The Direct, Indirect, And Future Costs Of Ransomware Attacks On Healthcare Organizations

Dr. James Breit, the owner of Plastic Surgery Associates of South Dakota, faced a significant challenge when a hacker locked up nine of his workstations and two servers with ransomware.

Dr. Breit ended up paying $53,000 in ransom to regain access to the data, and he claims that no data was stolen during the incident. However, nearly seven years later, he was hit with a $500,000 HIPAA fine by federal regulators. Dr. Breit expressed frustration and criticized the government for targeting victims of cyberattacks instead of the attackers themselves, highlighting the fact that the fine was 10 times more than what the criminals obtained, despite no patient information being compromised.

The cosmetic surgery practice, which includes two surgeons and seven other clinicians in Central Sioux Falls, was one of two providers that recently agreed to pay a total of $590,000 in fines to the Department of Health and Human Services' Office for Civil Rights (HHS OCR).

This enforcement action was part of the agency's efforts to address ransomware breaches, which have been a top HIPAA priority. Since 2018, the number of large breaches involving ransomware attacks reported to HHS OCR has grown by 264 percent.

Melanie Fontes Rainer, director of HHS OCR, emphasized that ransomware attacks often reveal underlying failures to comply with HIPAA Security Rule requirements, such as conducting risk analyses and managing identified risks and vulnerabilities to health information. These failures can make healthcare providers attractive targets for cyberattacks and lead to breakdowns in the healthcare system.

Under the resolution agreement disclosed by HHS OCR, the medical practice must pay the $500,000 fine and take steps to improve its data security practices. The breach report submitted to the federal agency on July 27, 2017, involved a ransomware incident affecting 10,229 people. Dr. Breit described the ransomware incident as "very frustrating on multiple levels," particularly in terms of the aftermath following the breach report.

Commentary

The above incident involved a surgical practice that suffered a single ransomware attack. The HHS OCR fine was nearly 10 times the ransom that the attacker collected, and it arrived years after the incident itself had been resolved.

For healthcare professionals, there are many costs and potential losses from a ransomware attack:

  • Ransom Payment: The immediate cost often involves the ransom payment itself, which can vary widely. For example, another healthcare establishment, Change Healthcare, made a $22 million ransomware payment and received nothing in return.
  • Incident Response: The cost of containing and remediating the attack. In 2024, the average cost for containment and remediation was $146,685, involving 132 hours of work by 17.5 staff members.

There are also indirect costs:

  • Operational Downtime: Many organizations are forced to shut down operations to recover from an attack. In 2024, 58 percent of organizations hit by ransomware had to shut down operations, leading to significant revenue losses.
  • Revenue Loss: The proportion of organizations reporting significant revenue loss due to ransomware attacks nearly doubled from 22 percent in 2021 to 40 percent in 2024.
  • Legal Fines: Organizations may face legal fines for failing to comply with regulations. In the above example, Dr. Breit faced a $500,000 HIPAA fine following a ransomware attack.
  • Reputation Damage: The loss of customer trust and potential damage to the organization's reputation can have long-term financial implications.

There are also potential losses:

  • Further Extortion Attempts: Paying the ransom does not guarantee the end of the attack. Of the victims who paid the ransom, 32 percent faced further extortion attempts.
  • Data Leakage: Even after paying the ransom, 40 percent of victims still had their data leaked - increasing the chance of future litigation.
  • Future Attacks: Organizations that pay the ransom are often targeted again – 80 percent of victims who paid the ransom experienced another attack soon thereafter.

The final takeaway is that the ransom is rarely the largest cost. Incident response, downtime, lost revenue, regulatory penalties, repeat extortion, and leaked data can each exceed it, and the regulatory penalty in particular turns on whether the organization can show it did the risk analysis and risk management the HIPAA Security Rule requires, which is exactly the failure HHS OCR cited. Healthcare organizations therefore need documented risk analyses, controls that address the identified risks, and a tested incident response plan in place before an attack, not only after one.

Source: https://www.govinfosecurity.com/doctor-hit-500k-hipaa-fine-feds-worse-than-hacker-a-26706 and https://ransomware.org/blog/the-real-costs-of-ransomware/
