A study by JAMA Network found that between 2016 and 2021, there were 374 ransomware attacks against hospitals, clinics, and healthcare delivery companies in the US.
These attacks exposed the personal health information (PHI) of 42 million Americans, with the number of people affected per year increasing 11x, from 1.3 million in 2016 to over 16.5 million in 2021. The annual number of ransomware attacks also rose from 43 to 91 during this period.
Of the 374 attacks, 22.5% lacked details on PHI exposure because they were not included in the Health and Human Services Office for Civil Rights (HHS OCR) database.
Additionally, 54.3% of the attacks were reported outside of the legislative reporting window of 60 days after the attack, and 15.8% of attacks had evidence that the threat actors had made some or all of the stolen PHI public on the dark web.
Approximately 53% of all ransomware attacks impacted multiple facilities within the victim healthcare organizations, leading to operational disruptions such as ambulance diversions, canceled surgeries and appointments, and electronic system downtime.
The study emphasized the importance of implementing strong cybersecurity measures to protect sensitive data and patients from abuse by threat actors.