Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021

Abstract

ImportanceAnecdotal evidence suggests that health care delivery organizations face a growing threat from ransomware attacks that are designed to disrupt care delivery and may consequently threaten patient outcomes.ObjectiveTo quantify the frequency and characteristics of ransomware attacks on health care delivery organizations.Design, Setting, and ParticipantsThis cohort study used data from the Tracking Healthcare Ransomware Events and Traits database to examine the number and characteristics of ransomware attacks on health care delivery organizations from 2016 to 2021. Logistic and negative binomial regression quantified changes over time in the characteristics of ransomware attacks that affected health care delivery organizations.Main Outcomes and MeasuresDate of ransomware attack, public reporting of ransomware attacks, personal health information (PHI) exposure, status of encrypted/stolen data following the attack, type of health care delivery organization affected, and operational disruption during the ransomware attack.ResultsFrom January 2016 to December 2021, 374 ransomware attacks on US health care delivery organizations exposed the PHI of nearly 42 million patients. From 2016 to 2021, the annual number of ransomware attacks more than doubled from 43 to 91. Almost half (166 [44.4%]) of ransomware attacks disrupted the delivery of health care, with common disruptions including electronic system downtime (156 [41.7%]), cancellations of scheduled care (38 [10.2%]), and ambulance diversion (16 [4.3%]). From 2016 to 2021, ransomware attacks on health care delivery organizations increasingly affected large organizations with multiple facilities (annual marginal effect [ME], 0.08; 95% CI, 0.05-0.10; P < .001), exposed the PHI of more patients (ME, 66 385.8; 95% CI, 3400.5-129 371.2; P = .04), were less likely to be restored from data backups (ME, −0.04; 95% CI, −0.06 to −0.01; P = .002), were more likely to exceed mandatory reporting timelines (ME, 0.06; 95% CI, 0.03-0.08; P < .001), and increasingly were associated with delays or cancellations of scheduled care (ME, 0.02; 95% CI, 0-0.05; P = .02).Conclusions and RelevanceThis cohort study of ransomware attacks documented growth in their frequency and sophistication. Ransomware attacks disrupt care delivery and jeopardize information integrity. Current monitoring/reporting efforts provide limited information and could be expanded to potentially yield a more complete view of how this growing form of cybercrime affects the delivery of health care.