Microsoft reports that over 389 U.S. healthcare institutions were paralyzed by ransomware in 2024 alone, marking a 300% increase in incidents since 2015. These attacks disrupt operations on a scale that is unmanageable for many hospitals, delaying critical patient care and causing downtime losses of up to $900,000 per day.
Cyberattacks on healthcare facilities have broadened in frequency and scope due to Ransomware-as-a-Service (RaaS) models, which make it possible for even the least skilled attackers to extort millions of targeted organizations. Common attack methods include phishing, exploiting unpatched systems, and double extortion, where attackers demand a ransom to prevent data leaks.
While the average ransom payout rose to $4.4 million, beyond finances, its impacts ripple to patient outcomes dramatically, causing surgery delays, postponed emergency care, and longer wait times.
One research reports that even neighboring facilities are overburned during these attacks, with a large number of displaced emergency patients. During one such event, stroke cases reported a 113% rise in nearby hospitals, and survival rates plummeted—from 40% to 4.5% for out-of-hospital cardiac arrests during attack periods.
Earlier this year, Change Healthcare was infiltrated by the BlackCat ransomware group, which accessed systems lacking multi-factor authentication. UnitedHealth Group (UHG), which owns Change Healthcare, confirmed that the breach involved data on almost a third of the U.S. population. Following the attack, Change Healthcare had to shut down portions of its network, and months later, it still hasn’t fully recovered.
“The cyberattack laid bare the vulnerability of our nation’s healthcare infrastructure,” said a spokesperson for UHG.
UHG reportedly paid an unprecedented $22 million ransom to the ALPHV/BlackCat group behind the Change Healthcare attack. While Change secured a copy of the stolen data in return, there is no evidence that the cybercriminals actually deleted it, raising questions about the effectiveness of ransom payments as a strategy.
Nation-states like Russia, China, and Iran leverage these for espionage or geopolitical advantage. Iran’s Pioneer Kitten has specifically targeted American healthcare for data theft and ransom. Such threats reflect the increased interest of hostile state actors in destabilizing U.S. healthcare.
These incidents have sparked calls for stronger regulatory safeguards. Senator Ron Wyden recently criticized UnitedHealth’s “lax cybersecurity practices,” urging Congress to impose stricter cybersecurity standards for healthcare providers, particularly those managing vast amounts of patient data. Regulatory bodies, such as the Department of Health and Human Services (HHS), have echoed these concerns, advocating for cybersecurity investments that extend beyond data privacy to encompass resilience measures aimed at protecting service availability and patient safety.
In the meantime, hospitals continue to absorb the losses while cybercriminals exploit the U.S. healthcare system’s vulnerabilities. Until new regulations take hold, patients and providers alike face continued threats to both safety and financial stability, as ransomware remains a formidable adversary in American healthcare.