We identified 65 ransomware attacks on U.S. hospitals between 2016 and 2022 that met the study criteria, as detailed in Table 1. Our results revealed that the majority of ransomware incidents, 83.1%, occurred in metro hospitals. Rural and micro hospitals reported significantly fewer incidents, comprising 10.8% and 6.2% of cases, respectively. In terms of hospital size, medium-sized hospitals with 100–199 beds were disproportionately affected, experiencing 24.6% of all incidents. This may be significant as these hospitals represent only 19.2% of all U.S. hospitals, according to data from the AHA Annual Survey Database. In contrast, larger hospitals with 500 or more beds, which make up just 5.6% of all U.S. hospitals, were involved in 16.9% of the ransomware incidents. Meanwhile, smaller hospitals, with 6 to 24 beds, accounted for 9.2% of the incidents despite making up 14.3% of the national hospital population, according to the AHA Annual Survey Database. Seven themes emerged from the thematic analysis, summarized in Table 2. Each offered deeper insights into various aspects of ransomware incidents. The representative quotes provided a more detailed view of ransomware incidents within hospitals, illustrating the depth and variety of each identified theme.
Table 1 Characteristics of U.S. hospitals
Table 2 Summary of themes, codes, keywords, and example quotes
3.1 The scale of ransomware
In this theme, the large number of individuals affected and the diverse methods used by cybercriminals to gain unauthorized access to computers and networks illustrate the extent of ransomware attacks. Statements such as “a ransomware attack affecting the electronic protected health information (ePHI) of approximately 3,320,726 individuals” and “The covered entity (CE) reported that it was the victim of a ransomware attack that compromised the protected health information (PHI) of 1,228,093 individuals” exemplify the extensive impact of these hospital ransomware incidents.
Hospital information system architectures are complex, and a single ransomware incident can ripple throughout a network. Numerous ransomware attacks of varying severity were observed in the data across healthcare facilities. The data show a wide array of healthcare facilities affected through their network connections, as acknowledged in statements from hospitals such as: “The [CE] [omitted name] Health + Hospitals reported that its business associate was the victim of a ransomware attack.”
Reported attack methods include phishing emails, exploiting server vulnerabilities, and other tactics to gain access to a computer or network. A common location for ransomware attacks is network servers. For example, one hospital reported a breach initiated by a phishing email: “The [CE], [omitted name], reported that on [omitted date], its workforce member responded to a phishing email,” while another incident involved ransomware placed directly on a server, impacting PHI storage: “Hackers placed ransomware on the [CE’s] computer server. The servers stored [PHI].”
Ransomware attacks often culminate in demands for payment, with some entities opting to pay the ransom to regain data access. In one case, “the hackers demanded a ransom, which the CE paid. After payment of the ransom, the CE regained access to the data on the server.” The challenges healthcare organizations face when responding to ransomware threats are evident in this case.
3.2 Extent of protected health information vulnerability
This theme addresses the vulnerabilities in hospital data security that make protected health information (PHI) susceptible to ransomware attacks. Vulnerabilities often involve compromised sensitive health details such as diagnoses, medications, medical histories, treatment records, and personal identifiers—names, driver’s license numbers, and contact details. Examples include:
“The PHI involved included names, addresses, dates of birth, and driver’s license numbers that were compromised.”
“Data on the servers was encrypted, including names, social security numbers, claims information.”
“The compromised ePHI involved included names, marital status, sex, race/ethnicity, and birthdates.”
Furthermore, incidents frequently expose social security numbers and financial data, enhancing the risk:
“The ePHI involved included names, addresses, dates of birth, email addresses, Social Security numbers, telephone numbers, financial information, and treatment information.”
“The PHI involved included names, dates of birth, Social Security numbers, addresses, driver’s license numbers, medications prescribed, diagnoses, and financial and other treatment information.”
Clinical and medical data vulnerabilities are highlighted by the accessibility of medical record numbers, prescriptions, lab results, and health insurance information:
“…diagnoses, prescription information, lab results, health insurance information, and other treatment information.”
“Claims information, diagnoses, lab results, medications prescribed, and other treatment information.”
“The ePHI involved included diagnostic images.”
The widespread nature of these vulnerabilities underscores the extensive risks to patient and private data in the face of ransomware threats.
3.3 Response and notification protocols
This theme details a comprehensive response to ransomware incidents by hospitals, ensuring compliance with legal mandates and maintaining transparency. Key protocols include notifying the Department of Health and Human Services (HHS), the media, and affected individuals. Notably, notifications often lead to the Office for Civil Rights (OCR) providing technical assistance to ensure adherence to the Breach Notification Rule. For instance, it was reported that “The CE notified HHS, affected individuals, and the media. OCR provided the CE with technical assistance regarding the Breach Notification Rule.”
Hospitals routinely use substitute notices and issue detailed media statements to disclose incidents following a ransomware attack. Examples include: “The CE and BA notified HHS, affected individuals, and the media, and provided substitute notice,” and “The CE notified HHS, affected individuals, the media, and posted substitute notice on its website.”
3.4 Implementation of safeguards
Hospitals have responded to ransomware attacks by implementing a variety of technical and administrative safeguards. These measures include the adoption of encryption and advanced malware detection systems, comprehensive overhauls of policies, issuance of internal email warnings, and the establishment of phishing threat reporting mechanisms. Moreover, hospitals have conducted thorough risk assessments, enhanced their security monitoring, and intensified training on security, HIPAA best practices, and phishing prevention. Key implementations are highlighted through specific instances:
“Upon discovery of the breach, the CE adopted new technical safeguards, revised its policies and procedures, and retrained its employees.”
“…in response to the breach, the BA strengthened its administrative and technical safeguards to better protect ePHI.”
“Additionally, the CE sent internal email users an email banner with additional warnings about emails that contain links and are from outside the organization and set up an internal phishing inbox for users to submit potential threats.”
“The CE expanded its data security monitoring, updated its security management policies, and provided additional training to staff.”
“In response to the breach, the CE implemented additional administrative and technical safeguards and retrained its staff.”
“In response to the breach, the CE provided the BA with training on HIPAA requirements to protect and secure ePHI.”
Based on these statements, a marked shift towards stronger security controls and increased awareness was observed in the affected hospitals.
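As an added illustration of the “email banner” safeguard quoted above (this is example code written for this discussion, not code from the study or from any hospital it cites), the following Python script tags inbound messages that both originate outside the organization and contain links, prepends a warning banner to the plain-text body, and adds a marker header that a downstream mail filter or SIEM could count. The organization’s domains, the phishing-report mailbox address, and the two sample messages are constructed for the example.

```python
"""Warning banner for external inbound mail that contains links.

Added example (not from the study or any quoted hospital). The internal
domains, the phishing-report mailbox and the sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organization's own sending domains.
INTERNAL_DOMAINS = {"hospital.example", "mail.hospital.example"}
# Assumption: the internal mailbox where users submit suspected phishing.
PHISHING_INBOX = "phishing@hospital.example"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Kept to short lines so the body stays 7bit-encodable after modification.
BANNER = (
    "[EXTERNAL] This message is from outside the organization and contains links.\n"
    "Do not click links or open attachments unless you recognize the sender.\n"
    f"Forward suspicious messages to {PHISHING_INBOX}.\n"
)


def is_external(from_header: str) -> bool:
    """True when the From: domain is not one of ours. A missing or unparsable
    address is treated as external so the banner fails safe."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def extract_links(text: str) -> list[str]:
    """Return every http(s) URL found in the body text."""
    return URL_RE.findall(text)


def annotate(raw: str) -> tuple[str, bool]:
    """Parse a raw RFC 5322 message. If it is external and its plain-text body
    contains links, prepend the banner and add a marker header.
    Returns (message text, whether a banner was applied)."""
    msg: EmailMessage = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is None:  # HTML-only or attachment-only: nothing to tag here
        return raw, False
    text = body.get_content()
    if not (is_external(str(msg.get("From", ""))) and extract_links(text)):
        return raw, False
    body.set_content(BANNER + "\n" + text)
    msg["X-External-Links"] = "yes"  # marker for downstream filtering/reporting
    return msg.as_string(), True


# Constructed sample messages.
SAMPLE_EXTERNAL = (
    "From: Billing Desk <billing@vendor-invoices.example>\n"
    "To: staff@hospital.example\n"
    "Subject: Overdue invoice\n"
    "\n"
    "Please review your account at https://vendor-invoices.example/login today.\n"
)
SAMPLE_INTERNAL = (
    "From: IT Helpdesk <helpdesk@hospital.example>\n"
    "To: staff@hospital.example\n"
    "Subject: Scheduled maintenance\n"
    "\n"
    "Details are on the intranet: https://intranet.hospital.example/maintenance\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        out, tagged = annotate(sample)
        print("tagged" if tagged else "untouched")
        print(out)
```

The check is deliberately conjunctive (external sender and a link present), matching the quoted statement; a deployment that also wanted to flag external mail with attachments would extend `annotate` rather than the banner text.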
3.5 Investigation and regulatory compliance
Ransomware attacks on healthcare institutions highlight the multifaceted nature of investigation and regulatory compliance. Each incident is investigated internally, often supplemented by third-party forensic analyses. The statements below illustrate our findings:
“In response to the breach, the BA retained a third-party forensic investigator that identified the vulnerability, which allowed the breach to occur; the BA remediated this issue in its mitigation efforts to better secure its sensitive data.”
“The CE hired a third party to perform a forensic investigation, and the CE provided a complete copy of the investigative report to OCR.”
Regarding regulatory compliance, we found that the OCR frequently conducts compliance reviews. Examples include:
“During the investigation, OCR provided the CEs with technical assistance regarding the HIPAA Rules.”
“OCR obtained assurances that the CE implemented the corrective actions noted.”
3.6 Third-party involvement
This theme underscores the critical risk factor of the interconnected nature of healthcare systems due to the frequent involvement of business associates (BAs) in cybersecurity incidents. The dependency on BAs, such as billing companies, IT service providers, and EHR vendors, who often access sensitive hospital data, introduces significant third-party risk exposure. Two key subthemes highlight the multifaceted challenges:
3.6.1 Risk exposure
Healthcare delivery efficiency depends heavily on seamless collaboration between hospitals and their BAs. This interdependence, while crucial for operational efficiency, also poses heightened security risks, as breaches in BA systems can directly impact hospital operations. For example: “The [CE] [name omitted] reported that its [BA] experienced a ransomware attack affecting the [ePHI] of approximately 3,320,726 individuals.”
3.6.2 Direct impact
The consequences of ransomware attacks on BAs often extend to exposing sensitive patient data, requiring immediate and strategic responses to mitigate risks. For instance:
“The [CE] [name omitted] Healthcare Corporation reported that its [BA] was targeted in a ransomware attack that compromised the ePHI of 64,600 individuals, including sensitive information like names, addresses, and Social Security numbers.”
This theme provides a comprehensive understanding of the challenges hospitals face with interconnected digital environments.
3.7 Victim support services
A common response to ransomware incidents is to offer credit monitoring and identity protection services to affected individuals. Specific measures include:
“In response to the breach, the [CE] implemented additional technical safeguards and provided complimentary credit monitoring services to affected individuals.”
“Complimentary credit monitoring services were provided to affected individuals. In response to the breach, the CE provided the BA with training on HIPAA requirements to protect and secure ePHI.”
These results may indicate a proactive stance by hospitals in addressing both the immediate and extended risks associated with ransomware incidents, focusing on support for victims.