Healthcare Sector Faces $5.6 Billion in Ransomware Losses, Federal Report Shows

By Admin User

Healthcare organizations reported $5.6 billion in losses from ransomware attacks in 2024, a 45 percent increase from the previous year, according to federal data released Thursday by the Department of Health and Human Services.

The report documents 387 major cybersecurity incidents affecting more than 500 individuals each, the threshold requiring federal notification under HIPAA regulations. Ransomware accounted for 68 percent of reported incidents.

Patient Impact

Cyberattacks disrupted care at 162 hospitals in 2024, forcing emergency room closures, ambulance diversions, and delays in critical procedures. More than 47 million patient records were compromised, according to HHS data.

"These attacks are no longer just data breaches—they are patient safety incidents," said Andrea Palm, HHS deputy secretary. "When hospitals cannot access medical records or imaging systems, patient lives are at risk."

Three hospitals reported patient deaths potentially linked to ransomware-related care disruptions, according to voluntary incident reports submitted to HHS. Federal investigators are reviewing those cases.

Attack Patterns

Most attacks exploited unpatched vulnerabilities in remote access systems and targeted backup infrastructure to prevent recovery. The average ransom demand reached $1.3 million, with some attackers demanding more than $10 million from large health systems.

Rural and critical access hospitals accounted for 42 percent of victims despite representing just 30 percent of U.S. hospitals. These facilities typically have smaller IT security budgets and limited technical staff.

Federal Response

HHS announced $300 million in grants to help hospitals improve cybersecurity defenses and recover from attacks. The agency also proposed new minimum cybersecurity standards for hospitals receiving Medicare and Medicaid funding.

The proposed rules would require hospitals to implement multi-factor authentication, network segmentation, and encryption within 24 months. Public comment on the proposed requirements closes February 28.

Industry groups including the American Hospital Association warned that compliance costs could burden already struggling rural hospitals. HHS officials said the rules include flexibility for small and resource-constrained facilities.
