The human impact of cyberattacks

An Internal Meta-Analysis on Cyberattacks, Psychological Distress, and Military Escalation overturns “a widely accepted view that cyberattacks are a mere irritant at best and a threat to information security at worst.”

The study argues that “assessing cyber-threats through the prism of physical destruction has obscured the human dimension of the threat.”

Instead, the findings suggest that cyberattacks can cause serious psychological harm. In some cases, this harm can help determine whether an attack is severe enough to count as an armed attack under international law.

Cyberattacks are typically evaluated based on visible outcomes such as downtime, data loss, or ransom payments. However, these metrics don’t encapsulate the emotional and psychological consequences the victims face.

For example, “even seemingly inconsequential cyberattacks can levy tremendous damage by traumatizing civilians, undermining societal cohesion, and exacerbating cycles of violence.”

In healthcare, this can result in patients losing confidence in their providers, staff feeling overwhelmed, and institutions struggling to maintain trust.

Psychological distress in this context includes acute anxiety, heightened threat perception, and prolonged emotional strain. These reactions also influence decision-making, health behaviors, and trust in medical systems.

Read also: How HIPAA compliance improves patient trust

Vulnerability in healthcare systems

Healthcare organizations are major targets for cyberattacks since they rely on digital systems to handle patients’ protected health information (PHI). Digital systems, like electronic health records, diagnostic tools, and communication platforms, are often interconnected. Therefore, a vulnerability in one system could affect multiple parts of the system at once.

In addition, healthcare systems operate under time-sensitive conditions where delays can directly affect patient care. In the event of a ransomware attack, this makes healthcare organizations more likely to pay ransoms to restore their systems.

Healthcare data is also valuable as patient records contain personal identifiers, medical histories, and financial information, making them attractive for theft and misuse. Simultaneously, many healthcare institutions face resource constraints, legacy systems, and limited cybersecurity capacity compared to other sectors.

Psychological distress in healthcare settings

The meta-analysis describes psychological distress associated with cyberattacks as “acute psychological distress,” which includes “visceral anxiety, enduring anger, and heightened threat perception.”

In doing so, it deliberately excludes “transient or minor emotional responses such as unease or discomfort,” stressing that true psychological distress involves stronger, more persistent negative emotions.

In healthcare, this distress can affect multiple groups:

Patients

Patients may fear that their personal health data has been exposed or misused, making them reluctant to share accurate information with providers. In turn, this reluctance can lead to missing or incorrect details in their medical history. As a result, clinicians may misinterpret symptoms, overlook important conditions, or order inappropriate tests. It could also delay diagnosis, reduce the treatment efficacy, and in some cases lead to suboptimal care decisions.

Healthcare workers

Doctors, nurses, and administrative staff may experience stress when systems are compromised. When access to electronic health records is interrupted, they may not have the information they need to make accurate clinical decisions, again affecting patient care.

The disruption could also force nurses to rely on manual processes, increasing fatigue, cognitive load, and the risk of possible mistakes.

Institutions

According to the Computer Fraud & Security Journal, businesses affected by a cyberattack may face reputational damage, reduced public trust, and operational uncertainty following an attack.

When patients lose confidence in an institution’s ability to protect PHI and maintain reliable services, they may choose to receive from alternative providers, leading to loss of patients and reduced continuity of care.

Furthermore, operational uncertainty can drive a patient’s decision to move to other providers where they will receive more consistent care.

Why cyberattacks cause psychological distress

1. Complexity and uncertainty

Cyber systems are often poorly understood by the general public. Therefore, the “uncertainty of cyberspace likely means that emotions such as anxiety and fear are likely to drive public responses.”

2. Visibility of the threat

Cyberattacks in healthcare are often difficult to immediately identify, which can increase uncertainty among patients and staff. Since the attack is intangible, the source and extent of a cyberattack are not always clear, making it harder to assess risk, respond quickly, and restore confidence in the system.

3. Attribution ambiguity

As described in the meta-analysis, cyberspace introduces “attributional ambiguity,” which intensifies emotional responses. It is often difficult to identify who is responsible for a cyberattack, which could make such threats feel unpredictable and ongoing.

These factors contribute to vulnerability, as individuals and institutions may not know where the threat is coming from or whether it could happen again.

4. Psychological harm and indirect exposure

The meta-analysis concludes that “cyberattacks can cause high levels of psychological harm—equal even to that caused by conventional political violence and terrorism.” This reframes cyberattacks as technical disruptions that have severe human consequences.

Another insight is that the psychological effects also affect individuals indirectly exposed, like patients hearing about a hospital breach in the news, who may experience anxiety and reduced trust in healthcare systems.

Distress and trust in healthcare systems

Patients must trust that their providers will protect their information and deliver safe care. Cyberattacks can damage this trust, leading to fears of data misuse or identity theft, concerns about system reliability, and doubts about an institution’s preparedness to handle threats.

The meta-analysis also indicates that cyber incidents can lead to “a steep decline in public confidence in their governments’ ability to defend them against harm.”

For example, the ransomware attack on the UK’s National Health Service (NHS) in the WannaCry cyberattack disrupted hospital systems and led to cancelled appointments and restricted access to patient records. The incident raised public concern about the security and reliability of national healthcare systems, contributing to reduced confidence in the ability of public institutions to protect PHI and provide consistent care.

Societal impact

Psychological distress associated with cyberattacks can scale to societal levels. The research notes that such distress can “undermine societal cohesion, and exacerbate cycles of violence.”

In healthcare contexts, this may be reflected in increased public demand for stronger cybersecurity regulations, security, and better scrutiny of healthcare providers. It can also lead to political pressure on governments to respond more aggressively to cyber incidents and strengthen national defenses.

Psychological distress and cycles of escalation

Cyberattacks can also contribute to cycles of escalation. When individuals experience distress, they may support more aggressive responses, including stricter regulations, increased surveillance, or even retaliatory actions at the state level.

For example, in 2024, the Change Healthcare cyberattack caused public concern and disruption across the U.S. healthcare system, affecting billing and prescription services. In response, regulators such as the U.S. Department of Health and Human Services (through its Office for Civil Rights) increased enforcement of HIPAA requirements.

Mitigating psychological distress in healthcare cybersecurity

Organizations must consider the psychological impact of incidents and incorporate strategies that reduce anxiety and maintain trust. More specifically, they must have effective incident response protocols and offer staff training to manage technical and emotional responses.

Healthcare organizations must also improve their cybersecurity infrastructure to prevent future data breaches and maintain transparent communication during and after incidents.

Using HIPAA compliant email to protect trust

Organizations must use a HIPAA compliant email solution, like Paubox, to uphold federal regulations and reinforce institutional credibility. These solutions use advanced security measures to safeguard patients’ PHI during transmission and at rest, mitigating the risk of potential data breaches.

When patients know their communications are secure, it can reduce fear and uncertainty surrounding digital communications with healthcare providers. Overall, it contributes to better data protection, improving trust and emotional well-being.

Learn more: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

Why has the healthcare sector become more vulnerable to cyberattacks?

The sector heavily relies on digitization, usage of electronic health records, interconnected systems, and networked medical devices, expanding the number of potential entry points for attackers.

Are healthcare providers required to report cyber breaches?

Yes. Under HIPAA, covered entities must notify affected individuals, the U.S. Department of Health and Human Services, and, in some cases, the media when unsecured protected health information (PHI) is breached.

Notifications must generally be made without unreasonable delay and no later than 60 days after discovery. The notice should describe what happened, the type of information involved, steps individuals should take to protect themselves, what the organization is doing in response, and how to contact the provider for more information.

Read also: Suspect a HIPAA violation? Here's what to do

What is a HIPAA breach?

A HIPAA breach is an unauthorized use or disclosure of PHI that compromises its privacy or security. This includes situations where PHI is accessed, viewed, or acquired without permission, unless a risk assessment determines there is a low probability that the information has been compromised. Examples can include cyberattacks, unauthorized employee access, or accidental disclosure of patient data.