JAMA. 2024 May 29;331(24):2129–2131. doi: 10.1001/jama.2024.7752

Ransomware Attacks, ED Visits and Inpatient Admissions in Targeted and Nearby Hospitals

Rahi Abouk, David Powell
PMCID: PMC11137657  PMID: 38809568

Abstract

This case-control study analyzes disruptive ransomware attacks against hospitals in California from 2014 to 2020 and emergency department (ED) and inpatient admissions in attacked and nearby hospitals.


Ransomware attacks on hospitals involve hackers encrypting computer networks and demanding payment for their restoration, potentially disrupting the delivery of health care services. These incidents have been increasing in the US, especially since the COVID-19 pandemic [1,2]. Between 2016 and 2021, more than 370 attacks occurred on US clinics, hospitals, and other health care organizations; the number of attacks doubled over this time [1]. Evidence on the health care consequences of these attacks is limited. A study of an attack on 4 facilities found a 15% increase in emergency department (ED) visits in nearby facilities [3]. We analyzed disruptive ransomware attacks against hospitals in California from 2014 to 2020 and ED and inpatient admissions in attacked and nearby hospitals.

Methods

We analyzed the 2014 to 2020 ED and Patient Discharge Data from the California Department of Health Care Access and Information, which contains discharge-level information on all patient visits in licensed hospitals. Analyses of secondary deidentified data are exempt from institutional review board approval by William Paterson University. The study followed the STROBE reporting guideline. Data were aggregated to the facility-week level, and the outcomes were weekly ED visits and inpatient admissions (hospital admissions involving at least 1 overnight stay). First, we compared weekly outcomes in facilities targeted by ransomware attacks (attacked hospitals) to those not targeted before and after the attacks using a 2-stage difference-in-differences regression model weighted by the number of hospital beds in an event study framework [4,5]. This approach accounted for preexisting differences across hospitals and statewide outcome changes. We controlled for hospital teaching status, the number of intensive care units, critical care units, neonatal intensive care units, and operating rooms. We report weekly differences in percentage changes in the outcomes for 8 weeks before and 8 weeks after the attack with 95% CIs (adjusted for facility-level clustering).

Second, we identified hospitals within the same Hospital Service Area (HSA) as the attacked hospital. We compared outcomes of hospitals near the attacked hospital (hospitals within a 4-mile radius) or, if there were none within 4 miles, the 2 closest hospitals. We compared these hospitals with all other unattacked hospitals in the HSA.

To identify ransomware attacks, we used the US Department of Health and Human Services breach portal, cross-checked with online media coverage to verify and provide additional information on the attacks. We included attacks that created a disruption in care delivery based on information provided in the incident description, ultimately excluding 1 attack that did not affect the electronic medical record servers. Analyses were performed with Stata software, version 17.0 (StataCorp LLC), using 95% CIs and a 2-sided P < .05 to define statistical significance.
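The 2-stage difference-in-differences event study described above, as an added Python example (not the authors' Stata code) run on a constructed, noise-free facility-week panel. It assumes facility and week fixed effects with bed weights only, omitting the hospital covariates and the clustered CIs; the facility names, bed counts, and effect sizes are constructed.

```python
import math
from collections import defaultdict

# Constructed effect path in logs, by week since attack (not the study's data).
TRUE_EFFECT = {0: -0.03, 1: -0.08, 2: -0.16, 3: -0.07}

def constructed_panel(weeks=30):
    """Noise-free panel; tuples are (name, beds, baseline visits, attack week)."""
    facilities = [("A", 120, 700, 12), ("B", 300, 1100, 18), ("C", 80, 400, 21),
                  ("U1", 200, 900, None), ("U2", 150, 650, None), ("U3", 400, 1300, None)]
    rows = []
    for name, beds, base, attack in facilities:
        for t in range(weeks):
            log_y = math.log(base) + 0.05 * math.sin(t / 4)  # shared weekly pattern
            if attack is not None and t >= attack:
                log_y += TRUE_EFFECT.get(t - attack, 0.0)
            rows.append({"facility": name, "week": t, "beds": beds,
                         "log_y": log_y, "attack_week": attack})
    return rows

def two_stage_did(rows, iters=500):
    """Return {weeks since attack: bed-weighted mean of observed minus predicted log outcome}."""
    untreated = [r for r in rows
                 if r["attack_week"] is None or r["week"] < r["attack_week"]]
    fac, wk = defaultdict(float), defaultdict(float)  # facility / week fixed effects
    # Stage 1: fit log_y = facility FE + week FE on untreated observations only,
    # alternating bed-weighted means until the two sets of effects settle.
    for _ in range(iters):
        for effects, key, other, okey in ((fac, "facility", wk, "week"),
                                          (wk, "week", fac, "facility")):
            num, den = defaultdict(float), defaultdict(float)
            for r in untreated:
                num[r[key]] += r["beds"] * (r["log_y"] - other[r[okey]])
                den[r[key]] += r["beds"]
            for k in num:
                effects[k] = num[k] / den[k]
    # Stage 2: subtract the predicted no-attack outcome from attacked hospitals'
    # observations and average the gap by week relative to the attack.
    num, den = defaultdict(float), defaultdict(float)
    for r in rows:
        if r["attack_week"] is not None:
            k = r["week"] - r["attack_week"]
            gap = r["log_y"] - fac[r["facility"]] - wk[r["week"]]
            num[k] += r["beds"] * gap
            den[k] += r["beds"]
    return {k: num[k] / den[k] for k in sorted(num)}

if __name__ == "__main__":
    est = two_stage_did(constructed_panel())
    print({k: round(100 * est[k], 2) for k in range(-3, 6)})
```

Because the first stage never sees post-attack observations from attacked hospitals, the staggered attack dates do not contaminate the fixed effects, and the pre-attack gaps come out at 0.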

Results

From 2014 to 2020, 82 359 450 ED visits and 23 475 497 inpatient admissions occurred in California. We identified 8 ransomware attacks that led to disruptions in 15 hospitals; 355 hospitals were unattacked. In attacked hospitals, there were a mean (SD) of 740.90 (360.18) ED visits and 182.25 (127.71) inpatient admissions in the week before the attack. In the week after the attack, ED visits decreased by 8.10% (95% CI, −14.40% to −1.80%) and inpatient admissions decreased by 8.16% (95% CI, −19.92% to 3.60%), increasing to 16.21% (95% CI, −26.58% to −5.84%) (118.54 visits) and 16.62% (95% CI, −31.28% to −2.00%) (31.03 admissions), respectively, in the second week (Figure; Table). These decreases returned to preattack levels within 8 weeks.

Figure. Ransomware Attacks and Weekly Emergency Department (ED) Visits and Inpatient Admissions in Attacked and Nearby Unattacked Hospitals in California, 2014-2020.

A and B, the relative changes in ED visits and inpatient admissions (in logs) in hospitals with ransomware attacks (n = 15) compared with unattacked hospitals (n = 355). C and D, The relative changes in ED visits and inpatient admissions (in logs) in nearby unattacked hospitals (n = 17) compared with other unattacked hospitals (n = 20) in the same Hospital Service Area as the attacked hospital. Attacked facilities were excluded in the C and D analysis. Analyses are based on a 2-stage difference-in-differences regression model weighted by the number of total hospital beds. The 95% CIs are adjusted by clustering at the facility level and account for the 2-step process. Data are aggregated to the facility-week level. Inpatient admissions are defined as admissions involving at least 1 overnight stay. The number of intensive care units, coronary care unit, neonatal intensive care unit, and operating rooms (all in logs) and a binary variable indicating that the hospital was a teaching hospital were included as explanatory variables in addition to the facility and year-week fixed effects. Shaded areas indicate 95% CIs. The 2-stage difference-in-differences naturally normalizes mean pretreatment differences to 0. We only show the 8 weeks prior to the attack so the average of the displayed preperiod estimates in the figures may not be equal to 0.

Table. Ransomware Attacks and Weekly ED Visits and Inpatient Admissions in Attacked and Nearby Unattacked Hospitals in California, 2014-2020ᵃ

Change from baseline, % (95% CI)

| Attack timeframe | Attacked hospitals vs all unattacked hospitals: ED visits (n = 109 512) | Attacked hospitals vs all unattacked hospitals: Inpatient admissions (n = 128 142) | Nearby unattacked hospitals vs unattacked hospitals in same hospital service area: ED visits (n = 7852) | Nearby unattacked hospitals vs unattacked hospitals in same hospital service area: Inpatient admissions (n = 12 428) |
|---|---|---|---|---|
| Week of attack | −3.24 (−10.49 to 4.01) | 1.75 (−6.79 to 10.29) | 1.41 (−3.56 to 6.37) | −2.15 (−6.42 to 2.12) |
| Implied absolute change | −22.23 | 3.65 | 11.23 | −5.01 |
| 1 Week after | −8.10 (−14.40 to −1.80)ᵇ | −8.16 (−19.92 to 3.60) | 4.11 (−1.71 to 9.93) | 0.12 (−5.69 to 5.93) |
| Implied absolute change | −59.27 | −14.60 | 44.92 | 0.00 |
| 2 Weeks after | −16.21 (−26.58 to −5.84)ᵇ | −16.62 (−31.28 to −1.97)ᵇ | 6.74 (0.13 to 13.35)ᵇ | −1.00 (−6.47 to 4.47) |
| Implied absolute change | −118.54 | −31.03 | 78.61 | −2.50 |
| 3 Weeks after | −7.31 (−14.69 to 0.07) | −13.74 (−25.86 to −1.62)ᵇ | 7.09 (0.47 to 13.71)ᵇ | 1.38 (−4.36 to 7.11) |
| Implied absolute change | −51.86 | −25.55 | 78.61 | 2.50 |
| 4 Weeks after | −1.67 (−7.62 to 4.27) | −11.27 (−20.82 to −1.71)ᵇ | 6.85 (0.48 to 13.21)ᵇ | −1.57 (−10.52 to 7.38) |
| Implied absolute change | −14.82 | −20.08 | 78.61 | −5.01 |
| 5 Weeks after | −3.99 (−15.49 to 7.51) | −15.96 (−39.01 to 7.09) | 6.74 (−0.03 to 13.50) | 0.08 (−5.88 to 6.04) |
| Implied absolute change | −29.64 | −29.20 | 78.61 | 0.00 |
| 6 Weeks after | 2.46 (−3.70 to 8.61) | −8.12 (−19.59 to 3.36) | 5.40 (−0.35 to 11.15) | −2.51 (−10.06 to 5.03) |
| Implied absolute change | 14.82 | −14.60 | 56.15 | −7.51 |
| 7 Weeks after | −0.19 (−8.87 to 8.48) | −3.40 (−13.21 to 6.41) | 2.17 (−2.72 to 7.06) | −1.89 (−9.83 to 6.05) |
| Implied absolute change | −0.00 | −5.48 | 22.46 | −5.01 |
| ≥8 Weeks after | −0.68 (−3.68 to 2.32) | −4.29 (−13.86 to 5.28) | −5.52 (−21.27 to 10.23) | −1.22 (−10.06 to 7.63) |
| Implied absolute change | −7.41 | −7.30 | −67.38 | −2.50 |
| R² | 0.96 | 0.90 | 0.98 | 0.98 |
| Mean (SD) outcome in week preattack | 740.90 (360.18) | 182.25 (127.71) | 1123.00 (662.57) | 250.35 (188.57) |

Abbreviation: ED, emergency department.

ᵃ Each row reports the relative change between ransomware attacks and the corresponding outcome for the week of the attack and the following weeks based on a 2-stage difference-in-differences regression model weighted by the number of total hospital beds. The implied absolute changes in outcomes represent the percentage changes multiplied by the preattack mean. The 95% CIs are adjusted for clustering at the facility level and for the 2-step process of the estimation procedure. Data are aggregated to the facility-week level. The number of ED visits and inpatient admissions are analyzed in logs. The number of intensive care units, critical care units, neonatal intensive care units, and operating rooms (all in logs) and a binary variable indicating that the hospital was a teaching hospital were included as explanatory variables in addition to the facility and year-week fixed effects.

ᵇ Statistically significant at P = .05.

There were 17 unattacked nearby hospitals and 20 other unattacked hospitals in the same HSA as the attacked hospital. In unattacked nearby hospitals, increases were observed in ED visits up to 4 weeks (ie, reaching 7.10% in week 3 [95% CI, 0.50%-13.71%]) (78.61 visits). No statistically significant changes were observed in inpatient admissions in nearby hospitals.

Discussion

This study found a temporary decrease in ED visits and inpatient admissions in hospitals targeted by ransomware attacks and a temporary increase in ED visits in unattacked nearby hospitals in California, suggesting that the consequences of such attacks are broader than the targeted hospitals. Limitations include the unavailability of post-2020 data and that 1 attack that was not disruptive was excluded, so the analysis might modestly overstate harms of ransomware attacks. In addition, potential adverse health outcomes among patients were not addressed.

Section Editors: Kristin Walter, MD, and Jody W. Zylke, MD, Deputy Editors; Karen Lasser, MD, MPH, Senior Editor.

Supplement 1.

Data Sharing Statement

jama-e247752-s001.pdf (13.5KB, pdf)

References

  • 1. Neprash HT, McGlave CC, Cross DA, et al. Trends in ransomware attacks on US hospitals, clinics, and other health care delivery organizations, 2016-2021. JAMA Health Forum. 2022;3(12):e224873-e224873. doi: 10.1001/jamahealthforum.2022.4873
  • 2. Miller M. The mounting death toll of hospital cyberattacks. Politico. December 28, 2022. Accessed March 15, 2024. https://www.politico.com/news/2022/12/28/cyberattacks-u-s-hospitals-00075638
  • 3. Dameff C, Tully J, Chan TC, et al. Ransomware attack associated with disruptions at adjacent emergency departments in the US. JAMA Netw Open. 2023;6(5):e2312270. doi: 10.1001/jamanetworkopen.2023.12270
  • 4. Miller DL. An introductory guide to event study models. J Econ Perspect. 2023;37(2):203-230. doi: 10.1257/jep.37.2.203
  • 5. Borusyak K, Jaravel X, Spiess J. Revisiting event study designs: robust and efficient estimation. Rev Econ Stud. Published online February 6, 2024. doi: 10.1093/restud/rdae007

Articles from JAMA are provided here courtesy of American Medical Association
