According to researchers from Michigan State University, Yale and Johns Hopkins, ransomware is now the leading culprit behind U.S. health data breaches.
Ransomware is malicious software that hijacks a victim's files or systems and holds them hostage for money. At least four Michigan hospitals have been hit in recent years, including Michigan Medicine, which had more than 55,000 patients affected. McLaren Health Care topped the list with 2.5 million records breached.
The study revealed nationwide, hackers have exposed 285 million patient records over the past 15 years.
John Jiang, professor of information systems at Michigan State University and the study's lead author, said cyber crooks are hunting for specific data.
"They're looking for Social Security numbers, driver's license, individual birthdays," Jiang outlined. "Because they could to use this information to commit fraud, or selling on the black market."
Jiang pointed out health care providers don't have a lot of cybersecurity resources, so he said it is crucial to protect the most sensitive information first, for example, setting up separate systems to handle personal information.
In 2024, ransomware was behind just 11% of health care breaches nationwide but it did the most damage, compromising about 70% of all patient records. The new research builds on earlier studies showing internal mistakes, not hackers, caused more than half of health care data breaches, including lost devices and misdirected emails.
Jiang warned such breaches can also pose serious risks to patients' health.
"This person is allergic to a certain medicine," Jiang suggested. "If the hackers mess up the system, or modified whatever information, that could cause a life-changing event."
The researchers urged federal regulators to require hospitals and insurers to report ransomware attacks, change how they measure breach severity to include care disruptions and track cryptocurrency to stop ransom payments.
Ascension Healthcare, which has a major presence in Wisconsin, was hit by a cyber attack in 2024.
