Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021

Key Points

Question: How frequently do health care delivery organizations experience ransomware attacks, and how have the characteristics of ransomware attacks changed over time?

Findings: In this cohort study of 374 ransomware attacks, the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients. During the study period, ransomware attacks exposed larger quantities of personal health information and grew more likely to affect large organizations with multiple facilities.

Meaning: The study results suggest that ransomware attacks on health care delivery organizations are increasing in frequency and sophistication; disruptions to care during ransomware attacks may threaten patient safety and outcomes.


eAPPENDIX: Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Service

Process for Identifying Data Breaches that were Ransomware Attacks
To determine whether each healthcare provider data breach was specifically a ransomware attack, we searched supplemental sources, including press releases issued by the attacked organization, public disclosures (i.e., posted copies of form letters sent to patients whose PHI was exposed during the attack), local and national news reports, and healthcare trade press coverage. Data breaches were deemed ransomware attacks if sources included mention of the following keywords:
• "Ransomware"
• "Malware" AND "ransom" OR "payment" OR "payment demand" OR "extort%"
• "Cyberattack" AND "ransom" OR "payment" OR "payment demand" OR "extort%"
When supplemental sources mentioned malware or a cyberattack without explicitly referencing a payment demand or extortion attempt, the breach was not categorized as a ransomware attack. We further classified a data breach as ransomware if the HHS OCR Data Breach Portal archived database explicitly called the breach a "ransomware" attack in the Web_Description variable. This conservative approach was designed to minimize false positives and likely results in an undercount of true ransomware attacks on healthcare providers.
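The keyword rule above, written out as an added example (not the study authors' code). It reads the rule as "Malware"/"Cyberattack" AND (any payment or extortion term), which is what the exclusion sentence implies; evaluating the AND within a single source document, and the function and sample names, are assumptions.

```python
import re

# Keyword groups from the appendix rule; "extort%" is treated as a prefix wildcard.
RANSOMWARE = re.compile(r"\bransomware\b", re.I)
CONTEXT = re.compile(r"\b(malware|cyberattack)\b", re.I)
PAYMENT = re.compile(r"\b(ransom|payment demand|payment|extort\w*)\b", re.I)


def classify_breach(source_texts, web_description=""):
    """Return (is_ransomware, reason) for one breach record."""
    # HHS OCR portal text that names the breach as ransomware is sufficient.
    if RANSOMWARE.search(web_description):
        return True, "web_description"
    for text in source_texts:
        if RANSOMWARE.search(text):
            return True, "ransomware"
        # Assumption: the AND must be satisfied within a single source document.
        ctx, pay = CONTEXT.search(text), PAYMENT.search(text)
        if ctx and pay:
            return True, f"{ctx.group(1).lower()}+{pay.group(1).lower()}"
    # Malware or cyberattack with no payment/extortion reference stays negative.
    return False, "no_payment_or_extortion_reference"


# Constructed sample records (not from the THREAT database).
SAMPLES = {
    "A": (["The clinic disclosed a ransomware incident."], ""),
    "B": (["Malware was found and the attackers tried to extort the hospital."], ""),
    "C": (["A cyberattack forced systems offline for several days."], ""),
    "D": (["Unauthorized access to a network server."], "Ransomware encrypted files."),
}


def classify_samples():
    return {key: classify_breach(texts, desc) for key, (texts, desc) in SAMPLES.items()}


if __name__ == "__main__":
    for key, (flag, reason) in classify_samples().items():
        print(key, flag, reason)
```

Record C shows the conservative side of the rule: a cyberattack with no payment or extortion wording is left unclassified, which is where the undercount described above comes from.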

Process for Quantifying Characteristics of Ransomware Attacks
Beyond demonstrating the increasing frequency of ransomware attacks on healthcare providers, we also quantified the growing sophistication of those attacks. To measure changes in the characteristics of ransomware attacks, we focused on four categories: public reporting of attacks (i.e., number of individuals whose PHI was exposed, whether an attack was reported to HHS, and whether that attack was reported within the legislated 60-day window), status of encrypted/stolen data (i.e., whether data were restored from backup, whether stolen PHI was made public in whole or part), provider type affected, and operational disruptions (i.e., whether care delivery was disrupted during the ransomware

eTable 1. Data Sources and Methodology for Ransomware Attack Characteristics

Public Reporting
Individuals whose PHI was exposed, mean

For ransomware attacks with news coverage (or press release disclosure) of when disruptions ended (i.e., when electronic systems were restored), we calculated the number of days elapsed between discovery of the ransomware attack and restoration of functionality. If/when a time range was reported (e.g., two to three weeks), we conservatively chose the shortest reported duration, to avoid overestimating the duration of operational interruptions.

Type of disruption
Press releases, public disclosures, and news coverage

Operational disruptions were classified into one of three categories: (1) ambulance diversion: a hospital's decision to invoke diversion status, resulting in ambulances being re-directed to other facilities; (2) delays/cancellations in scheduled care; and (3) downtime for electronic systems involved in providing care (e.g., electronic health records, patient scheduling and communication platforms). Additional detail on specific search terms is contained in Table S2.
Since the measurement of many attack characteristics involved identifying the presence of specific words or text strings within press releases, public disclosure letters, and news coverage, we additionally list search terms relevant to each attack characteristic:

Process for Matching THREAT Attacks to the HHS OCR Breach Portal Database
The HHS OCR Breach Portal Database includes all data breaches that impacted more than 500 individuals. We searched the Breach Portal for the name of each facility in the THREAT database. If an entry matched the name, state, and rough timeline of an attack, it was considered a "match". If no corresponding report was found, we examined all reported breaches in the same state and within 60 days of the attack. If any data breaches appeared similar or were filed under names associated with the attacked facility (i.e., name of larger health system, or a "doing-business-as" (or DBA) alias) they were deemed a match. This process may have missed matches because many providers report attacks after the 60-day deadline. In addition, we searched the HHS OCR database for breach descriptions that included the word "ransomware". Any breach reports that represented ransomware attacks not present in the THREAT database were added and matched to the corresponding HHS breach report.
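The three matching passes described above, as an added example (not the study authors' code). The record field names, the 180-day reading of "rough timeline" and the sample rows are assumptions; the "appeared similar" judgement is a manual step and is not modelled.

```python
from datetime import date


def norm(name):
    # Case- and punctuation-insensitive comparison key.
    return " ".join("".join(c if c.isalnum() else " " for c in name.lower()).split())


def link(attacks, portal, rough_days=180, window_days=60):
    """Return (matches, additions); matches maps attack id -> (portal id, rule)."""
    matches, used = {}, set()
    for a in attacks:
        aliases = {norm(x) for x in a.get("aliases", [])}
        hit = None
        for r in portal:
            gap = abs((r["submitted"] - a["date"]).days)
            same_state = r["state"] == a["state"]
            # Pass 1: same name and state, dates roughly consistent (assumed 180 days).
            if same_state and norm(r["name"]) == norm(a["name"]) and gap <= rough_days:
                hit = (r["id"], "name")
                break
            # Pass 2: same state within 60 days, filed under a parent system or DBA alias.
            if hit is None and same_state and gap <= window_days and norm(r["name"]) in aliases:
                hit = (r["id"], "alias")
        if hit:
            matches[a["id"]] = hit
            used.add(hit[0])
    # Pass 3: portal rows described as ransomware that matched no THREAT attack.
    additions = [r["id"] for r in portal
                 if r["id"] not in used and "ransomware" in r["description"].lower()]
    return matches, additions


# Constructed sample rows (not real THREAT or HHS OCR records).
ATTACKS = [
    {"id": "T1", "name": "Example Valley Clinic", "state": "OH", "date": date(2020, 3, 1)},
    {"id": "T2", "name": "Northside Imaging", "state": "TX", "date": date(2021, 6, 10),
     "aliases": ["Example Health System, Inc."]},
    {"id": "T3", "name": "Lakeview Dental", "state": "FL", "date": date(2019, 1, 5)},
]
PORTAL = [
    {"id": "H1", "name": "EXAMPLE VALLEY CLINIC", "state": "OH",
     "submitted": date(2020, 4, 20), "description": "Hacking/IT incident."},
    {"id": "H2", "name": "Example Health System Inc", "state": "TX",
     "submitted": date(2021, 7, 30), "description": "Network server breach."},
    {"id": "H3", "name": "Pine Ridge Hospital", "state": "GA",
     "submitted": date(2021, 2, 2), "description": "Ransomware encrypted files."},
    {"id": "H4", "name": "Lakeview Dental", "state": "FL",
     "submitted": date(2020, 6, 1), "description": "Email phishing."},
]

if __name__ == "__main__":
    print(link(ATTACKS, PORTAL))
```

T3 stays unmatched because its only same-name report was filed well outside both windows, which is the late-reporting gap the paragraph above notes.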

Reporting of Sources for Ransomware Attacks
Without publishing the full THREAT database here (please contact the corresponding author if interested in access), we provide additional detail in Table S3 on overlap in coverage between our sources of information (i.e., HackNotice data, the HHS OCR Data Breach Portal database, and press releases/public disclosures/news coverage). Table S4 includes the count of ransomware attacks for which each source provided information. Please note that this count is not mutually exclusive; rather, the count of >1000 attack sources indicates that the vast majority of our 371 ransomware attacks had multiple sources of information.

Odds ratios (OR) are calculated from logistic regression models estimating the association between binary attack characteristic and year of attack (measured continuously). Incidence rate ratios (IRR) are calculated from negative binomial regression models estimating the association between count-variable attack characteristic and year of attack (measured continuously).

Abbreviations: PHI, personal health information; OR, odds ratio; IRR, incidence rate ratio; HHS OCR, Department of Health and Human Services' Office of Civil Rights; EHR, electronic health record.