The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

290 Hospitals Potentially Affected by Ransomware Attacks in 2022

Ransomware attacks continue to be conducted on healthcare organizations in high numbers but determining the extent to which healthcare organizations are being targeted by ransomware gangs is a challenge. Victims of ransomware attacks do not always report the incidents as involving ransomware, and ransomware gangs do not publicly disclose attacks when ransoms are paid.

The nature of the attacks conducted by ransomware gangs is also changing, with some ransomware gangs opting to conduct extortion-only attacks, where sensitive data is exfiltrated from networks and a ransom demand is issued to prevent its publication or sale, but malware is not used to encrypt files. The decision whether or not to encrypt appears to be taken on an attack-by-attack basis.

The cybersecurity firm Emsisoft tracks ransomware attacks and produces annual reports that provide insights into the extent to which ransomware is used in cyberattacks, but Emsisoft admits that it is difficult to produce reliable statistics. This year’s report shows more than 200 large organizations in the United States have been attacked in the government, education, and healthcare verticals. Attacks in the education sector have remained fairly consistent over the past 4 years with between 84 and 89 attacks conducted each year, as has the number of attacks on state and local governments – 105 in 2022 with an average of 102 attacks a year.

Compiling meaningful data on attacks on healthcare organizations has been particularly challenging: while HIPAA imposes breach reporting requirements, covered entities are not required to disclose the exact nature of an attack or release details. For this reason, and due to the volume of reports, Emsisoft did not compile data for all healthcare organizations in the 2022 report and instead focused on hospitals and multi-hospital health systems.


For the report, Emsisoft’s researchers compiled data from public breach notices, reports, dark web data leak sites, and from third-party intelligence, with its data confirming that at least 105 counties, 45 school districts, 44 universities, and 25 healthcare providers suffered ransomware attacks in 2022. The true figure is likely to be significantly higher due to the lack of detailed reporting.

Across all ransomware attacks and verticals, hackers stole data before deploying encryption in around half of the attacks, but data theft was much more common in ransomware attacks on hospitals. Out of the 24 confirmed attacks on hospitals, data theft occurred in 17 of those attacks (68%). Due to the lack of accurate data released by healthcare organizations and their business associates, it is not possible to definitively determine whether ransomware attacks have plateaued, are increasing, or are declining. What is clear is that the healthcare sector continues to be targeted and a great many patients have been affected by the attacks.

Several of the attacks were conducted on multi-hospital health systems, with 290 hospitals across the country potentially affected by the attacks. That includes the 150 hospitals operated by CommonSpirit Health, which recently confirmed that the protected health information of 623,774 patients was compromised in the attack, although CommonSpirit Health has since confirmed that only a small number of the hospitals it operates were affected.

These attacks often result in the theft of patient data, which can negatively affect patients and put them at risk of identity theft and fraud, but the most serious consequences are to patient health. Studies indicate an increase in mortality following a ransomware attack and a negative impact on patient outcomes due to delays in receiving test results, postponed appointments, and canceled surgeries. While no deaths have been attributed to ransomware attacks, patient outcomes are affected by the delays in receiving treatment. Emsisoft draws attention to one attack in which a computer system used for calculating medication doses was taken offline, which caused a 3-year-old patient to be given a massive overdose of pain medication.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
