Healthcare organizations are on the front lines when it comes to cyber threats. Extortion-only attacks are a growing risk that can’t be ignored. These attacks typically arrive through email, the number one entry point for healthcare data breaches. During these attacks, malicious actors threaten to expose sensitive patient data or disrupt systems unless a ransom is paid.
Email is the backbone of internal and external communication, and it’s often used to share everything from appointment reminders to lab results and even sensitive billing information. If attackers gain access, they can lock down systems, exfiltrate data, or simply threaten to release what they’ve already stolen. The mere threat of a breach can trigger regulatory investigations, lawsuits, and loss of patient trust.
According to the BMJ Health & Care Informatics study ‘Phishing in healthcare organisations: threats, mitigation and approaches’, the threat is exacerbated by the high volume of email traffic in healthcare settings, with studies showing that 2%–3% of all email and internet traffic to healthcare organizations is considered suspicious, representing hundreds of thousands of potentially dangerous communications annually.
Extortion-only attacks don’t always involve sophisticated malware; sometimes, they rely entirely on the psychological pressure of a credible threat, leveraging information from previous breaches or public sources to make their demands more convincing. Healthcare organizations are uniquely vulnerable because they hold vast amounts of valuable data and are under constant pressure to maintain operations.
Attackers know that downtime can be detrimental, making healthcare providers more likely to pay up quickly. HIPAA requires covered entities to safeguard protected health information (PHI), so even the perception of a breach can trigger mandatory reporting and fines.
According to an International Cybersecurity Law Review study analyzing cybersecurity in legislation, “One of the disadvantages brought by the rapid digitalization during the Fourth Industrial Revolution (4IR) was an increase in various cyber-attacks and offences such as cyber fraud, extortion.”
Attacks often involve a message claiming the sender has accessed sensitive information or compromised systems and will release or misuse this data unless a ransom is paid. Unlike broader cyberattacks that might involve data theft or network disruption as a primary goal, extortion-only attacks are laser-focused on coercion and psychological manipulation. The attacker might reference real data, like a password or email address from a previous breach, to make the threat more believable.
Sometimes, the message is entirely a bluff, but the fear of regulatory fines, reputational damage, and patient distress is often enough to prompt a response. These attacks are particularly problematic in healthcare, where the sensitivity of patient data and the nature of services make organizations more likely to comply with demands. The anonymity of cryptocurrency payments makes it easy for attackers to collect ransoms and disappear, while the low barrier to entry means that anyone can send a threatening email.
Healthcare organizations face many cyber threats, and email remains the most common attack vector. Phishing is one of the main strategies among them. A Security Journal study, ‘Prevention and mitigation measures against phishing emails,’ describes the true nature of phishing attacks. “A recent alert from the FBI (2021b)... highlighted an increase in ransomware attacks on educational institutions, initiated by compromising Remote Desktop Protocol (RDP) credentials or phishing emails. Over one-quarter of organizations infected with ransomware in 2020 paid the ransom; of these, 60% regained access... whereas 32% had to pay an additional ransom,” the study stated.
These emails can be generic or highly targeted (spear phishing), and they often mimic trusted contacts or familiar brands. Ransomware is another major threat, usually delivered via email attachments or links.
Once inside, ransomware can encrypt files or entire systems, with attackers demanding payment to restore access. Business Email Compromise (BEC) is a growing concern, where attackers impersonate executives or vendors to trick employees into transferring funds or revealing confidential data. Clone phishing, where a legitimate email is copied and modified with malicious content, is also on the rise.
Beyond these, healthcare organizations must watch for malware-laden attachments, credential harvesting schemes, and social engineering tactics that exploit human error. The high volume of daily email traffic, combined with the pressure of fast-paced clinical environments, makes it easy for even well-trained staff to make mistakes.
PHI is among the most valuable types of data on the black market, with a single record fetching anywhere from $10 to $1,000, depending on its completeness and the types of information included. This value is driven by the potential for identity theft, insurance fraud, and other forms of financial crime.
Beyond the monetary value of the data, healthcare organizations provide time-sensitive services, meaning that any disruption can have immediate consequences for patients. This operational pressure increases the likelihood that organizations will comply with ransom demands in order to restore services quickly.
One way in which these attacks are executed is discussed in the above-mentioned BMJ study: “Employee email addresses identifiable from publicly available scraped data were targeted to accept ‘friend requests’ from a ‘fake’ account specifically used for this study.” The attack begins with the crafting of a persuasive email, often personalized with information about the recipient to increase the credibility of the threat.
The email is sent from a spoofed or compromised address to further enhance its legitimacy and bypass basic email filters. The message contains a clear threat, such as the release of sensitive information, public embarrassment, or harm to the recipient or their associates, unless a specified demand, usually a financial payment in cryptocurrency, is met within a set timeframe. In some cases, the attacker may claim to have access to compromising data or control over the recipient’s computer, as evidenced by the inclusion of a known password or reference to specific files.
The use of fear, urgency, and authority is central to the effectiveness of these attacks, as recipients are pressured to act quickly and discreetly to avoid the threatened consequences. Unlike multi-stage attacks that involve malware deployment or data exfiltration, extortion-only attacks may rely solely on the threat itself, leveraging information obtained from previous breaches or public sources to make the threat appear credible.
The attacker typically provides instructions for payment, often specifying Bitcoin or another cryptocurrency to ensure anonymity and reduce the risk of tracing the transaction. The communication may also warn against contacting law enforcement or IT support, further isolating the victim and increasing the perceived risk of non-compliance. In some cases, the attack may be part of a broader campaign, with similar messages sent to multiple individuals within an organization to increase the chances of success.
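As an added example (not from the original article), the Python triage heuristic below scores an incoming message against the hallmarks just described: a recycled password, a cryptocurrency demand, a deadline, a threat to release data, a warning not to involve law enforcement or IT, and a sender address that fails SPF/DKIM. The sample messages, addresses and wallet string are constructed placeholders.

```python
import re
from email import message_from_string, policy

# Heuristic markers for the extortion pattern described above (recycled password,
# crypto demand, deadline, release threat, and a warning not to involve police/IT).
INDICATORS = {
    "known_password_claim": re.compile(r"\byour password\b", re.I),
    "crypto_demand": re.compile(r"\b(bitcoin|btc|monero|xmr)\b", re.I),
    "deadline": re.compile(r"\bwithin\s+\d+\s*(hours?|days?)\b", re.I),
    "release_threat": re.compile(r"\b(publish|leak|expose|release)\w*", re.I),
    "isolation": re.compile(r"\bdo not (contact|tell|inform)\b[^.]*\b(police|law enforcement|it)\b", re.I),
}

def auth_failed(msg):
    """True when Authentication-Results shows SPF or DKIM failing for the claimed sender."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\b(spf|dkim)=(fail|softfail|permerror)\b", results, re.I) is not None

def score_message(raw):
    """Return matched indicators, sender-auth status, a score and a triage verdict."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    spoof = auth_failed(msg)
    score = len(hits) + (2 if spoof else 0)  # failed sender auth weighs as much as two content hits
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return {"indicators": hits, "auth_failed": spoof, "score": score, "verdict": verdict}

# Constructed samples (hypothetical addresses and wallet string, not real data).
EXTORTION_SAMPLE = """\
From: "IT Security" <alerts@example-hospital.test>
To: nurse.jane@example-hospital.test
Authentication-Results: mx.example-hospital.test; spf=fail smtp.mailfrom=example-hospital.test; dkim=none
Subject: Your password is Winter2019!

I have had access to your workstation and copied patient files.
Pay 0.5 BTC to wallet PLACEHOLDER-WALLET within 48 hours or the records
will be published. Do not contact the police or your IT department.
"""
BENIGN_SAMPLE = """\
From: "Scheduling" <scheduling@example-hospital.test>
To: nurse.jane@example-hospital.test
Authentication-Results: mx.example-hospital.test; spf=pass smtp.mailfrom=example-hospital.test; dkim=pass
Subject: Clinic schedule for Monday

Reminder: the cardiology clinic starts at 08:00 on Monday.
Please release room 4 by noon so housekeeping can prepare it.
"""
```

The benign reminder still trips the `release_threat` marker, which is why the verdict is driven by the combination of indicators and failed sender authentication rather than any single keyword.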
Standard email services like Google Workspace or Microsoft 365 offer some security features, but they aren’t designed specifically for the unique needs of healthcare. That’s where HIPAA-compliant email solutions like Paubox come in.
These platforms are built from the ground up to meet the strict requirements of HIPAA, including encryption for every email, both in transit and at rest. With Paubox, encryption is automatic and seamless; there’s no need for portals, extra passwords, or special steps.
Ransomware is a type of malware that infects a system and encrypts files or locks users out, demanding payment (usually in cryptocurrency) to restore access.
A DDoS attack floods a network or website with excessive traffic from multiple sources, overwhelming systems and making them unavailable to legitimate users. In healthcare, DDoS attacks can disrupt access to systems, affecting patient care and operational continuity.
Insider threats occur when employees, contractors, or other trusted individuals misuse their access to healthcare systems to steal data, introduce malware, or cause disruptions.