US Ransomware Attacks

Ransomware attacks in the US cost the American healthcare sector over $77 billion in downtime alone between 2016 and October 2023. 

This is according to new research by Comparitech, which stated that the 539 confirmed ransomware attacks on US healthcare organisations over the last seven years have impacted over 52 million patient records across 10,000 facilities. 

Comparitech estimate the cost of these attacks to be around $77.5 billion in downtime. 

While ransomware attacks have become more commonplace post-Covid and are destructive across all industries, the impact on healthcare in particular is catastrophic as it can cripple crucial systems and withhold the most sensitive patient data unless a fee is paid. 

The ransoms recorded in the report range from $1,600 to $10,000,000 for the safe return of information. Out of the 160 cases where the medical organisations disclosed whether or not they had paid, hackers received payment in around a fifth of them (31). It's important to remember that organisations are more likely to disclose that they haven't paid than that they have.

This makes it difficult to calculate just how much money is lost in these attacks to pay ransom demands, but the cost of downtime is a lot easier to see. 

  • OrthoVirginia was attacked by Ryuk ransomware in February 2021. The attackers demanded a colossal $10 million after an attack on their systems which OrthoVirginia refused to pay. OrthoVirginia reported that it took 18 months to recover from the attack.
  • Lehigh Valley Health Network refused to pay $5 million to the ALPHV/BlackCat ransomware group after a February 2023 breach.
  • Hackers demanded an extortionate ransom of $5 million from UF Health Central Florida in June 2021. UF Health Central Florida refused to comment on whether the ransom was paid or not, but a data breach report was filed for 700,981 patients.
  • In April 2023, plastic surgeon Gary Motykie, M.D., was hit with a $2.5 million ransom demand. When this wasn't paid, the threat actor proceeded to publish data that included intimate images.

A selection of the biggest ransomware amounts demanded since 2016 in the US. Source: Comparitech

Downtime varies from minimal disruption all the way up to several months of recovery time. On average, medical organisations are down for 14 days after an attack. 

Hacking groups Conti, Maze, Hive and Pysa are among the worst offenders over the period, but LockBit has accounted for the most attacks by far this year.