourced hospitals and physician networks.
The study authors acknowledge limitations in their approach, including reliance on public data and underreporting biases. Nevertheless, the scale of documented breaches, over 732 million records affected between 2010 and 2024, demonstrates a clear upward trajectory driven by ransomware. Hacking and IT incidents alone accounted for 88% of all breached records in this period, with ransomware alone responsible for nearly 40%.
First published in: Devdiscourse