A new study led by researchers from Michigan State University, Yale University, and Johns Hopkins University has revealed that ransomware attacks are now the main driver of health care data breaches in the United States.
Over the past 15 years, these cyberattacks have exposed the personal information of 285 million patients, according to findings published in JAMA Network Open on May 14.
Ransomware is a type of cyberattack where hackers lock a victim’s digital files by encrypting them and demand a ransom to restore access.
In the health care sector, this means sensitive patient information is held hostage, forcing hospitals to delay treatments, shut down systems, and even divert patients to other facilities.
John (Xuefeng) Jiang, a professor at Michigan State University and the study’s lead author, called ransomware “the most disruptive force in health care cybersecurity.”
The study is the first comprehensive analysis of ransomware’s impact on health care breaches across hospitals, physician practices, health plans, and data clearinghouses, spanning from 2010 to 2024.
The findings show that while ransomware accounted for just 11% of all health care breaches in 2024, those attacks were responsible for 69% of all patient records compromised that year.
Over the past 15 years, ransomware has played a role in exposing 285 million patient records, and many individuals may have been affected more than once.
Researchers also discovered that ransomware breaches in health care have skyrocketed. In 2010, there were no recorded ransomware attacks.
By 2021, that number had grown to 222, representing nearly one-third of all major health care breaches that year.
The broader category of hacking-related breaches, which includes ransomware, grew from just 4% of health care breaches in 2010 to a staggering 81% in 2024. In total, 732 million patient records were exposed between 2010 and 2024, with 88% of those linked to hacking incidents.
The study’s authors, including Joseph Ross from Yale School of Medicine and Ge Bai from Johns Hopkins University, suggest that the actual number of ransomware attacks may be even higher.
They note that many health care providers hesitate to report incidents, especially when ransom payments are involved, and smaller breaches affecting fewer than 500 people are often excluded from public reporting.
Ross highlighted the vulnerability of digital health infrastructure, emphasizing that ransomware attacks not only breach privacy but also disrupt patient care, damage trust, and force medical staff to spend time and resources on recovery efforts instead of patient care.
The study builds on previous research by the team, which showed that internal mistakes—like misdirected emails or lost devices—were once the leading cause of health care data breaches.
In 2019, the researchers found that more than 70% of breaches involved sensitive demographic or financial data, such as Social Security numbers and bank account information, which could lead to identity theft or fraud. Surprisingly, breaches involving medical information, such as mental health or cancer diagnoses, were less frequent.
To reduce the risk of future attacks, the researchers recommend stronger government regulations. They suggest that hospitals and insurers should be required to report when ransomware is involved, and assessments of breach severity should also consider the impact on patient care, not just the number of records stolen.
They also propose monitoring cryptocurrency flows to make it harder for hackers to collect ransom payments.
Jiang emphasized that health care providers often have limited cybersecurity budgets, making it critical to protect the most sensitive information.
“The solutions are within reach,” he said, adding that what is needed now is better coordination, transparency, and urgency to protect patient data.
Source: Michigan State University.
