Are we resilient yet? A hard look at a decade of cyberattacks that shaped healthcare
Threat actors found a prime target in healthcare in 2016 and have evolved their cyberattack tactics to ensure mass disruption. Starting with ransomware that disabled entire health systems, these cybercriminals (particularly during the pandemic and the Change Healthcare attack) have shown healthcare its biggest pain points and challenges.
However, those who choose to join healthcare cybersecurity teams do so with one keen mission: patients. And that binding factor has empowered organizations to band together for the greater benefit, as the one constant phrase for healthcare cyber is: ‘We’re only as strong as our weakest link.’
While the list of incidents and trends across the last decade of disruptive healthcare cyberattacks has a lot of names and concerning data points (and patient safety risks), healthcare leadership should also note another, less obvious theme: in times of greatest disruption, banding together as an industry has moved the needle on healthcare cybersecurity and reduced disruptions.
Throughout the decade, it has been very clear that some healthcare organizations lack the expertise or resources to execute the strategy required to defend against the constant barrage of attacks – at least not on their own.
The examination of the key incidents that shaped the sector in these last 10 years should concretely demonstrate the importance of smart partnerships to fill these gaps, as well as the importance of threat sharing with peers, to the overall benefit of sector resilience.
Key ransomware incidents from 2016 – 2025
2016: A sharp new reality
Over the course of the year, the healthcare sector became a clear target for cybercriminal activity, with a steady stream of ransomware attacks, hacking incidents, and outages. These incidents included Hollywood Presbyterian (February 2016), Methodist Hospital in Kentucky (March 2016), MedStar (March/April 2016), and Appalachian Regional Healthcare (September 2016).
By mid-year, extortion was prevalent – where hackers would gain access to the network, exfiltrate data, then hold it for ransom – without disrupting operations. A hacker with the handle thedarkoverlord notoriously targeted healthcare and stole troves of data by exploiting vulnerabilities in victims’ networks.
The first hacks began in June 2016 with the exfiltration of data tied to 655,000 patients, which was put up for sale on the dark web for 151 to 607 bitcoins, or $100,000 to $395,000 at the time.
While data extortion and associated ransomware demands became par for the course for healthcare ransomware victims, thedarkoverlord wreaked havoc on healthcare providers and other industries for several years before a key member of the hacking group was found and extradited in 2019. The group was later believed to be behind the attack on Hollywood Presbyterian.
2017: One target, global disruption
Two global cyberattacks deployed in May and June by two different nation-state groups revealed another layer of tactics and the critical vulnerabilities of the digitally connected world.
The global WannaCry cyberattack, deployed on May 12, 2017, would become one of the most talked-about incidents of the year. A group called the Shadow Brokers (which claimed to have access to NSA tools in July 2016) exploited a known Microsoft vulnerability with an NSA hacking tool known as EternalBlue, causing the WannaCry attack.
WannaCry infected more than 300,000 computers across the globe and caused millions of dollars in damage.
What was interesting about WannaCry was the impact on organizations that were not targeted by the ransomware, including the National Health Service in England and Scotland, which saw disruptions for several weeks after the initial attack. WannaCry crippled the health system’s ability to treat patients, diverted ambulances, and blocked access to patient data.
The cyberattack had a chilling effect on businesses given the rate of proliferation and disruption. Had the kill switch not been found within a few hours of deployment, the damage would have been exponentially worse. For healthcare, the attack shined a light on a massive challenge that remains even today: failure to patch known vulnerabilities promptly leaves the door open to attacks, even if the organization is not a prime target.
One month later, another cyberattack ripped across the world in a similar fashion. The NotPetya cyberattack, deployed in June 2017, disrupted services, and it began with a software update to a Ukraine-based tax accounting software package. NotPetya signaled what was to come with supply chain attacks: mass disruption and hefty financial losses. Some hospitals infected by NotPetya were reportedly forced to replace entire networks corrupted by the attack. At least 10 US healthcare providers were impacted, as well as Nuance, Merck, Maersk, and a great number of businesses across Ukraine, for a number of weeks.
2018: The year of SamSam and extortion
The FBI’s Internet Crime Complaint Center (IC3) saw a 242% increase in extortion-related complaints in 2018, with a total of 51,146, accounting for more than $83 million in losses. Meanwhile, 1,493 ransomware incidents were reported to IC3 in 2018. While not every incident is reported to the FBI, the data paints an interesting picture of the year – highlighted by weekly, and sometimes daily, reports of extortion victims hitting the headlines.
SamSam preyed heavily on healthcare vulnerabilities, and within the first few months of emerging, the attackers made more than $6 million for their efforts. The group emerged in 2016 but hit its stride in 2018, hitting multiple hospitals and Allscripts all within the first few weeks of January. The electronic health record vendor went down on Jan. 18, after SamSam infected two of its data centers in North Carolina. Provider organizations impacted by the outage reported canceled appointments, care disruptions, significant business interruption, and lost revenues.
Another attack, likely caused by SamSam, hit LabCorp in July 2018, forcing a shutdown of its network, cutting off access to LabCorp systems, and causing delays in test processing. LabCorp quickly contained the attack, but in the 50 minutes between detection and mitigation, the ransomware encrypted 7,000 systems and 1,900 servers – 350 of which were production servers.
2019: Massive data breaches and a ransomware resurgence
Nearly $2 trillion was lost to cybercrime in 2019. Cybercriminals locked up several local government systems in the US, including Baltimore’s, and Capital One experienced one of the largest banking hacks in history.
For healthcare, the first half of 2019 was dominated by data breaches, with potentially more than 25 million patient records breached by the midway point of the year. For context, just 15 million patient records were reported as compromised from 503 incidents in 2018. Most of these staggering numbers came from a third-party vendor hack that rippled across the healthcare sector: American Medical Collection Agency, a billing services vendor, was hacked for eight months between August 1, 2018, and March 30, 2019, impacting Quest and LabCorp, as well as dozens of providers.
Throughout the year, multiple vendors reported ransomware-related incidents and data breaches – often well outside HIPAA reporting requirements and with multiple providers impacted. The majority were caused by hacking, with threat detections on healthcare endpoints increasing by 60 percent, year over year.
However, by the year’s end, these numbers remained stagnant – and ransomware resurged with a vengeance. The rapid increase in the severity of ransomware attacks spurred several alerts and guidance from a host of stakeholders, including Microsoft, the Office for Civil Rights, and security leaders.
Several hospitals saw care disruptions throughout the year, though these were not as prevalent as in previous years. In mid-November, Ryuk ransomware actors hit Virtual Care Provider, a tech company servicing more than 100 nursing homes and long-term care facilities, and demanded $14,000,000 in bitcoin as ransom. The nursing home organizations’ 80,000 computers across 45 states were unable to access patient records, pay employees, or order medications for several weeks.
In total, 764 healthcare providers fell victim to ransomware in 2019, including two of the largest healthcare breaches of the year, according to Emsisoft. These attackers were likely not looking for patient data but seeking to disrupt operations for a quick payout. Regardless of the attackers’ intentions, several providers permanently lost data after successful ransomware infections, while most healthcare victims reported disruptions.
By the end of the year, two providers permanently closed after separate ransomware incidents made the cost of recovery untenable. Security researchers warned that ransomware was just getting started – and in 2020, amidst the global pandemic, the prediction proved painfully accurate.
2020: A global pandemic and COVID-19
By March 2020, a large portion of non-essential employees were working remotely, and businesses were rapidly deploying technology in response to the highly contagious, fast-moving COVID-19 pandemic.
The healthcare sector moved swiftly to add on or implement new technologies, including telehealth capabilities at scale, as many hospitals and health systems were inundated with emergency patients and a global pandemic never experienced in the modern age.
Reports during the first half of the year showed that reported ransomware incidents had declined significantly from the huge wave of attacks that ended 2019. By May, that surge had dissipated, with just 25 providers impacted by ransomware in the first quarter, compared to the 191 hit during the same period of the previous year.
While some hacking groups vowed not to hit the healthcare industry, pharmaceutical companies, research facilities, and other companies tied to the pandemic response fell victim to targeted attacks, often led by nation-state actors. Security leaders and federal agencies warned that threat actors were still executing attacks, despite fewer reports.
Almost like clockwork, the second half of 2020 saw a resurgence of attacks, with nation-state actors preying on the healthcare sector in record numbers by the fall. The FBI began investigating a wave of targeted ransomware attacks in October, with at least a dozen US hospitals, health systems, and healthcare providers falling victim to ransomware.
Sky Lakes Medical Center and University Health System, one of the largest US health systems, were part of this wave of attacks tied to Ryuk. By the end of the year, 560 healthcare providers had fallen victim to the malware, more than a quarter of the total 2,354 US entities hit by ransomware in 2020.
2021: Supply chain cyberattacks lead to widespread outages
By 2021, threat actors seemed to shift from testing out attacks on the supply chain and critical infrastructure to full-on targeting of healthcare, as dozens of hospitals and other provider organizations fell victim to attacks. By May, the rate of ransomware attacks seen across the globe had increased by 102 percent, according to Check Point data.
From April to May 2021, the healthcare and utility sectors were the most targeted by ransomware threat actors, with an average of 1,000 entities impacted by ransomware attacks each week: a 21 percent increase over the first trimester of 2021, and a 7 percent rise in April alone.
The average downtime doubled in 2021 as well, from about 15 days to at least four weeks, and the scope of attacks seen in 2021 made starkly clear just how bad these outages could be.
Supply chain cyberattacks were not a new phenomenon, as seen with the earlier WannaCry and NotPetya attacks. However, the lasting impact and fallout on critical infrastructure this year had not been seen before. These attacks included: Accellion FTA (a backdoor vulnerability hack that impacted dozens of connected providers and millions of patients), SolarWinds (which affected multiple critical infrastructure industries and connected organizations), and Colonial Pipeline (leaving the Southeast region cut off from gasoline access).
The repercussions of these cyberattacks rippled across the country and led to the White House coordinating efforts to enhance the cybersecurity of all critical infrastructure organizations, including healthcare.
Meanwhile, healthcare saw some of the longest periods of downtime brought on by cyberattacks in its history.
In the U.S., a cyberattack on Scripps Health in May led to more than a month of downtime, with later reports highlighting the impact on patient safety – not just for the victimized hospital, but for the regional hospitals dealing with the overflow of patients diverted to them.
In total, the ransomware attack, over four weeks of electronic health record downtime procedures, and theft of some patient data cost Scripps Health $112.7 million in estimated revenue loss and incremental expenses.
The Scripps cyberattack kicked off a steady stream of targeted healthcare hacks, including one on Ireland’s Health Service Executive (HSE). The HSE cyberattack was the largest attack against any health service computer system in history, impacting the HSE’s 54 public hospitals along with other hospitals that depended on HSE’s IT infrastructure.
The Conti ransomware group, which deployed the attack, successfully exfiltrated 700 GB of unencrypted data, and over 75 percent of the HSE IT environment was encrypted, restricting access to medical records and forcing hospital staff to revert to pen and paper.
The steady stream of cyberattacks and correlated downtime did not stop with the changing year: a payroll vendor hack impacted dozens of providers, and multiple hospitals fell into downtime after ransomware attacks at the start of the year.
2022: A series of unfortunate downtimes and privacy issues
The rate of cyberattacks and associated downtime seen in 2021 drove ECRI to name cyberattacks the top health tech hazard for 2022. For example, the disclosure of the widely exploitable Log4j vulnerability prompted urgent calls for patching across all sectors. But a lack of visibility and reliance on legacy tech left many providers struggling to find and remediate the threat, leading to multiple hacks and disruptions.
From January until December, a steady stream of hospitals and health systems reported downtime from cyberattacks – including Eye Care Leaders, CommonSpirit Health, Tenet Healthcare, Memorial Health System, Indian Health Service, health plans, and regional hospitals. The UK National Health Service also went down, just one year after a similar outage at Ireland’s HSE.
Privacy protection, particularly for data shared by health apps, became a keen focus of the FTC after the overturning of Roe v. Wade. The timing coincided with a ProPublica report that revealed nearly all healthcare sites, at the time, were inadvertently sharing patient data with third parties due to marketing pixels. The report’s finding that Meta’s Pixel tool was scraping health data from hospital websites led to patient outcry, multiple massive breach reports from healthcare entities, denials from Facebook, and more than 50 lawsuits over the alleged privacy violations.
For healthcare, the report reaffirmed the need to break down silos between departments and make cybersecurity part of all tech decisions, to ensure compliance and protect digital health environments. Soon after, the FTC began enforcing its own health data rule to ensure health apps were protecting consumer health data.
2024: Change Healthcare changed public understanding of patient safety ties
If the Colonial Pipeline and SolarWinds incidents changed the public’s understanding of critical infrastructure risks, Change Healthcare confirmed the dire patient safety risks tied to unexpected downtime.
As seen in trends throughout the years, unexpected, cyber-induced downtime wreaks havoc on operations, revenue, patient wait times, and technology. In February, the Change Healthcare ransomware attack left an indelible impact on healthcare delivery organizations across the U.S. for several weeks, disrupting access to prescriptions and providers’ ability to pay employees and file insurance claims.
Deployed by the ransomware group known as ALPHV or BlackCat, the Change Health cyberattack wrought the worst-case scenario long dreaded by industry stakeholders.
The outage, however, yielded broader public awareness thanks to providers speaking openly about their struggles with the incident (unable to bill patients, or get paid for services), while patients shared stories of being admitted to the hospital to receive life-saving medications they could not access at the pharmacy.
A little less than six months later, a faulty software update caused similar outages at Microsoft and other tech giants, once again demonstrating how even a small vulnerability or mistake can lead to widespread disruption.
The massive incidents and the fallout from the Change Healthcare incident confirm the need to:
- Proactively assess and test mission-critical functions
- Get ahead of third-party risk by proactively increasing visibility, because supply chain risk is going to get worse
- Proactively treat cybersecurity as a business opportunity, because financial impacts will only increase
2025: Fewer healthcare cyberattacks, but hospitals remain prime target
Cyberattacks on healthcare systems surged in 2025, led by third-party cyberattacks, software vulnerabilities, and ransomware. In total, 61.5 million records were reported compromised last year from 700 incidents, compared to a whopping 270 million records in 2024 (mostly tied to the Change Health incident).
The majority of compromised records were exposed not through the primary provider but through business associates, health plans, third-party vendors, and other supply chain entities, while most of the hacked data came from outside the EHR. And much like in previous years, a large number of compromised records were caused by ransomware attacks combined with exfiltration and/or extortion.
Ransomware remains the primary threat facing the healthcare sector, but a growing concern is the rise in supply chain exploitation. Attackers have shifted their primary focus from locking up systems to stealing data, including billing and patient information, and then extorting the victim over both the downtime and the exfiltrated data, according to the Indiana Executive Council on Cybersecurity.
Applying the lessons learned from their success with the Change Health cyberattack, threat actors continue to use stolen passwords to steal troves of patient and financial data before extorting the vendor and connected providers.
Healthcare providers depend on their supply chain partners for safe, effective patient care. That means, no matter how strong the cybersecurity program, processes, and tools – one weak vendor is enough for an inevitable bad day.
Moving into 2026, these tactics will likely continue. Healthcare delivery organizations must treat vendors like the mission-critical functions they are: ensure they enforce multi-factor authentication, reinforce breach notification requirements, and ask for validation that they use secure backups.
This report is part of a year-long retrospective on the evolution of healthcare cybersecurity and ransomware over the last decade of targeted attacks. Follow CHIME and DHX on LinkedIn to make sure you don’t miss the next chapter.