Healthcare Cyberattacks Reach Crisis Level as 92% of Medical Organizations Hit in 2024, New Research Finds
The American healthcare system is experiencing its worst cybersecurity crisis in history, with new research revealing that 92% of healthcare organizations were hit by cyberattacks in 2024, and documented evidence that ransomware attacks are now directly killing patients. The February 2024 Change Healthcare breach alone affected 190 million Americans, nearly one in three people.
According to comprehensive new research commissioned by security news website Cyber Insider, healthcare has become the most targeted critical infrastructure in America, with the FBI reporting 444 cyber incidents in 2024 alone. Unlike other industries, when hospitals fall victim to ransomware, emergency rooms shut down, ambulances are diverted, and patients die from delayed care.
“What we’re witnessing is an unprecedented convergence of sophisticated threat actors targeting our most vulnerable critical infrastructure,” said Alex Lekander, Editor-in-Chief at Cyber Insider. “Healthcare organizations are facing nation-state level attacks with criminal ransomware capabilities, creating a perfect storm that’s literally costing lives. This isn’t just a cybersecurity issue anymore. It’s a national public health emergency.”
Research from the University of Minnesota found that ransomware attacks on hospitals led to 42-67 additional patient deaths, with mortality rates increasing by up to 67% for patients already hospitalized when systems went offline.
Change Healthcare Breach Paralyzes Entire U.S. Payment System
The most devastating example occurred when the BlackCat ransomware group penetrated Change Healthcare, which processes 15 billion healthcare transactions annually. The attack brought the entire U.S. healthcare payment system to its knees, forcing 94% of U.S. hospitals to implement emergency protocols and patients with diabetes to ration insulin when pharmacy systems couldn’t process insurance.
“The Change Healthcare incident demonstrated how consolidation in healthcare has created dangerous single points of failure,” explained Lekander. “When hackers compromised their network through a portal that lacked basic multifactor authentication, they essentially held the entire American healthcare system hostage.”
UnitedHealth Group paid a $22 million ransom, but the attackers disappeared in an “exit scam,” with the stolen data later surfacing with another ransomware group, demonstrating that paying ransoms provides no guarantee of resolution.
$11 Billion Crisis Worsens as AI Powers New Attacks
Healthcare data breaches now cost an average of $10.93 million per incident, nearly double that of any other industry. The Change Healthcare attack alone cost UnitedHealth Group $2.9 billion in 2024. Recovery times are worsening, with 37% of healthcare organizations now taking more than a month to recover from attacks.
“We’re seeing attackers specifically targeting healthcare because they know these organizations will pay quickly to restore life-critical systems,” notes Lekander. “But what’s particularly troubling is the sophistication increase we’re documenting.”
Healthcare’s vulnerability stems from chronic underfunding, with organizations typically allocating just 4-7% of IT budgets to cybersecurity compared to 15% in financial services. This underfunding becomes deadly when combined with legacy systems that can’t be taken offline for updates.
Cybersecurity experts warn that 2025 will bring AI-powered attacks, with CrowdStrike documenting a 442% increase in voice phishing attacks using AI to impersonate hospital executives. Iranian and Chinese threat actors are now using AI for vulnerability research and espionage operations.
“We’re entering a new era where AI is democratizing advanced attack capabilities,” warned Lekander.
Government and Industry Response
The crisis has triggered unprecedented regulatory action, with HHS proposing mandatory multifactor authentication and network segmentation requirements. Congress has introduced bipartisan bills allocating $1.3 billion for hospital cybersecurity improvements.
Despite increased investment — with 55% of healthcare organizations planning to increase cybersecurity spending in 2025 — experts warn incremental improvements won’t be enough.
“This is no longer a question of if the next major attack will occur, but when and whether we’ll be prepared,” Lekander said. “The healthcare industry, government regulators, and cybersecurity community must work together to treat this as the national emergency it has become. We’re literally fighting for patients’ lives, and we’re losing.”