Ransomware Attacks on Hospitals Are Putting Patients' Lives at Risk


On a Tuesday morning in January, the emergency department at Ascension St. Vincent's Hospital in Birmingham, Alabama, went dark. Not literally -- the lights stayed on -- but every digital system the staff relied on to treat patients simply stopped working.

Electronic health records were inaccessible. Medication dispensing systems froze. Lab results could not be transmitted. Ambulances were diverted to other facilities up to 30 miles away. For 11 days, doctors and nurses reverted to paper charts, verbal orders, and a level of uncertainty that modern medicine was supposed to have eliminated.

The cause was a ransomware attack by a criminal group calling itself Medusa, which demanded $5.2 million in cryptocurrency to unlock the hospital's systems. It was the fourth major hospital ransomware attack in the United States in the first six weeks of 2026.

A Crisis Accelerating Out of Control

Healthcare has become the single most targeted sector for ransomware attacks globally. According to a February report from the cybersecurity firm Sophos, attacks on healthcare organizations surged 74 percent between 2024 and 2025, with the average ransom demand climbing to $4.4 million.

The reasons are grimly logical. Hospitals cannot afford extended downtime. Patient care depends on real-time access to digital systems. And the data held by healthcare organizations -- medical records, insurance information, Social Security numbers -- is among the most valuable on the dark web, fetching prices 10 to 20 times higher than stolen credit card numbers.

"Hospitals are the perfect target," said John Riggi, the American Hospital Association's national advisor for cybersecurity. "They have high-value data, they operate under life-or-death time pressure, and many of them are running on outdated infrastructure they cannot easily replace."

Patients Are Dying

What distinguishes hospital ransomware from attacks on other sectors is the human cost. When a pipeline company or a retail chain is hit, the consequences are financial and logistical. When a hospital is hit, people can die.

A 2023 study published in JAMA Internal Medicine found that Medicare patients admitted to hospitals during ransomware attacks experienced a 20 percent increase in in-hospital mortality compared to patients admitted during normal operations. A University of Minnesota study the following year put the figure even higher for time-sensitive conditions like stroke and heart attack.

The mechanism is straightforward. When emergency departments divert patients, travel times increase. When electronic systems go down, medication errors rise. When surgeries are canceled, conditions deteriorate. The cascading effects are difficult to quantify precisely, but the direction is unmistakable.

"These are not abstract cybersecurity incidents," said Senator Mark Warner, who has introduced legislation to strengthen hospital cyber defenses. "These are attacks that kill Americans."

Why Hospitals Are So Vulnerable

The healthcare sector's vulnerability is partly structural and partly financial. Hospitals operate on thin margins -- the average operating margin for U.S. hospitals was 1.5 percent in 2025 -- and cybersecurity competes for funding against staffing, equipment, and patient services.

Many hospitals, particularly smaller and rural facilities, rely on legacy systems that are decades old and were never designed to withstand modern cyber threats. Medical devices like MRI machines and infusion pumps often run on outdated operating systems that cannot be patched without voiding manufacturer warranties.

The attack surface is enormous. A typical hospital network connects thousands of devices, from bedside monitors to HVAC systems, each representing a potential entry point. And the rapid adoption of telehealth and remote monitoring during the pandemic expanded that surface dramatically.

The Federal Response

The federal government has taken incremental steps. The Department of Health and Human Services published voluntary cybersecurity performance goals for hospitals in late 2024 and proposed tying certain cybersecurity benchmarks to Medicare reimbursement. The Cybersecurity and Infrastructure Security Agency has expanded its free vulnerability scanning program for healthcare organizations.

But critics argue that voluntary measures are insufficient for a crisis of this magnitude. The Health Infrastructure Security and Accountability Act, introduced in the Senate last year, would mandate minimum cybersecurity standards for hospitals and allocate $1.3 billion in funding for upgrades. The bill has bipartisan support but has stalled over disputes about implementation timelines and the burden on small facilities.

The Moral Dimension

Perhaps the most disturbing aspect of the crisis is the calculation made by the attackers themselves. Ransomware gangs have historically claimed to avoid hospitals, framing their operations as purely financial crimes targeting wealthy corporations. That pretense has evaporated.

Several of the groups most active in healthcare attacks, including Medusa, BlackCat, and LockBit affiliates, now openly target hospitals, sometimes timing attacks to coincide with peak patient volumes. Some have threatened to leak sensitive patient records, including mental health and substance abuse treatment data, to pressure payment.

Law enforcement has scored occasional victories -- the FBI disrupted BlackCat's infrastructure in late 2024 -- but the groups reconstitute quickly, often under new names. The economic incentives are simply too powerful.

For hospital administrators navigating razor-thin budgets and relentless operational demands, the question is no longer whether they will be attacked but when, and whether they will be prepared enough to keep their patients alive when it happens.
