Healthcare ransomware reached crisis levels in 2024-2025, with attacks affecting 93% of healthcare organizations and causing billions in losses. The Ascension Health attack, which Ascension cited as a major factor in its $1.8 billion FY2024 operating loss and which exposed data on 5.6 million individuals, exemplifies the sector’s vulnerability and the devastating consequences of a successful intrusion.
Healthcare ransomware by the numbers
| Metric | Value |
|---|---|
| Healthcare orgs attacked (2024-2025) | 93% |
| Average incidents per organization | 43 |
| Incidents disrupting patient care | 72% |
| EHR systems compromised | 52% |
| Average recovery time | 19-23 days |
| 2024 healthcare breaches (US) | 725+ |
| Individuals affected (2024) | 180+ million |
Ascension Health attack deep dive
Organization profile
| Attribute | Details |
|---|---|
| Type | Nonprofit Catholic health system |
| Hospitals | 140 |
| States | 19 |
| Employees | 150,000+ |
| Annual revenue | $28 billion |
| Rank | One of largest US health systems |
Attack timeline
| Date | Event |
|---|---|
| February 29, 2024 | Initial compromise via malicious file download |
| February-May 2024 | Attackers maintain access, move laterally |
| May 8, 2024 | IT team detects unusual network activity |
| May 8, 2024 | Core systems begin failing |
| May 9, 2024 | Ascension confirms ransomware attack |
| May 9, 2024 | EMS diversions begin |
| May-June 2024 | Paper-based operations across 140 hospitals |
| Late June 2024 | EHR systems restored (~6 weeks) |
| December 2024 | Full scope disclosed: 5.6M individuals affected |
| January 2025 | Second credit monitoring program launched |
Root cause
| Factor | Details |
|---|---|
| Initial access | Employee downloaded malicious file |
| Dwell time | ~2 months before detection |
| Attacker | Black Basta ransomware group |
| Servers accessed | 7 of 25,000 |
| Primary EHR | Not directly compromised |
| Data stolen | Files from ancillary servers |
Operational impact
| System | Status during attack | Recovery time |
|---|---|---|
| Electronic Health Records | Offline | ~6 weeks |
| Pharmacy systems | Offline | 4+ weeks |
| Laboratory | Degraded | 3+ weeks |
| Radiology/imaging | Degraded | 3+ weeks |
| Scheduling | Offline | 3+ weeks |
| Revenue cycle | Disrupted | Months |
Patient care disruption
| Impact | Details |
|---|---|
| EMS diversions | Ambulances rerouted from affected facilities |
| Surgery postponements | Elective procedures delayed |
| Medication verification | Manual processes required |
| Paper charting | All patient documentation |
| Test delays | Lab and imaging backlogs |
| Volume decline | 8-12% reduction May-June 2024 |
Financial impact
| Category | Amount |
|---|---|
| FY2024 operating loss | $1.8 billion (Ascension cited the attack as a major contributor; the figure includes other non-recurring items) |
| Volume decline impact | Significant (May-June) |
| Incident response costs | Not disclosed separately |
| Credit monitoring | Two programs for 5.6M individuals |
| Legal exposure | Class action lawsuits filed |
Data breach scope
| Metric | Value |
|---|---|
| Individuals affected | 5,599,699 |
| Breach rank (2024) | Third largest healthcare |
| Data types | PHI from ancillary servers |
| Notification | December 2024 |
Black Basta profile
| Attribute | Details |
|---|---|
| Emergence | Early 2022 |
| Suspected origin | Conti ransomware offshoot |
| Model | Double extortion (encrypt + steal) |
| Estimated extortion | $100+ million since emergence |
| Primary language | Russian |
| Healthcare targeting | Frequent |
Black Basta tactics
| Technique | Description |
|---|---|
| Initial access | Spearphishing, purchased or stolen credentials, and exploitation of internet-facing software; the CISA/FBI advisory AA24-131A also lists Qakbot delivery and the ConnectWise ScreenConnect vulnerability CVE-2024-1709 |
| Lateral movement | Valid credentials over RDP and PsExec, with Mimikatz used to harvest further credentials |
| Data exfiltration | Staged and copied out with RClone before any encryption starts |
| Encryption | Custom encryptor (ChaCha20 file keys wrapped with RSA-4096); vssadmin.exe deletes volume shadow copies first to hinder recovery |
| Extortion | Ransom note with a unique victim ID and the threat of publication on a leak site |
| Payment | Cryptocurrency |
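The three stages in the table that leave the clearest host-level traces are the RDP fan-out with a valid account, the exfiltration tooling, and the shadow-copy deletion that precedes encryption. The following is an added detection example, not code from this page, from CISA or from any vendor: it parses a handful of constructed Windows Security events (4624 logons, where LogonType 10 is RemoteInteractive, i.e. RDP; and 4688 process creations) and raises one alert per stage. The line format is a simplified rendering of those events, and every hostname, account, address and threshold is invented for illustration.

```python
"""Flag Black Basta-style intrusion precursors in Windows Security events.

Added example over constructed log lines (no real Ascension or Black Basta
telemetry). Each line is "<ISO time> <host> <EventID> key=value ...", a
simplified rendering of event 4624 (logon) and 4688 (process creation)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account fanning out over RDP, staging rclone
# on a file server, then deleting shadow copies the night before encryption.
SAMPLE_EVENTS = r"""
2024-05-07T21:58:02 WS-CLINIC-14 4624 LogonType=2 User=jdoe SrcIP=127.0.0.1
2024-05-07T22:01:10 SRV-RAD-01 4624 LogonType=10 User=svc_backup SrcIP=10.20.5.14
2024-05-07T22:04:41 SRV-LAB-02 4624 LogonType=10 User=svc_backup SrcIP=10.20.5.14
2024-05-07T22:07:05 SRV-FILE-03 4624 LogonType=10 User=svc_backup SrcIP=10.20.5.14
2024-05-07T22:09:30 SRV-FILE-03 4688 User=svc_backup NewProcessName=C:\Users\Public\rclone.exe CommandLine="rclone.exe copy D:\Shares exfil:"
2024-05-07T23:40:12 SRV-FILE-03 4688 User=svc_backup NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
2024-05-08T08:15:00 SRV-EHR-01 4624 LogonType=10 User=admin.smith SrcIP=10.99.0.5
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Tuning values: assumptions for this example, not vendor or CISA thresholds.
RDP_FANOUT_HOSTS = 3                  # distinct RDP targets per account ...
RDP_WINDOW = timedelta(minutes=30)    # ... within this window
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "megasync.exe"}


def parse_event(line):
    """Turn one sample line into a dict; quoted values keep their spaces."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"), "eid": int(m.group("eid")), **fields}


def detect_rdp_fanout(events):
    """One account with RDP logons (4624, LogonType 10) to >= N distinct hosts in a window."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["eid"] == 4624 and e.get("LogonType") == "10":
            by_user[e["User"]].append(e)
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):
            window = [e for e in logons[i:] if e["ts"] - first["ts"] <= RDP_WINDOW]
            hosts = sorted({e["host"] for e in window})
            if len(hosts) >= RDP_FANOUT_HOSTS:
                alerts.append({"rule": "rdp_lateral_movement", "user": user,
                               "src": first["SrcIP"], "hosts": hosts, "ts": first["ts"]})
                break  # one alert per account is enough for triage
    return alerts


def detect_process_indicators(events):
    """Exfiltration tooling and shadow-copy deletion from 4688 process-creation events."""
    alerts = []
    for e in events:
        if e["eid"] != 4688:
            continue
        image = e.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        cmdline = e.get("CommandLine", "").lower()
        if image in EXFIL_TOOLS:
            alerts.append({"rule": "exfil_tool_execution", "host": e["host"],
                           "user": e["User"], "image": image, "ts": e["ts"]})
        if image == "vssadmin.exe" and "delete shadows" in cmdline:
            alerts.append({"rule": "shadow_copy_deletion", "host": e["host"],
                           "user": e["User"], "cmdline": cmdline, "ts": e["ts"]})
    return alerts


def triage(lines):
    """Parse the lines and return all alerts, lateral movement first."""
    events = [parse_event(line) for line in lines]
    return detect_rdp_fanout(events) + detect_process_indicators(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["rule"], {k: v for k, v in alert.items() if k != "rule"})
```

The point of the fan-out rule is that nothing in any single 4624 event is malicious: svc_backup has a valid password and RDP is permitted. Only the pattern across hosts and the later process events turn it into a case, which is why the EDR and logging in the recommendations below have to cover servers as well as workstations.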
Major healthcare attacks and breaches, 2022-2025
| Organization | Date | Attacker | Impact |
|---|---|---|---|
| Change Healthcare | Feb 2024 | ALPHV/BlackCat | $22M ransom, 100M individuals, $2.5B+ costs |
| Ascension Health | May 2024 | Black Basta | $1.8B loss, 5.6M individuals |
| Kaiser Foundation | Apr 2024 | None (third-party tracking technologies, not ransomware) | 13.4M individuals |
| Lurie Children’s Hospital | Jan 2024 | Unknown | 800,000 patients |
| CommonSpirit Health | Oct 2022 | Unknown | 140 hospitals, $160M costs |
| Covenant Health | 2025 | Qilin | 480,000 patients |
Why healthcare is targeted
| Factor | Attacker benefit |
|---|---|
| Life-safety urgency | Pressure to pay quickly |
| High data value | PHI commands premium prices |
| Aging IT infrastructure | More vulnerabilities |
| Complex environments | Difficult to secure |
| Regulatory pressure | HIPAA violations add leverage |
| 24/7 operations | Downtime intolerable |
| Limited security budgets | Especially smaller facilities |
| Legacy medical devices | Often unpatchable |
Attack evolution
Security researchers note concerning trends in healthcare ransomware:
| Trend | Implication |
|---|---|
| Backup targeting | Attackers corrupt/encrypt backups first |
| Infrastructure destruction | Beyond encryption to system damage |
| Longer dwell times | More data exfiltration before detection |
| Third-party targeting | Attack vendors to reach healthcare clients |
| AI-enhanced attacks | More sophisticated social engineering |
“We will see more disruptive attacks masquerading as traditional ransomware events: attackers shifting from simply encrypting data to corrupting backups, damaging infrastructure, or compromising clinical systems in ways that prolong downtime.”
Third-party risk
Third-party outages are emerging as the most significant operational resilience risk:
| Dependency | Risk |
|---|---|
| Cloud-hosted EHR | Vendor compromise affects all customers |
| Imaging platforms | Single points of failure |
| Revenue cycle management | Financial operations disrupted |
| Telehealth services | Patient access interrupted |
| Lab interfaces | Diagnostic delays |
The Change Healthcare attack demonstrated cascading impacts when a central service provider is compromised.
Regulatory response
HHS enforcement
| Year | HIPAA penalties |
|---|---|
| 2024 | $42 million (record) |
| 2025 | Trend continuing |
OCR has increased enforcement actions specifically targeting organizations that failed to implement basic controls:
| Control gap | Enforcement focus |
|---|---|
| Missing MFA | Priority target |
| Poor segmentation | Cited in settlements |
| Delayed patching | Contributing factor |
| Inadequate backups | Aggravating factor |
HIPAA Security Rule update
The proposed rule (NPRM published January 2025) would remove the current distinction between "required" and "addressable" specifications and mandate:
| Requirement | Current status |
|---|---|
| MFA for all ePHI access | Not explicitly required (an authentication standard exists, but it does not name MFA) |
| Network segmentation | Recommended, not required |
| Encryption of ePHI at rest and in transit | Addressable today; limited exceptions proposed |
| Restoration of critical systems and data within 72 hours | No restoration timeline currently specified |
| Annual security risk assessments | Required but often inadequate |
| Vulnerability scanning at least every six months and annual penetration testing | Not currently specified |
| Patch management timelines (critical findings within 15 days, high within 30) | Not currently specified |
Healthcare industry groups support the intent but raise concerns about compliance costs for smaller providers and rural hospitals.
Recommendations
For healthcare organizations
Technical controls
| Control | Purpose |
|---|---|
| Offline, immutable backups | Survive ransomware encryption |
| EDR on all devices | Detect lateral movement |
| MFA on all remote access | Prevent credential-based intrusion |
| Network segmentation | Limit blast radius |
| Privileged access management | Control administrative credentials |
| Email security | Block initial phishing attempts |
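Segmentation is the control that bounds how far a compromised workstation can reach, and policies that look segmented on paper are often flat in practice because of one leftover troubleshooting rule. The following is an added example, not part of this page or of any product: a small first-match rule evaluator over a constructed zone plan (every zone name, CIDR, port set and rule is an assumption) with checks for the properties that matter in the ransomware case: clinical workstations cannot reach servers on admin ports, only the backup server can reach the backup vault, the vault never initiates connections, and only the jump host can reach EHR systems over RDP or SSH. A flat-network variant of the same policy shows the checks failing.

```python
"""Evaluate a segmentation policy for ransomware blast-radius properties.

Added example with a constructed zone plan; rules are evaluated first-match
like a typical firewall ACL. Every zone name, CIDR and rule is an assumption."""
import ipaddress

ZONES = {
    "clinical_workstations": "10.20.0.0/16",
    "ehr_app": "10.50.1.0/24",
    "ehr_db": "10.50.2.0/24",
    "backup_server": "10.50.3.0/24",
    "backup_vault": "10.90.0.0/24",   # immutable backup target
    "jump_host": "10.99.0.0/28",      # MFA-gated admin bastion
}
RDP, SMB, SSH, HTTPS, MSSQL = 3389, 445, 22, 443, 1433

# Rule tuple: (action, source zone, destination zone, allowed ports or "any").
SEGMENTED_POLICY = [
    ("allow", "clinical_workstations", "ehr_app", {HTTPS}),
    ("allow", "ehr_app", "ehr_db", {MSSQL}),
    ("allow", "backup_server", "ehr_db", {MSSQL}),
    ("allow", "backup_server", "backup_vault", {HTTPS}),
    ("allow", "jump_host", "ehr_app", {RDP, SSH}),
    ("allow", "jump_host", "ehr_db", {RDP}),
    ("deny", "any", "any", "any"),
]
# The same policy with one "temporary" troubleshooting rule left at the top,
# which is how many real networks end up flat.
FLAT_POLICY = [("allow", "clinical_workstations", "any", "any")] + SEGMENTED_POLICY


def zone_of(ip):
    """Map an address to its zone name, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def is_allowed(policy, src_ip, dst_ip, port):
    """First matching rule decides; no match means implicit deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for action, rule_src, rule_dst, ports in policy:
        if rule_src not in ("any", src) or rule_dst not in ("any", dst):
            continue
        if ports != "any" and port not in ports:
            continue
        return action == "allow"
    return False


def sample_ip(zone):
    """First usable host of the zone, used as a representative endpoint."""
    return str(next(ipaddress.ip_network(ZONES[zone]).hosts()))


SERVER_ZONES = ("ehr_app", "ehr_db", "backup_server", "backup_vault")


def check_policy(policy):
    """Return the blast-radius properties the policy violates (empty list = passes)."""
    findings = []
    ws, vault = sample_ip("clinical_workstations"), sample_ip("backup_vault")
    for zone in SERVER_ZONES:                       # workstations never get admin ports on servers
        for port in (RDP, SMB, SSH):
            if is_allowed(policy, ws, sample_ip(zone), port):
                findings.append(f"workstations reach {zone} on port {port}")
    for zone in ZONES:                              # only the backup server talks to the vault ...
        if zone in ("backup_server", "backup_vault"):
            continue
        for port in (HTTPS, SMB, RDP):
            if is_allowed(policy, sample_ip(zone), vault, port):
                findings.append(f"{zone} reaches backup_vault on port {port}")
    for zone in ZONES:                              # ... and the vault never initiates anything
        if zone != "backup_vault" and any(
            is_allowed(policy, vault, sample_ip(zone), p) for p in (HTTPS, SMB, RDP, SSH)
        ):
            findings.append(f"backup_vault initiates connections to {zone}")
    for zone in ZONES:                              # admin access to EHR only from the jump host
        for target in ("ehr_app", "ehr_db"):
            if zone in ("jump_host", target):
                continue
            for port in (RDP, SSH):
                if is_allowed(policy, sample_ip(zone), sample_ip(target), port):
                    findings.append(f"{zone} reaches {target} on admin port {port}")
    return findings


if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        findings = check_policy(policy)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

The checks are written as properties rather than as a list of expected rules so that they keep working when the rule base changes; the same approach carries over to exporting a real firewall's rule set and replaying it through the evaluator before a change window.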
Operational resilience
| Practice | Implementation |
|---|---|
| Clinical continuity plans | Paper-based procedures ready |
| Staff training | Downtime procedure familiarity |
| Communication plans | Patient and staff notification |
| Vendor relationships | IR firms and law enforcement contacts |
| Tabletop exercises | Test EHR downtime regularly |
| Third-party assessment | Evaluate vendor security |
For patients
If your healthcare provider experiences a ransomware attack:
| Action | Reason |
|---|---|
| Continue seeking care | Facilities remain operational |
| Expect delays | Manual processes are slower |
| Bring medications | Paper records may not show current Rx |
| Monitor for identity theft | Healthcare data is valuable |
| Review EOB statements | Watch for fraudulent claims |
| Enroll in credit monitoring | If offered by provider |
Federal resources
| Agency | Resource |
|---|---|
| CISA | Healthcare Cybersecurity Toolkit |
| HHS HC3 | Threat briefings and advisories |
| FBI | IC3 reporting, field office coordination |
| H-ISAC | Healthcare sector information sharing |
Healthcare organizations should build relationships with FBI and CISA field offices before an incident occurs.
Context
Healthcare ransomware is not a technology problem alone—it’s a patient safety crisis. The 72% of attacks that disrupt patient care represent real risks:
| Risk | Consequence |
|---|---|
| Delayed diagnoses | Worse outcomes |
| Medication errors | Patient harm |
| Diverted ambulances | Delayed emergency care |
| Postponed procedures | Disease progression |
| Lost records | Care continuity gaps |
The proposed HIPAA Security Rule update acknowledges that voluntary security improvements have not kept pace with the threat. Mandatory controls, while costly, may be necessary to raise the baseline across an industry that remains critically vulnerable.
The Ascension attack, with the $1.8 billion operating loss it helped drive, a six-week recovery, and 5.6 million affected individuals, demonstrates the catastrophic potential of healthcare ransomware. Yet it was only the third-largest healthcare breach of 2024, behind Change Healthcare’s 100 million affected individuals.
Until healthcare organizations implement robust security controls and the industry develops genuine resilience, ransomware will continue to endanger both organizations and the patients who depend on them.