The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021

Posted By on Mar 24, 2022

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released its 2021 Internet Crime Report, which reveals there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021.

14 of the 16 critical infrastructure sectors reported at least one ransomware attack, although the healthcare and public health sector was the worst affected, accounting for 148 of those attacks, followed by financial services with 89 attacks, and the information technology sector with 74.

The Conti ransomware gang was the most active in 2021 with 87 reported attacks on critical infrastructure organizations, followed LockBit ransomware (58), and the now-disbanded REvil/Sodinokibi ransomware operation (51). The Conti gang favored targets in critical manufacturing, commercial facilities, and the food and agriculture sectors, LockBit most frequently attacked healthcare and public health, government facilities, and financial services, and REvil targeted healthcare and public health, financial services, and the information technology sectors.

Ransomware gangs use a variety of methods to gain access to victim networks; however, the most common attack vectors in 2021 were phishing emails, Remote Desktop Protocol (RDP) exploitation, and the exploitation of software vulnerabilities. While 2021 saw several major ransomware operations shut down, others have taken their place. IC3 anticipates 2022 will see an increase in ransomware attacks on critical infrastructure.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

IC3 said there was an unprecedented increase in cyberattacks and malicious cyber activity in 2021 targeting a wide range of business sectors and individuals. A record number of complaints were submitted to IC3 by the American public in 2021, increasing by 7% from 2020 to 847,376 complaints. Across those complaints there were reported losses of more than $6.9 billion – a 64.29% increase from the $4.2 billion in losses reported in 2020.

Losses to Cybercrime over the Past 5 Years. Source IC3

Phishing – including vishing, smishing, and harming – was the most prevalent type of cybercrime in 2021, with 323,972 complaints about phishing incidents reported to IC3 in 2021, up 34% from 2020. Nonpayment/non-delivery crimes were the second most reported incidents, which claimed 82,478 victims.

19,954 complaints were received about business email compromise (BEC)/email account compromise (EAC) scams in 2021, which ranked top for victim losses with adjusted losses of almost $2.4 billion in 2021 – a 28% increase from 2020. IC3 said BEC attacks have become much more sophisticated. While they used to involve compromised email accounts that were used to request W2 forms or fraudulent wire transfers, scammers have exploited the increased reliance on telework and virtual communications platforms.

A compromised email account of an employer or financial director is often used to request employees participate in virtual meeting platforms. “In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a “deep fake” audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly,” explained IC3.

More than $44 million was lost to phishing scams in 2021, and the 3,729 reported ransomware attacks involved losses of at least $49 million. Losses to ransomware are difficult to determine. The $49 million does not include associated costs such as remediation, only reported ransom payments, and ransom payments are not always reported to IC3.

IC3 reported on the successes of its Recovery Asset Team (RAT) in freezing funds for victims of cybercrime. “In 2021, the IC3’s RAT initiated the Financial Fraud Kill Chain on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist