Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Ransomware now leads all healthcare data breaches

Written by Farah Amod | May 27, 2025

A new study finds ransomware is now the leading cause of patient data breaches, exposing over 375 million health records since 2010.

 

What happened

Researchers from Michigan State University, Yale University, and Johns Hopkins University confirm what many in the healthcare sector have feared: Ransomware has become the dominant force behind healthcare data breaches. Published in JAMA Network Open, the study estimates that ransomware attacks have exposed or stolen the health data of at least 375 million individuals over the past 15 years, a number that continues to grow.

 

Going deeper

The study reveals a timeline of escalation. Though ransomware dates back to the 1980s, widespread attacks didn’t take off until around 2012. A sharp increase in healthcare-focused attacks began in 2016, followed by the rise of double extortion schemes in 2019, where hackers not only encrypted files but also threatened to release stolen data unless ransoms were paid.

By 2021, ransomware was responsible for one-third of all reported healthcare breaches. Although only 11% of breaches in 2024 were labeled as ransomware-related, these accounted for 69% of all compromised patient records. The Change Healthcare breach alone, initially believed to impact 100 million individuals, has now been updated to 190 million, bringing the study’s total to at least 375 million affected individuals across ransomware attacks.

Since 2010, hacking and IT incidents have increasingly overtaken other types of breaches. In 2010, only 4% of healthcare breaches were due to hacking. By 2017, that number had risen to 42%. Between 2010 and 2024, 88% of all affected individuals were victims of hacking-related incidents, with ransomware impacting nearly 40%.

 

What was said

“Ransomware has become the most disruptive force in health care cybersecurity,” said John (Xuefeng) Jiang, lead author of the study and Eli Broad Endowed Professor at Michigan State University. “Hospitals have been forced to delay care, shut down systems, and divert patients — all while sensitive patient data is held hostage.”

Ge Bai, professor of accounting and health policy at Johns Hopkins, stated the need for clearer reporting: “Whether it’s insiders making mistakes or criminal groups deploying ransomware, the effect on patients is the same: their most personal data is at risk.”

The researchers are calling for stronger breach disclosure requirements. They recommend that HIPAA-regulated entities be required to state explicitly whether ransomware was involved in a data breach and to report how care delivery was impacted, not just the number of affected individuals. They also suggest tracking cryptocurrency flows to disrupt ransom payments.

 

FAQs

Why is ransomware so effective against healthcare organizations?

Healthcare systems often rely on outdated infrastructure and lack strong cybersecurity defenses, making them prime targets for attackers seeking quick payouts.

 

What is double extortion in ransomware attacks?

Double extortion is when attackers both encrypt a victim's data and threaten to leak it publicly unless a ransom is paid.

 

How can healthcare providers reduce their risk of ransomware?

Providers can improve resilience by investing in modern IT systems, staff training, data backups, and endpoint detection tools.

 

Are ransomware payments traceable?

Yes, many ransomware groups demand payment in cryptocurrency, which can be tracked through blockchain analysis, though tracing to individuals is complex.

 

Is the government taking action to address healthcare ransomware?

Yes, federal agencies like HHS and CISA have issued guidance and support tools, and there are ongoing discussions about stronger breach disclosure laws.