by John R. Fischer, Senior Reporter | February 18, 2020
The ramifications of more than 170 ransomware attacks since 2016 have cost U.S. healthcare organizations an estimated combined total of more than $157 million.
That’s what researchers at online services firm Comparitech say in their new assessment, adding that a lack of transparency about when such attacks happen and the impact they have has led the group to believe that their figures “only scratch the surface” of the true costs incurred.
“I'm not sure why they don't always specify the type of ransomware,” Paul Bischoff, editor of Comparitech, told HCB News. “It could be that they do not know or don't wish to reveal details that could help future attackers. If a hospital pays a ransom, revealing that fact could make it a bigger target for future attacks … in the long-term, a lack of information leads to less intelligence that researchers, policy makers, and cybersecurity experts could use to gauge the severity and scope of ransomware.”
A total of 172 individual ransomware attacks have hit U.S. healthcare organizations since 2016, affecting 1,446 hospitals, clinics, and organizations, and 6,649,713 patients. This, however, does not take into account many breaches that affect fewer than 500 people, as such incidents are rarely disclosed to the public.
Another variable often not disclosed is the financial compensation requested by hackers, with demands ranging from $1,600 to $14 million. Hackers have made at least $640,000 since 2016 out of the $16.48 million demanded in total in 16 of 172 attacks. Like the number of attacks mentioned above, these figures only refer to cases that disclose such information, with Comparitech reporting that 21 organizations admitted that they had paid and only seven revealed how much they paid.
Relying on specialist IT news, data breach reports, and the Health Services reporting tool, the researchers determined as closely as possible the number of ransomware attacks that hit U.S. healthcare providers and applied their findings from studies on the costs of downtime to estimate a likely cost range for ransomware attacks on healthcare organizations.
California incurred the highest number of attacks, hit by 14.5 percent of attacks since 2016. Texas had the second highest, receiving the brunt of 14 attacks. Maine, Montana, New Mexico, North Dakota and Vermont were not recorded as having any.
Incurring more attacks than another region, however, does not necessarily equate to a worse impact. For instance, Michigan had the highest number of patient records at risk, with almost 1.1 million people affected by two ransomware attacks, compared to 753,000 exposed in California. The Michigan attacks, it should be noted, affected clientele of Airway Oxygen, a medical supply company, and Wolverine Solutions Group, a medical billing company, meaning that some individuals affected live in different states.