Ransomware emerges as primary driver of healthcare data breaches

A comprehensive 15-year analysis reveals ransomware attacks have become the dominant force behind healthcare data breaches in the United States, compromising 285 million patient records and fundamentally reshaping the cybersecurity threat landscape for medical institutions.


The healthcare sector faces an unprecedented cybersecurity crisis, with ransomware attacks now representing the single most destructive force threatening patient data security across the United States. Groundbreaking research published in JAMA Network Open on 14 May 2025 has unveiled the alarming extent to which these malicious cyber intrusions have infiltrated medical institutions, fundamentally transforming the data breach landscape over the past decade and a half.

The comprehensive study, led by researchers from Michigan State University, Yale University, and Johns Hopkins University, analysed 6,468 unique data breaches affecting more than 500 patient records each, reported to the US Department of Health and Human Services Office for Civil Rights between October 2009 and October 2024. Their findings paint a stark picture of healthcare’s vulnerability to sophisticated cyber threats.

Dramatic surge in cyber-enabled breaches

The research reveals a fundamental shift in how healthcare data becomes compromised. Hacking and information technology incidents have surged from representing merely 4% of all healthcare breaches in 2010 to dominating 81% of incidents by 2024. Within this category, ransomware attacks have emerged as the most devastating subset: despite representing only 11% of total breaches in 2024, these attacks were responsible for an extraordinary 69% of all patient records compromised that year.

“Ransomware has become the most disruptive force in health care cybersecurity,” said John (Xuefeng) Jiang, Eli Broad Endowed Professor of accounting and information systems in the MSU Broad College of Business and lead author of the study. “Hospitals have been forced to delay care, shut down systems and divert patients – all while sensitive patient data is held hostage.”

The scale of data exposure is staggering. Of the 732 million total patient records exposed between 2010 and 2024, an overwhelming 88% (643 million records) were linked to hacking-related incidents, with 39% (285 million) specifically attributable to ransomware attacks. These figures likely represent conservative estimates, as the researchers acknowledge potential underreporting due to reluctance to disclose ransom payments and the exclusion of smaller breaches affecting fewer than 500 individuals.

Evolution of the threat landscape

The temporal analysis reveals ransomware’s meteoric rise as a healthcare threat. Starting from zero documented cases in 2010, ransomware incidents escalated dramatically to peak at 222 attacks in 2021, representing nearly one-third of all major healthcare breaches that year. Whilst the absolute number of ransomware incidents decreased to 61 in 2024, their impact per incident has intensified significantly, with each attack affecting substantially more patient records.

The research team, including Joseph Ross, professor at the Yale School of Medicine, and Ge Bai, professor of accounting and health policy at Johns Hopkins University, emphasised the multifaceted impact of these attacks. “Ransomware attacks expose just how fragile our digital health infrastructure has become. Healthcare organisations operate under immense pressure, and ransomware attacks don’t just breach patient privacy – they disrupt service delivery, erode trust and lead to personnel spending time, effort and expense on activities that do not improve patient care,” said Ross.

Operational disruption beyond data theft

The study’s methodology involved meticulous analysis of breach descriptions to identify specific ransomware indicators, including ransom demands, cryptocurrency payments, system encryption, and involvement of known ransomware groups such as LockBit and BlackCat. This approach revealed that ransomware attacks represent a uniquely destructive category of cyber incident, combining data theft with operational paralysis.

The authors acknowledge a critical limitation in current breach assessment methodologies, noting in their discussion that measuring breach impact solely by the number of patient records affected may not fully reflect ransomware’s operational disruptions. This observation highlights the need for enhanced metrics that capture the full spectrum of ransomware’s impact on healthcare delivery.
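The indicator-based identification described in this section can be sketched as a small classifier over free-text breach descriptions. This is an added example, not the study's code: the four indicator categories come from the article, while the regex patterns, function names and sample records are constructed assumptions.

```python
import re

# Indicator categories come from the article; the patterns are illustrative
# assumptions, not the study's actual coding rules.
INDICATORS = {
    "ransom_demand": re.compile(r"\bransom(?:ware)?\b", re.I),
    "crypto_payment": re.compile(r"\b(?:bitcoin|cryptocurrency)\b", re.I),
    # Require an attacked object so that "unencrypted laptop" (a missing
    # safeguard, not an attack) is not counted as system encryption.
    "system_encryption": re.compile(
        r"\bencrypted (?:files|systems|servers)\b"
        r"|\b(?:files|systems|servers) (?:were|was) encrypted\b", re.I),
    "known_group": re.compile(r"\b(?:lockbit|blackcat)\b", re.I),
}

# Constructed sample records: (free-text description, patient records affected).
SAMPLE_BREACHES = [
    ("Unauthorized actor encrypted files on the network and demanded a ransom.",
     900_000),
    ("An unencrypted laptop containing patient data was stolen from a vehicle.",
     1_200),
    ("Phishing email led to unauthorized access to one employee mailbox.",
     3_500),
    ("Misdirected mailing disclosed billing statements.", 800),
    ("Servers were encrypted; a group identifying as LockBit requested "
     "payment in Bitcoin.", 450_000),
]

def match_indicators(description):
    """Return the sorted names of indicator categories found in the text."""
    return sorted(n for n, p in INDICATORS.items() if p.search(description))

def summarise(breaches):
    """Compare ransomware's share of incidents with its share of records."""
    flagged = [(d, n) for d, n in breaches if match_indicators(d)]
    total_records = sum(n for _, n in breaches)
    return {
        "breach_share": len(flagged) / len(breaches),
        "record_share": sum(n for _, n in flagged) / total_records,
    }

if __name__ == "__main__":
    for desc, n in SAMPLE_BREACHES:
        print(match_indicators(desc) or ["none"], n)
    print(summarise(SAMPLE_BREACHES))
```

Reporting both shares side by side shows the pattern the study describes, where a minority of incidents accounts for most of the exposed records.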

Vulnerability of healthcare infrastructure

Healthcare organisations face particular vulnerability to ransomware attacks due to several converging factors. The researchers identified limited cybersecurity resources and the urgent need for system recovery to maintain patient care as key vulnerabilities that make medical institutions attractive targets for cybercriminals.

The February 2024 attack on Change Healthcare exemplifies this vulnerability, compromising the protected health information of 100 million individuals, disrupting care delivery nationwide, and incurring $2.4 billion in response costs. This incident alone demonstrates how a single successful attack can cascade through the entire healthcare ecosystem.

Regulatory and policy implications

Building on their previous research documenting healthcare data breach patterns, the team proposes several strategic interventions to mitigate future risks. Their recommendations include requiring hospitals and insurers to specifically report ransomware involvement in breaches, updating breach severity assessments to reflect operational disruption alongside record compromise, and monitoring cryptocurrency flows to disrupt ransom payment mechanisms.

“Health care providers have limited cybersecurity resources, so it’s essential to focus protection on the most sensitive types of information,” said Jiang. “The solutions are within reach – what we need now is coordination, transparency and urgency.”

The research team’s previous work revealed that over 70% of breaches compromised sensitive demographic or financial data, including Social Security numbers, birthdates, and bank accounts, creating substantial identity theft and financial fraud risks for affected patients.

Future directions for healthcare cybersecurity

The study’s findings underscore the urgent need for comprehensive cybersecurity reform across healthcare systems. As Bai noted: “Whether it’s insiders making mistakes or criminal groups deploying ransomware, the effect on patients is the same: their most personal data is at risk. By understanding what’s being targeted, we can help healthcare organisations strengthen their defences.”

The research reveals that traditional breach categories – theft, unauthorised access, and improper disposal – have steadily declined as cyber-enabled attacks have proliferated, suggesting a fundamental evolution in the threat landscape that requires correspondingly sophisticated defensive strategies.

This landmark study provides the first comprehensive analysis of ransomware’s role in healthcare breaches across all HIPAA-covered entities, establishing a crucial baseline for understanding and addressing one of healthcare’s most pressing contemporary challenges.

Reference

Jiang, J. X., Ross, J. S., & Bai, G. (2025). Ransomware attacks and data breaches in US health care systems. JAMA Network Open, 8(5), e2510180. https://doi.org/10.1001/jamanetworkopen.2025.10180