
Ex-FBI cyber chief pushes homicide charges for ransomware-linked deaths


A former FBI cyber division leader told a House subcommittee that ransomware attacks on hospitals have killed hundreds of patients and that existing homicide law already provides a path to charging the perpetrators.

 

What happened

Cynthia Kaiser, former deputy assistant director of the FBI's cyber division, testified before a US House of Representatives subcommittee on April 21, 2026, urging federal prosecutors to pursue felony murder charges against ransomware operators whose attacks on healthcare facilities result in patient deaths. According to The Register, Kaiser cited a University of Minnesota study documenting at least 47 deaths attributable to hospital ransomware attacks between 2016 and 2021, and estimated the current death toll is "almost certainly in the hundreds today." Kaiser also called on the State, Justice, and Treasury departments to assess terrorism designations for ransomware actors who knowingly and repeatedly target hospitals, and urged Congress to fully fund and reauthorize the State and Local Cybersecurity Grant Program.

 

Going deeper

Kaiser's homicide argument rests on the felony murder doctrine, which does not require that a defendant directly cause a death, only that they commit a dangerous felony from which a death results. Her testimony identified three existing legal authorities she urged the federal government to deploy against healthcare ransomware operators without requiring new legislation. Separately, Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology, warned lawmakers that CISA's Pre-Ransomware Notification program has effectively ceased to operate following the departure of David Stern, the single employee who ran it. Stern sent pre-ransomware notifications to more than 4,300 organizations between late 2022 and late 2025, giving targeted organizations a warning of imminent attacks and working with them to mitigate the risk before ransomware was deployed. The program is estimated to have prevented approximately $9 billion in economic losses over that period. CISA lost close to 1,000 staff members and significant funding in early 2026, and the Trump administration's 2027 budget proposal would cut an additional $707 million from the agency.

 

What was said

Kaiser told lawmakers in written testimony shared with The Register that "the gap between the severity of these crimes and the consequences that follow needs to close," and that "felony murder law does not require that a defendant pull the trigger, only that they commit a dangerous felony that results in death." She added that cutting state and local cybersecurity funding "would be a gift to ransomware criminals." Representative James Walkinshaw (D-VA) stated that "ransomware is occurring today because this administration drove out the expert, the federal employee, who was helping to prevent it to the tune of $9 billion. We are shooting ourselves in the foot." Stifel described the Pre-Ransomware Notification program as "a really critical program that currently is not operating."

 

In the know

The hearing came as the administration's approach to federal cybersecurity staffing drew direct criticism from multiple witnesses. Stifel told lawmakers that while the national security threat posed by ransomware had decreased since the Ransomware Task Force launched in 2021, cuts to the federal workforce and funding have created "material setbacks" in implementing the task force's recommendations for the first time since its founding. The Cybersecurity Information Sharing Act of 2015, which underpins federal and private sector threat intelligence sharing, is set to expire again on September 30, 2026, and Stifel called on Congress to pass a long-term or permanent reauthorization before that deadline.

 

The big picture

Kaiser's testimony draws a direct legal line between ransomware attacks on hospitals and patient deaths, a connection that healthcare IT and compliance leaders have tracked in operational terms for years. According to Paubox's 2026 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged 264 percent since 2018, and the FBI's 2025 Internet Crime Report named healthcare the most targeted critical infrastructure sector for the second consecutive year. The shutdown of CISA's Pre-Ransomware Notification program removes one of the few mechanisms that gave healthcare organizations a warning before an attack was completed, shifting the entire burden of early detection back to individual organizations without the federal visibility that made the program effective.

 

FAQs

What is the felony murder doctrine, and how would it apply to ransomware operators?

Felony murder holds that a person who commits a dangerous felony is legally responsible for any death that results, even without intent to kill. Applied to ransomware, it would mean that operators who encrypt hospital systems, causing equipment failures or care delays that result in patient deaths, could face homicide charges under existing law without prosecutors needing to prove deliberate intent to kill.

 

What did CISA's Pre-Ransomware Notification program do?

The program received early warning signals from industry partners about imminent ransomware threats and contacted organizations that were either already compromised or known to be targeted, giving them time to take protective action before ransomware was deployed. One employee ran the program and sent notifications to more than 4,300 organizations over three years.

 

What happens to healthcare organizations now that the program is not operating?

Organizations that previously received warnings through the program no longer have that federal early-warning channel. Detection now depends entirely on the organization's own monitoring capabilities and whatever threat intelligence their security vendors provide, without the benefit of CISA's visibility across the broader threat landscape.

 

What is the Cybersecurity Information Sharing Act, and why does its expiration matter?

The 2015 act created legal protections for private sector organizations that share threat intelligence with federal agencies and with each other. Without reauthorization, those legal protections lapse, reducing the incentive for organizations to share indicators of compromise and attack patterns that help the broader sector defend against ransomware.

 

What is a terrorism designation, and what effect would it have on ransomware groups?

A terrorism designation by the State Department triggers asset freezes, travel bans, and criminal penalties for anyone who provides material support to the designated group. Applied to ransomware operators, it would make ransom payments legally complicated for victims, expand the range of charges prosecutors can bring, and enable sanctions-based financial pressure against operators and their infrastructure.
