Healthcare reports ransomware breaches fastest—but still too slow

New data shows that US healthcare leads all sectors in ransomware breach reporting speed, yet it still falls short of federal timelines.

What happened

New analysis from Comparitech reveals that US healthcare organizations take an average of 3.7 months to report ransomware-related data breaches, faster than any other industry. While this makes healthcare the most responsive sector in the study, the overall average across all industries in 2023 was significantly higher, at 5.1 months. Comparitech’s study looked at 2,600 ransomware attacks in the US since 2018.

Although 3.7 months is the shortest industry average, it's still well beyond HIPAA’s 60-day disclosure requirement. And in some extreme cases, the delays have spanned years.

Going deeper

One of the most delayed breach disclosures came from Ventura Orthopedics, which experienced a ransomware attack in July 2020 but didn’t send out notification letters until September 2023, 38 months later. Another example, Westend Dental, took two full years to notify victims, leading to a $350,000 penalty.

Even with such outliers, healthcare generally reports faster than other sectors. The legal industry had the slowest average reporting time at 6.4 months. Non-provider healthcare businesses reported slightly faster (3.4 months), and the utility sector was close by at 3.3 months.

State laws also played a role. States with stricter data breach notification laws saw slightly faster reporting (average 3.9 months) than those without (4.2 months). The fastest states were Montana (1.9 months), South Dakota (2.2), and Alaska (2.3). The slowest: Wyoming (7.3), D.C. (6.6), and North Dakota (6.3).

What was said

Under HIPAA, covered entities must notify HHS and affected individuals within 60 days of discovering a breach. If the number of affected individuals is unknown, organizations must still report it using an estimate (typically 500 or 501), which triggers public disclosure on the HHS breach portal.

Comparitech’s findings show that many healthcare organizations fail to meet this federal standard, risking penalties and leaving patients vulnerable. Experts stressed the need for early disclosure, even if data theft isn’t confirmed, so that affected individuals can take proactive steps to protect themselves.

FAQs

Why does faster breach reporting matter in ransomware cases?

Early reporting allows affected individuals to take immediate action to protect themselves from identity theft, fraud, and misuse of their personal data.

What happens if a healthcare provider misses the 60-day HIPAA reporting deadline?

They may face regulatory investigations, financial penalties, and public listing on the HHS breach portal, which can damage reputation and trust.

Are ransomware attacks always considered data breaches under HIPAA?

Not necessarily: a ransomware attack is a reportable breach only if protected health information (PHI) is accessed, stolen, or compromised. However, many ransomware incidents do involve data exfiltration.

What are “double extortion” tactics in ransomware attacks?

Attackers encrypt data, steal it, and threaten to leak or sell it unless a ransom is paid, increasing pressure on victims to comply.

How can organizations improve their breach response times?

By implementing clear incident response plans, training staff, automating detection systems, and ensuring legal and compliance teams are involved early in the process.
