Editor's Note
Between 2018 and 2024, ransomware attacks on US healthcare organizations compromised nearly 89 million patient records and resulted in downtime costing an estimated total of $21.9 billion, according to a December 18 report from Comparitech.
The report tallies 654 total ransomware incidents during this period targeting hospitals, clinics, and other patient-facing entities. The financial impact of downtime averaged $1.9 million per day per organization, with recovery periods lasting over 17 days on average.
The frequency of attacks has escalated sharply, peaking in 2023 with 143 incidents—the highest recorded—compared to 84 in 2022. The number of compromised patient records also spiked, Comparitech reports, with over 26 million breached in 2023, surpassing the 22.7 million breached in 2021. Despite slightly fewer attacks reported in 2024 (118 so far), the trend suggests a continued high risk for healthcare providers.
Key examples include the 2024 attack on Ascension, which disrupted services across its 140 hospitals and resulted in projected costs between $1.1 and $1.6 billion. Similarly, CommonSpirit Health experienced a $160 million loss following a 2022 attack that disabled electronic health records for over a month. Other costly incidents include Scripps Health in 2021 ($112.7 million) and Universal Health Services in 2020 ($67 million).
Hackers’ ransom demands ranged from $4,000 to $10 million, with average demands increasing significantly over time. In 2024, the average ransom was $1.06 million, down slightly from $1.24 million in 2023 but still far higher than earlier years. Not all demands were met, but recovery costs remained substantial due to operational downtime, delayed patient care, and data restoration expenses.
The full report offers additional context on all these findings, as well as information on the location of the attacks, the nature of the attackers, and more.