TL;DR: Healthcare is the most targeted industry for ransomware, with attack frequency up over 300% since 2020. The Change Healthcare breach exposed 100 million records and caused $22 billion in damages. Ascension Health, CommonSpirit, and dozens of regional hospital systems have been hit in the past two years alone. The crisis is not just financial — ransomware is now a patient safety issue, with measurable increases in mortality during attack periods. The industry's combination of legacy systems, flat networks, massive vendor ecosystems, and chronically underfunded security teams makes it uniquely vulnerable. Here is what happened, why it keeps happening, and what must change.
The Scale of the Crisis
Healthcare ransomware is no longer an occasional headline — it is a sustained campaign against an industry that cannot afford downtime. In 2025 alone, over 300 healthcare organizations disclosed ransomware incidents in the United States. The average ransom demand exceeded $4 million. The average recovery time was 23 days. And the average total cost — including ransom, recovery, legal fees, regulatory fines, and lost revenue — exceeded $11 million per incident.
The targeting is deliberate. Ransomware operators know that hospitals will pay. When the alternative is diverting ambulances, cancelling surgeries, and reverting to paper records in a modern healthcare system designed entirely around electronic workflows, the calculus is straightforward. Healthcare organizations pay ransoms at a higher rate than any other industry — and attackers have noticed.
The attack surface is expanding, not shrinking. Telehealth adoption, IoT medical devices, cloud migration, and the growing dependence on third-party healthcare technology vendors have all increased the number of entry points. Every connected infusion pump, every cloud-hosted EHR, and every vendor VPN connection is a potential attack vector.
Case Studies: What Went Wrong
Change Healthcare / UnitedHealth Group (February 2024)
The ALPHV/BlackCat ransomware group compromised Change Healthcare — the largest healthcare payment processor in the United States, handling approximately one-third of all US healthcare claims. The attack disrupted claims processing nationwide. Pharmacies could not process prescriptions through insurance. Providers could not submit claims or receive payments. Small practices and rural hospitals, operating on thin margins, faced cash flow crises within days.
Over 100 million patient records were exposed — the largest healthcare data breach in US history. UnitedHealth Group paid a reported $22 million ransom, and total costs exceeded $22 billion including recovery, business disruption, and the cascading impact across the healthcare system. The root cause was reported to be compromised credentials on a Citrix remote access portal that did not have multi-factor authentication enabled.
Ascension Health (May 2024)
Ascension, one of the largest nonprofit health systems in the US with 140 hospitals across 19 states, was hit by the Black Basta ransomware group. The attack forced clinicians across the entire system to revert to paper records. Electronic health records, laboratory systems, pharmacy operations, and medical imaging were all disrupted. Ambulances were diverted. Elective procedures were cancelled system-wide. The attack demonstrated that even the largest, best-resourced health systems are not immune — and that the blast radius of a single ransomware event can span an entire national health system.
CommonSpirit Health (October 2022)
CommonSpirit Health, with 140 hospitals and over 1,000 care sites across 21 states, experienced a ransomware attack that disrupted operations for weeks. The financial impact exceeded $160 million in direct costs. Patient care was disrupted across multiple states, with delayed imaging, cancelled appointments, and forced use of backup paper processes. The incident exposed the fragility of centralized IT infrastructure in large health systems — a single compromise cascading across hundreds of care sites.
Why Healthcare Is Uniquely Vulnerable
Legacy Systems and Medical Devices
Healthcare runs on technology that would be considered unacceptable in any other industry. Medical devices — MRI machines, CT scanners, infusion pumps, patient monitors — frequently run Windows XP, Windows 7, or embedded operating systems that have not received security patches in years. These devices cost millions of dollars and have 15-20 year lifecycles. They cannot be patched without FDA recertification in some cases. They cannot be replaced on security grounds alone when the capital budget is committed for the next decade.
The result is networks with hundreds of unpatched, unmonitorable devices connected to the same infrastructure as electronic health records, billing systems, and administrative workstations. A single compromised workstation on a flat network has a direct path to every medical device, every patient record, and every operational system.
Flat Network Architecture
Network segmentation in healthcare is the exception, not the rule. Medical devices, clinical workstations, administrative systems, and guest Wi-Fi frequently share the same network segments. Biomedical engineering teams resist segmentation because medical devices require network connectivity to function, and segmentation introduces complexity that can disrupt patient care workflows. The result is that compromise of any single system provides lateral movement access to the entire hospital network.
Third-Party Vendor Ecosystems
A typical hospital has 50-100 third-party technology vendors with some level of network access — EHR vendors, medical device manufacturers, billing processors, lab information systems, telehealth platforms, and IT managed service providers. Each vendor connection is a trust boundary. The Change Healthcare breach demonstrated that compromise of a single vendor can cascade across the entire healthcare system. Vendor risk management in healthcare is often limited to annual questionnaires that do not reflect actual security posture.
Understaffed Security Teams
Healthcare security budgets are a fraction of what financial services, technology, or government organizations spend. Many regional hospitals have zero dedicated security staff — IT generalists handle security alongside helpdesk tickets, network maintenance, and EHR support. The organizations most likely to be targeted by ransomware are the least equipped to defend against it.
The Patient Safety Dimension
Ransomware in healthcare is not just a technology problem or a financial problem — it is a patient safety crisis. Research published in JAMA Internal Medicine and other peer-reviewed journals has documented measurable increases in patient mortality during and after ransomware attacks on hospitals:
- Emergency department diversions: When a hospital's systems go down, ambulances are diverted to other facilities. Increased transport times for stroke, heart attack, and trauma patients directly impact outcomes. Neighboring hospitals, suddenly receiving diverted patients, face capacity strain that degrades care for all patients.
- Medication errors: Without electronic health records, clinicians lose access to medication histories, allergy information, drug interaction checking, and dosing calculators. Paper-based workarounds increase the risk of prescribing errors, dosing errors, and adverse drug interactions.
- Delayed diagnostics: Laboratory results, imaging studies, and pathology reports cannot be transmitted electronically. Results are communicated by phone, fax, or physical transport — introducing delays that impact time-sensitive diagnoses.
- Surgical cancellations: Operating rooms depend on electronic systems for scheduling, surgical planning, anesthesia records, and device integration. Ransomware-driven cancellations delay care for patients with time-sensitive conditions.
Major Healthcare Breaches: 2023-2026
| Organization | Date | Attack Vector | Records Affected | Financial Impact |
|---|---|---|---|---|
| Change Healthcare | Feb 2024 | Compromised Citrix credentials (no MFA) | 100M+ | $22B+ (total system impact) |
| Ascension Health | May 2024 | Black Basta ransomware | 5.6M | $1.8B+ (estimated) |
| CommonSpirit Health | Oct 2022 | Ransomware (initial vector undisclosed) | 623K | $160M+ |
| HCA Healthcare | Jul 2023 | Third-party storage compromise | 11M | Undisclosed (class action pending) |
| Prospect Medical | Aug 2023 | Rhysida ransomware | 1.3M+ | $100M+ (estimated) |
| NHS (UK) | Jun 2024 | Synnovis lab provider compromise | 300K+ | 10,000+ delayed procedures |
Medical Device Security: The Unaddressed Risk
Medical devices represent the most challenging security gap in healthcare. These devices are designed for clinical function, not cybersecurity. Many run embedded operating systems with no mechanism for security updates. They use default credentials that cannot be changed without voiding the warranty. They communicate using unencrypted protocols on the clinical network. And they are increasingly connected — not just to the hospital network but to cloud-based monitoring and analytics platforms.
The FDA has strengthened guidance on medical device cybersecurity, requiring manufacturers to provide a Software Bill of Materials (SBOM) and demonstrate cybersecurity capabilities for new devices. But the installed base of vulnerable devices is enormous, and hospitals cannot simply replace millions of dollars of equipment on security grounds. The pragmatic approach is network segmentation — isolating medical devices on dedicated network segments with strict access controls and monitoring. In practice, most hospitals have not implemented this segmentation.
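The segmentation the paragraph recommends is only as good as the firewall policy that implements it, and the usual way to tell a flat network from a segmented one is to test the policy against a list of paths that must be blocked and clinical flows that must keep working. The following is an added example, not code from the original article: it models zone-to-zone rules with first-match semantics, checks a permit-all "flat" policy and a default-deny segmented policy against the same invariants, and reports which lateral-movement paths (guest Wi-Fi or vendor VPN into the device and EHR segments, devices into the EHR) each policy leaves open. The zone names, ports, rules and invariants are all constructed for illustration.

```python
"""Check a zone-based firewall policy against the access-control invariants a
segmented hospital network should satisfy. Added example: the zone names,
rules and invariants are constructed for illustration, not taken from any
real hospital or product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str            # zone name or "any"
    dst: str            # zone name or "any"
    ports: frozenset    # TCP ports; an empty set means any port
    action: str         # "allow" or "deny"

    def matches(self, src, dst, port):
        return (self.src in (src, "any") and self.dst in (dst, "any")
                and (not self.ports or port in self.ports))


@dataclass
class Policy:
    rules: list
    default: str = "deny"   # verdict when no rule matches

    def evaluate(self, src, dst, port):
        # First-match semantics, as on most firewalls: rule order matters.
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action
        return self.default


# Invariants: (source zone, destination zone, port, expected verdict).
# The "deny" rows are the lateral-movement paths a flat network leaves open;
# the "allow" rows are the clinical flows segmentation must preserve.
INVARIANTS = [
    ("guest_wifi", "medical_devices", 445, "deny"),
    ("admin_workstations", "medical_devices", 3389, "deny"),
    ("vendor_vpn", "ehr", 1433, "deny"),
    ("vendor_vpn", "medical_devices", 22, "deny"),
    ("medical_devices", "ehr", 445, "deny"),
    ("clinical_workstations", "ehr", 443, "allow"),
    ("medical_devices", "device_gateway", 443, "allow"),
]


def check(policy, invariants=INVARIANTS):
    """Return violated invariants as (src, dst, port, expected, actual)."""
    violations = []
    for src, dst, port, expected in invariants:
        actual = policy.evaluate(src, dst, port)
        if actual != expected:
            violations.append((src, dst, port, expected, actual))
    return violations


def is_flat(policy):
    """A policy that permits any-to-any, or defaults to allow, is a flat network."""
    return policy.default == "allow" or any(
        r.src == "any" and r.dst == "any" and not r.ports and r.action == "allow"
        for r in policy.rules)


# The weak setting: a single permit-all rule, i.e. no segmentation at all.
FLAT = Policy(rules=[Rule("any", "any", frozenset(), "allow")], default="allow")

# The corrected setting: explicit allows for the required clinical flows and a
# default deny for everything else. Vendor access terminates on a jump host
# instead of reaching the EHR or device segments directly.
SEGMENTED = Policy(rules=[
    Rule("clinical_workstations", "ehr", frozenset({443}), "allow"),
    Rule("medical_devices", "device_gateway", frozenset({443}), "allow"),
    Rule("device_gateway", "ehr", frozenset({443}), "allow"),
    Rule("vendor_vpn", "vendor_jump_host", frozenset({443}), "allow"),
], default="deny")


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name}: flat={is_flat(policy)} violations={check(policy)}")
```

Running the script reports five violated "deny" invariants for the flat policy and none for the segmented one. In practice the invariant list is the useful artifact: it is the written statement of which segments may never talk to each other, and re-running it after every firewall change is how segmentation stays in place rather than eroding one exception at a time.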
What Healthcare Organizations Must Do
The path forward requires investment, architectural changes, and a fundamental shift in how healthcare organizations prioritize security:
- Network segmentation: Isolate medical devices, clinical workstations, administrative systems, and guest networks on separate segments with controlled access between them. This is the single highest-impact defensive measure for most healthcare organizations.
- Multi-factor authentication everywhere: The Change Healthcare breach — a $22 billion event — was caused by a remote access portal without MFA. Every external-facing authentication point must require MFA. No exceptions.
- Endpoint detection and response: Deploy EDR on every system that supports it. Medical devices that cannot run EDR agents should be segmented and monitored at the network level.
- Backup strategy with offline copies: Ransomware groups specifically target backup infrastructure. Backups must include offline (air-gapped) copies that cannot be reached from the production network. Test restoration regularly — untested backups are not backups.
- Vendor risk management: Move beyond annual questionnaires to continuous monitoring of vendor security posture. Require MFA for all vendor remote access. Segment vendor connections from the broader network.
- Incident response planning: Develop and regularly exercise ransomware-specific incident response plans that address clinical workflow continuity, not just IT recovery. Include downtime procedures that clinicians have actually practiced.
- Regular penetration testing: Test network segmentation, vendor access controls, and medical device isolation through professional security assessments that simulate real attack scenarios.
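Two of the items above, MFA on every external-facing authentication point and MFA on all vendor remote access, can be verified from the portals' own authentication logs rather than from a questionnaire. The following is an added example, not code from the original article or any vendor product: it parses a constructed key=value log of remote-access logins, flags every successful login from outside the organization's address space that did not complete MFA, and computes per-portal MFA coverage so that a portal like the one in the Change Healthcare case (remote access without MFA) shows up as not enforcing it. The log format, portal names, user names, internal address ranges and IP addresses are all constructed for illustration.

```python
"""Audit remote-access authentication logs for external logins that succeeded
without MFA, and report which portals are not enforcing it. Added example: the
log format, portal names, users and addresses are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed internal address space; a real deployment would load its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one key=value record per authentication attempt.
SAMPLE_LOG = """\
2026-03-02T08:14:05Z portal=citrix-gw user=jdoe src=203.0.113.7 result=success mfa=true
2026-03-02T08:15:11Z portal=citrix-gw user=svc_lab_vendor src=198.51.100.22 result=success mfa=false
2026-03-02T08:16:40Z portal=vendor-vpn user=acme-support src=198.51.100.40 result=success mfa=false
2026-03-02T08:17:02Z portal=citrix-gw user=mlee src=203.0.113.9 result=failure mfa=false
2026-03-02T08:18:30Z portal=ehr-portal user=rnguyen src=203.0.113.31 result=success mfa=true
2026-03-02T08:19:12Z portal=mgmt-console user=netadmin src=10.20.4.15 result=success mfa=false
"""


def is_external(addr):
    """True when the source address is outside the constructed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Turn '<timestamp> key=value key=value ...' into a dict with typed fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["mfa"] = rec.get("mfa") == "true"
    rec["external"] = is_external(rec["src"])
    return rec


def audit(log_text):
    """Return no-MFA external logins and per-portal MFA coverage."""
    findings = []
    external_success = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "success" or not rec["external"]:
            continue   # failed attempts and internal-only logins are out of scope
        external_success[rec["portal"]].append(rec)
        if not rec["mfa"]:
            findings.append({"ts": rec["ts"], "portal": rec["portal"],
                             "user": rec["user"], "src": rec["src"]})
    # Coverage = fraction of successful external logins that completed MFA.
    coverage = {portal: sum(r["mfa"] for r in recs) / len(recs)
                for portal, recs in external_success.items()}
    portals_missing_mfa = sorted(p for p, c in coverage.items() if c < 1.0)
    return {"findings": findings, "coverage": coverage,
            "portals_missing_mfa": portals_missing_mfa}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"NO-MFA LOGIN {f['ts']} portal={f['portal']} "
              f"user={f['user']} src={f['src']}")
    print("portals not enforcing MFA:", report["portals_missing_mfa"])
```

On the sample log this flags the vendor service account on the Citrix gateway and the vendor VPN login, and reports both portals as not enforcing MFA while the EHR portal shows full coverage. The internal console login without MFA is deliberately not counted: the article's requirement is for external-facing authentication points, and separating the two keeps the finding list focused on the exposure that matters. Vendor accounts are the ones to watch most closely, since they are the logins least likely to be covered by the organization's own MFA rollout.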
Protect Your Healthcare Organization
Lorikeet Security provides penetration testing and security assessments tailored to healthcare environments — including network segmentation validation, medical device security assessment, and HIPAA-aligned testing. Identify vulnerabilities before attackers exploit them.