When a ransomware attack hit a 44-bed rural hospital in Illinois in 2021, the facility spent three months running on paper but never recovered financially. The hospital closed, and for that community the nearest alternative was now miles further away, a distance that, in a cardiac emergency, is the difference between life and death.
Cyberattacks and ransomware events can be devastating for healthcare organizations. The incident in Illinois is far from an outlier; it is an example of what happens when ransomware meets a sector whose security was already stretched thin.
What the numbers actually show
Ransomware in healthcare has moved well past the point of being a data security problem. A cross-sectional study published in JAMA Network Open in May 2025, which analyzed every ransomware attack on HIPAA-covered entities from 2010 to 2024, found that ransomware surged from zero cases in 2010 to more than 30% of all healthcare data breaches by 2021. Of the 732 million patient records compromised across those 14 years, hacking and IT incidents, with ransomware as the dominant subset, accounted for 88% of all records exposed.
The financial toll matches the clinical one. According to Microsoft Threat Intelligence, 389 US healthcare institutions were hit by ransomware in a single fiscal year, with organizations losing an average of $900,000 per day in downtime alone. Of the 99 healthcare organizations that admitted paying ransoms and disclosed the amount, the average payment was $4.4 million. Ransomware attacks have surged 300% since 2015, and 67% of surveyed healthcare organizations reported experiencing an attack in the past year. Of those, 53% paid the ransom, up from 42% the year before.
For context on the human cost: a study cited in STAT News by three health economists found that in-hospital mortality rises from roughly 3 in 100 Medicare patients to 4 in 100 during a ransomware attack, estimating between 42 and 67 Medicare patient deaths attributable to ransomware attacks from 2016 to 2021. The researchers noted the true figure is likely higher when non-Medicare populations are included.
Paubox's 2025 Healthcare Email Security Report, drawing on HHS OCR data, found that ransomware attacks on healthcare have surged 264% since 2018, and that malware and ransomware remain among the most common attack vectors tracked in email-related healthcare breaches.
Read more: What is ransomware? | What is phishing? | What is Ransomware-as-a-Service?
Why healthcare keeps getting hit
Part of the answer is obvious, and part of it is counterintuitive. The obvious part: healthcare holds high-value data, runs systems that cannot afford downtime, and has historically underinvested in cybersecurity relative to other critical sectors. The counterintuitive part: the very act of prioritizing patient care creates the conditions attackers exploit.
"Because budgets are tight and providers must prioritize spending on core patient services, cybersecurity has often been underfunded, leaving healthcare organizations more vulnerable to attack," notes the CSC 2.0 report on healthcare cybersecurity, produced by the group continuing the work of the congressionally mandated Cyberspace Solarium Commission.
HIPAA has arguably made this worse in a specific way. The compliance focus on data confidentiality has directed investment toward protecting what data contains rather than ensuring systems can withstand and recover from an attack. Data integrity and availability, the properties that ransomware directly attacks, have remained secondary concerns. Organizations have privacy controls but weak resilience.
Hospital mergers compound the problem. With merger activity rising 23% over 2022 and reaching its highest level since 2020, according to Chief Healthcare Executive reporting, newly consolidated systems inherit patchwork infrastructure across multiple locations, legacy systems from predecessor organizations, and security configurations that were never designed to work together. Consolidation without investment creates a larger attack surface with the same thin security coverage.
Devices can also play a major role. Doctors Christian Dameff and Jeff Tully, Co-Directors of the University of California, San Diego Center for Healthcare Cybersecurity, point out that on average, 70% of a hospital's endpoints are not computers but medical devices, such as CT scanners, infusion pumps, and patient monitoring systems connected to networks but rarely updated or monitored with the same rigor as workstations. An attacker who moves laterally from a compromised email account to an unpatched medical device has options that no other sector provides.
How the attack actually begins
Microsoft Threat Intelligence analysis of 13 hospital systems found that 93% of malicious cyber activity observed was related to phishing campaigns and ransomware, with most activity originating from email-based threats. Jack Mott, who previously led enterprise email threat intelligence at Microsoft, is direct about what that means: "Email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks."
Attackers are not sending generic lures. Mott notes that campaigns targeting healthcare use healthcare-specific jargon, such as references to autopsy reports, patient records requests, and insurance claim notifications, to increase credibility with clinical staff who are under pressure and moving fast. The urgency that defines a healthcare work environment is the same psychological lever attackers pull.
From there, the path to ransomware deployment follows a consistent pattern. Credentials stolen through phishing, or compromised credentials used against a remote access gateway that lacked multifactor authentication, as in the Change Healthcare attack, give attackers a foothold. Network reconnaissance follows, mapping out critical systems and identifying the infrastructure that will cause maximum disruption when encrypted. Then comes deployment, often within hours of that reconnaissance completing.
"Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours," Mott explains. "They target essential infrastructure, patient records, diagnostic systems, and even billing operations to maximize the impact and pressure on healthcare organizations to pay the ransom."
The Change Healthcare breach in February 2024 illustrated how far that impact can spread. An analysis indexed in PubMed Central found that the attack compromised the protected health information of 100 million individuals, disrupted care delivery nationwide, and incurred $2.4 billion in response costs. It was a single ransomware attack on one claims and reimbursement processor, and it prevented 80% of US healthcare providers and pharmacies from verifying insurance or processing claims.
The ripple nobody expects
One of the most studied effects of healthcare ransomware is what happens at hospitals that were not attacked. A study published in JAMA Network Open on ransomware attacks against four hospitals found that the two unaffected neighboring facilities absorbed the displaced emergency volume, and the results were severe. Stroke code activations nearly doubled, from 59 to 103. Confirmed strokes rose 113.6% and cardiac arrest cases surged 81%. The survival rate for out-of-hospital cardiac arrests with favorable neurological outcomes collapsed from 40% to 4.5%. EMS arrivals at unaffected hospitals jumped 35.2%. Median waiting room time increased from 21 minutes to 31 minutes.
No ransom was demanded at those two hospitals. No system was encrypted, and yet patients died.
What the threat actor landscape looks like now
Ransomware in healthcare is no longer primarily the work of individual criminals. Microsoft Threat Intelligence tracks several organized groups with documented healthcare targeting. Lace Tempest operates under a Ransomware-as-a-Service model, enabling affiliates to deploy ransomware with minimal technical expertise. Vanilla Tempest has targeted US healthcare with INC ransomware procured through RaaS providers since at least July 2022. Nation-state actors have entered the picture too: Iranian threat actors were identified as the most active in targeting healthcare organizations in 2024, and in August 2024 the US government issued a specific warning about Lemon Sandstorm, an Iran-based group that obtains unauthorized access to US healthcare networks in order to profit from subsequent ransomware attacks carried out by apparently Russian-affiliated groups.
The RaaS model is what drives the scale. "RaaS platforms have democratized access to sophisticated ransomware tools, allowing even those with minimal technical skills to launch highly effective attacks," Mott explains. "These platforms often include a comprehensive suite of tools, encryption software, payment processing, and even customer service for negotiating ransom payments. This turnkey approach enables a wider range of threat actors to execute ransomware campaigns, leading to an uptick in the number and severity of attacks."
Where healthcare is most vulnerable
Rural hospitals face conditions that make every other vulnerability worse. A single IT generalist, someone skilled at password resets and printer problems but without specialized cybersecurity training, is often the entire security function. Business continuity plans, where they exist at all, were written for scenarios that predate modern ransomware. Backups, if they exist, may not have been tested. Margins are thin enough that a three-month disruption, as in the Illinois case, can make a closure inevitable.
"These IT generalists are used to dealing with things like, 'I can't print, I can't log in, what's my password?'" Dameff explains. "They're not cybersecurity experts. They don't have the staff, they don't have the budget, and they don't even know where to start."
According to Paubox's Rural Healthcare report, rural and small healthcare organizations face concentrated versions of every vulnerability that makes healthcare a ransomware target, including limited IT staff, older infrastructure, thin margins, and high dependence on email as the primary communication and workflow tool. These are not organizations that can absorb a $4.4 million ransom demand, or even a three-month recovery.
FAQs
Why do healthcare organizations keep paying ransoms when experts say not to?
Patient care cannot wait for a weeks-long recovery from encrypted backups. When clinical systems go down, the calculation changes from a security decision to a patient safety one. Organizations that can recover quickly from clean backups have more options. Those without reliable backups face a different math: pay and restore in days, or spend months rebuilding while patients are diverted elsewhere.
What makes email the primary entry point for ransomware in healthcare?
Healthcare relies on email more heavily than most sectors for referrals, lab results, scheduling, billing communications, and coordination between providers. That volume creates more opportunities for a malicious message to reach someone moving quickly, and it creates more scenarios where an urgent-looking email feels credible. Microsoft Threat Intelligence found that 93% of the malicious activity observed across 13 hospital systems was related to phishing and ransomware, most of it arriving by email.
How does a rural hospital protect itself with limited resources?
Priority goes to the highest-impact basics: MFA on all remote access systems, offline backups that are tested regularly, and pre-delivery email filtering that stops phishing before it reaches staff. These three controls address the most common entry points (credentials compromised via phishing, unpatched or unprotected remote access, and email-delivered malware) without requiring a large security team to maintain them.
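As an added illustration of the pre-delivery email filtering mentioned above (example code written for this page, not Paubox's product or the article's own), the Python below scores an inbound message on signals a filter can check before a clinician ever sees it: a display name borrowing the hospital's identity on an external address, an internal From that did not pass DMARC, a mismatched Reply-To, the healthcare lure vocabulary the article describes, links that lead off the hospital's domain, and macro-enabled or executable attachments. The internal domain example-hospital.org, the scoring weights and thresholds, and the three sample messages are all constructed assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hospital.org"  # hypothetical protected domain (assumption)
LURE_TERMS = ("autopsy report", "patient records request", "insurance claim",
              "urgent", "immediately", "within 24 hours")  # article's lures plus urgency cues
RISKY_EXT = (".exe", ".js", ".vbs", ".iso", ".lnk", ".docm", ".xlsm", ".htm", ".html", ".zip")

def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value or "", re.I)}

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def score_message(raw):
    """Score one raw RFC 5322 message string; returns (score, reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    from_hdr = str(msg.get("From", ""))
    from_domain, reply_domain = domain_of(from_hdr), domain_of(str(msg.get("Reply-To", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    # Display name borrows the hospital's identity while the address is external.
    if INTERNAL_DOMAIN in parseaddr(from_hdr)[0].lower() and from_domain != INTERNAL_DOMAIN:
        score += 3; reasons.append("display name spoofs internal domain")
    # Claims to come from inside but did not pass DMARC: header spoofing.
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        score += 4; reasons.append("internal sender without DMARC pass")
    # Replies are steered to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        score += 2; reasons.append("Reply-To domain differs from From")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    # Healthcare lure vocabulary in subject or body: up to three points.
    hits = [t for t in LURE_TERMS if t in text]
    if hits:
        score += min(len(hits), 3); reasons.append("lure terms: " + ", ".join(hits))
    # Links that lead off the hospital's own domain.
    hosts = [h.lower() for h in re.findall(r"https?://([^\s/]+)", body)]
    if any(h != INTERNAL_DOMAIN and not h.endswith("." + INTERNAL_DOMAIN) for h in hosts):
        score += 1; reasons.append("link to external host")
    # Attachments with extensions that commonly carry first-stage loaders.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            score += 3; reasons.append("risky attachment " + name)
    return score, reasons

def triage(raw):
    """Return (action, score, reasons); the thresholds are this example's own choice."""
    score, reasons = score_message(raw)
    return ("quarantine" if score >= 5 else "tag" if score >= 3 else "deliver"), score, reasons

# Constructed sample messages (not real traffic).
PHISH = """\
From: "example-hospital.org Records Office" <records@exmaple-hospital-portal.com>
Reply-To: claims@mail-relay-xyz.net
Subject: URGENT: patient records request - autopsy report attached
Authentication-Results: mx.example-hospital.org; spf=pass; dkim=none; dmarc=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached autopsy report immediately and confirm the insurance claim.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="autopsy_report.docm"

fake
--b1--
"""
SPOOF = """\
From: it-helpdesk@example-hospital.org
Subject: Password expires immediately
Authentication-Results: mx.example-hospital.org; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain

Re-enter your password at http://example-hospital-login.com/reset within 24 hours.
"""
LEGIT = """\
From: "Lab Results" <lab@example-hospital.org>
Subject: Lab results ready for review
Authentication-Results: mx.example-hospital.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Results for the 08:00 draw are posted in the LIS.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(name, *triage(raw))
```

The point of the design is that none of the signals requires the message to be opened by a person: authentication verdicts, header consistency and attachment type are all available at the gateway, so a one-person IT shop can enforce them without reviewing mail by hand. The lure-term list and weights are deliberately simple; in practice they would be tuned against the organization's own traffic, and the DMARC check depends on the hospital publishing a DMARC record for its domain.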
Does paying the ransom actually restore access?
Not reliably. Paying confirms to attackers that the organization is willing to pay, which increases the likelihood of future targeting. Recovery is also not guaranteed; some organizations pay and receive non-functional decryption keys, or find that data was exfiltrated and published anyway. The average admitted payment of $4.4 million does not include downtime costs, recovery costs, regulatory exposure, or reputational damage.
What is the connection between ransomware and HIPAA compliance?
A ransomware attack that encrypts or exfiltrates PHI is presumed to be a HIPAA breach unless the organization can demonstrate a low probability that the information was compromised. That triggers the Breach Notification Rule: notification to affected individuals within 60 days, notice to prominent media outlets in any state or jurisdiction where more than 500 residents are affected, and reporting to HHS OCR (within 60 days for breaches affecting 500 or more individuals, annually for smaller ones). OCR has increasingly used ransomware investigations to assess whether organizations had adequate security controls in place before the attack.
Learn more: Paubox Inbound Email Security | Paubox's 2026 Healthcare Email Security Report | Paubox Rural Healthcare Report
