Ransomware drives US health data breaches

A new study led by researchers from Michigan State University, Yale University and Johns Hopkins University reveals that ransomware attacks—in which an attacker encrypts a victim's files and then demands a ransom to unlock them—have become the primary driver of health care data breaches in the United States, compromising 285 million patient records over 15 years.

Published May 14 in JAMA Network Open, the study provides the first comprehensive analysis of ransomware’s role in health care breaches across all entities covered by privacy laws—hospitals, physician practices, health plans and data clearinghouses—from 2010 to 2024.

“Ransomware has become the most disruptive force in health care cybersecurity,” said John (Xuefeng) Jiang, Eli Broad Endowed Professor of accounting and information systems in the MSU Broad College of Business and lead author of the study. “Hospitals have been forced to delay care, shut down systems and divert patients—all while sensitive patient data is held hostage.”

The study found that although ransomware accounted for just 11% of breaches in 2024 by number, those attacks alone were responsible for 69% of all patient records compromised that year. Since 2010, ransomware incidents have contributed to the exposure of 285 million patient records—many of which likely involve multiple breaches of the same individuals.

In addition to Jiang, the research team includes Joseph Ross, professor at the Yale School of Medicine, and Ge Bai, former doctoral student in the MSU Broad College of Business and now professor of accounting and health policy at Johns Hopkins University.

Key findings of the study include:

  • Ransomware breaches increased from 0 in 2010 to 222 in 2021, accounting for nearly one-third of all major health care breaches that year.
  • The overall share of breaches caused by hacking or information technology incidents surged from 4% in 2010 to 81% in 2024.
  • Of the 732 million total patient records exposed between 2010 and 2024, 88% (643 million records) were linked to hacking-related incidents, including 39% (285 million) specifically from ransomware.

These numbers likely underestimate the true extent of the problem due to underreporting, reluctance to disclose ransom payments and the exclusion of smaller breaches affecting fewer than 500 individuals.

“Ransomware attacks expose just how fragile our digital health infrastructure has become. Health care organizations operate under immense pressure, and ransomware attacks don’t just breach patient privacy—they disrupt service delivery, erode trust and lead to personnel spending time, effort and expense on activities that do not improve patient care,” said Ross.

This new research builds on the team’s prior work documenting the scope and causes of data breaches in the health sector. Earlier studies showed that internal errors by health care providers—not hackers—were responsible for more than half of all breaches, including misdirected emails, lost devices and unauthorized employee access.

In a 2019 study, the team was the first to classify the specific types of information leaked in health care breaches, finding that over 70% of breaches compromised sensitive demographic or financial data—such as Social Security numbers, birth dates and bank accounts—that could lead to identity theft or financial fraud. In contrast, breaches involving sensitive medical information, such as mental health or cancer diagnoses, were far less frequent.

“Whether it’s insiders making mistakes or criminal groups deploying ransomware, the effect on patients is the same: their most personal data is at risk,” said Bai. “By understanding what’s being targeted, we can help health care organizations strengthen their defenses.”

The researchers suggest several steps federal regulators can take to reduce future risks:

  • Require hospitals and insurers to report whether ransomware was involved in a breach.
  • Update breach severity assessments to reflect not just how many records were compromised, but how much care was disrupted.
  • Monitor cryptocurrency flows to make ransom payments harder for attackers to collect.

“Health care providers have limited cybersecurity resources, so it’s essential to focus protection on the most sensitive types of information,” said Jiang. “The solutions are within reach—what we need now is coordination, transparency and urgency.”

More information:
John Xuefeng Jiang et al, Ransomware Attacks and Data Breaches in US Health Care Systems, JAMA Network Open (2025). DOI: 10.1001/jamanetworkopen.2025.10180

Provided by
Michigan State University


Citation: Ransomware drives US health data breaches (2025, May 14), retrieved 14 May 2025
