In the past two years, a troubling number of ransomware attacks on healthcare organizations have affected more than 6.6 million people and cost systems millions of dollars.
A study by comparitech found Texas had the second-most number of healthcare ransomware attacks in 2016-2019.
During a ransomware attack, hackers break into an electronic database and hold the information hostage until an amount of money is paid.
The U.S. Department of Health Services publishes breaches that affect more than 500 people, however, comparitech found many other breaches fall under the radar, but still have the possibility of causing disruptions in service.
The study team went through several different healthcare resources and found Texas had 14 such ransomware incidents that affected 483,300 people and causing downtime costs of approximately $12.8 million – $19.6 million.
Across the United States, the study found 172 ransomware attacks that affected 1,446 hospitals, clinics and other organizations.
About three-fourths of the attacks were on hospitals or clinics.
The amount of ransom demanded ranged between $1,600 and $14 million.
While hackers have demanded more than $16 million in ransoms since 2016, only about $640,000 has been paid to hackers.
The total cost of these attacks across the country is estimated to be about $157 million.
California had the most ransomware attacks since 2016, at 25 incidents. Texas had the second-most attacks at 14.
Looking at the number of people affected by such attacks, Michigan had the most patient records at risk at 1.1 million people during two attacks.
As a percentage of the state’s population affected, Texas ranked rather low at just 1.67 percent of the population affected by a ransomware attack.
The states and territory with the highest percentage of the population affected was Michigan (11 percent), Puerto Rico (16.36 percent), Delaware (9.87 percent) and Utah (9.98 percent.)
Rather than seeing a steady increase or decrease, the number of cybercrimes against healthcare systems seems to rise and fall in these four years.
In 2016, there were 36 ransomware attacks, 53 in 2017, 31 in 2018 and then rising again to 50 in 2019.
The difference could be the development of different types of ransomware used. In the United States, cybersecurity is often left up to the individual organizations. These kinds of attacks do not seem to be going away, which could place pressure on organizations to install more measures to secure patients’ data and avoid potential lawsuits due to such breaches.
Out of the 172 attacks nationwide, the amount of money demanded by hackers was only revealed in 16 of the cases. Of the $16.48 million demanded by hackers in these cases, $14 million was demanded of one Wisconsin-based information technology provider, Virtual Care Provider, Inc. This attack affected 11 nursing homes across the country, but the ransom was not paid.
Out of all the attacks, 21 organizations said they paid the ransom but only seven revealed how much they paid. In 66 attacks, the organization said they did not pay and in 85 cases it was unclear if the ransom was paid or not.
The amount of downtime a ransomware attacks causes can range from a few hours to weeks, even causing some healthcare organizations to close permanently.
In at least two cases, healthcare providers permanently closed because of ransomware attacks.
The average downtime because of a ransomware attack is just over 16 days.
The heavy cost of ransomware attacks is not just in the ransoms paid, but also in recovering data when the ransom is not paid.
Erie County Medical Center in New York did not pay a $30,000 ransom, but then spend nearly $10 million recovering from an April 2017 attack.
NEO Urology in Ohio, was attacked in June 2019, and paid a $75,000 ransom, but suffered losses of $30,000-$50,000 per day.
Hospitals and other health providers are often seen as easy targets to hackers and the concern continues to grow about these kinds of attacks.
“As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems,” the study reports.
Texas healthcare organizations affected by ransomware attacks in the past 24 months according to U.S. Dept. of Health and Human Services:
- MHMR Tarrant County
- Fondren Orthopedic Group L.L.P.
- Life Line Screening of America, Ltd.
- Baylor Miraca Genetics Laboratories, LLC d/b/a Baylor Genetics
- PediHEalth, PLLC, dba Children’s Choice Pediatrics
- Texas Family Psychology Associates, P.C.
- Texas Children’s Hospital
- RiverKids Pediatric Home Health
- Choice Cancer Care
- Outreach Health Service
- Evergreen Psychological Services
- Corpus Christi Tots & Teens Pediatrics
- Texas Health Harris Methodist Hospital Hurst-Euless-Bedford
- Texas Health Presbyterian Hospital Dallas
- Texas Health Harris Methodist Hospital Alliance
- Texas Health Presbyterian Hospital Denton
- Texas Health Harris Methodist Hospital Azle
- Texas Health Harris Methodist Hospital Cleburne
- Texas Health Harris Methodist Hospital Southwest Fort Worth
- Texas Health Presbyterian Hospital Rockwall
- Texas Health Harris Methodist Hospital Stephenville
- Texas Health Harris Methodist Southlake
- Texas Health Arlington Memorial
- Texas Health Presbyterian Hospital Plano
- Texas Health Harris Methodist Hospital Kaufman
- Texas Health Harris Methodist Hospital Fort Worth
- Texas Health Presbyterian Hospital Allen
- South Texas Dermatopathology Laboratory
- Berry Family Services
- Wilson County Memorial Hospital District dba Connally Memorial Medical Center
- Primary Medicine of Sherman, PA/Robert J. Hernandez MD
- Community Health Choice, Inc.
- Clinical Pathology Laboratories, Inc.
- Wise Health System
- Hunt Regional Medical Center
- Memorial Hermann Health System
- Inform Diagnostics, Inc.
- City of Georgetown Fire Department
- Cerpassrx, LLC
- Sunshine Family Dentistry
- Special Health Resources for Texas, Inc.
- Memorial Hermann Health System
- University Medical Center Physicians
- Kelsey Research Foundation
- Mid-Cities Home Medical Delivery Service, LLC
- Questcare Medical Services, PLLC
- Weslaco Regional Rehabilitation Hospital
- Metrocare Services
- Rainbow Dental Care PLLC
- Texas VSI, LLC
- Oprex Surgery (Baytown), L.P. d/b/a Altus Baytown Hospital
- Dallas County Mental Health Mental Retardation Center. dba Metrocare Services
- FirstCare Health Plans
- Dr. Robert Carpenter
- Dr. Amy Woodruff
- J&J MEDICAL SERVICE NETWORK INC
- The University of Texas Health Science Center at Houston