Recent research conducted by experts from Michigan State University, Yale, and Johns Hopkins has identified ransomware as the primary factor behind health data breaches in the United States. This malicious software compromises victims’ files or systems, demanding payment in exchange for regaining access to compromised data.
Notably, four hospitals in Michigan have fallen victim to ransomware attacks, with Michigan Medicine experiencing a significant breach affecting over 55,000 patient records. McLaren Health Care leads the incident tally, reporting 2.5 million records compromised due to these cyber incidents.
The study indicates that over the past 15 years, hackers have exposed an alarming 285 million patient records nationwide. John Jiang, a professor of information systems at Michigan State University and the study’s lead author, discusses the specific types of data targeted by cybercriminals. These often include critical personal information such as Social Security numbers, driver’s license details, and birthdates—data that criminals can exploit for fraudulent activities or sell on the dark web.
According to Jiang, health care providers often lack adequate cybersecurity resources. This deficiency emphasizes the urgent need for these institutions to protect sensitive information, including the establishment of separate systems dedicated to safeguarding personal data.
In 2024, ransomware accounted for merely 11% of health care breaches on a national scale; however, it was responsible for compromising about 70% of all patient records affected. This finding builds upon previous studies that attributed more than half of health care data breaches to internal errors, such as lost devices and misdirected emails rather than external cyberattacks.
Jiang raises concerns about the potential health risks posed by data breaches, particularly when hackers manipulate critical patient information. For instance, if a patient’s allergy to a specific medication is incorrectly altered, this could lead to severe health consequences or even fatalities.
In light of these findings, the researchers call on federal regulators to enforce mandatory reporting of ransomware attacks by hospitals and insurers. They also advocate for a reevaluation of how breach severity is assessed, suggesting that care disruptions should be included. Additionally, tracking cryptocurrency transactions could be a vital step to deter ransomware payments.
This study highlights the urgent need for enhanced cybersecurity measures in the health care sector. By understanding and applying frameworks such as the MITRE ATT&CK Matrix, which details adversary tactics and techniques—like initial access, persistence, and privilege escalation—health care organizations can better fortify themselves against future threats.
