Ransomware attacks in healthcare on the rise

The threat of ransomware is rapidly evolving in not only sophistication but prevalence. Most recently, details have come to light, exposing the extent of the ransomware attack against US-based Magellan Health affecting over 364,000 individuals. Although ransomware attacks have been an emerging trend for several years, the instances of such attacks have increased dramatically over the past 12 months.



Ransomware is a type of malicious software or malware that is used to encrypt files owned by a victim until a form of ransom is paid. This type of attack exploits both technical and operational vulnerabilities, typically using social engineering techniques via email. This can include focused attacks termed spear phishing. While traditional phishing attacks are non-personalised attempts to gain information or to place malware, spear phishing is a targeted attack. In many instances, the target of such an attack may be well researched to assist the attacker in crafting a convincing request. This may involve a seemingly innocuous email received from an account purporting to be a trusted party such as a colleague or customer.

Trilateral offers vulnerability scanning and penetration testing services to identify weaknesses in networks and/or applications that risk exposing the system to threats by malicious actors.


Magellan Health breach

In July 2020, the extent of the April attack on Magellan Health was released. Data under the control of Magellan Health was exposed after an unauthorised actor gained access to Magellan’s system through a spear phishing email. Using stolen login details, the attackers were then able to gain access to the organisation’s network servers. After a full investigation into this breach, it was identified that records relating to almost 365,000 patients and employees were exposed. These records included sensitive information, such as medical files and social security numbers.


Rapidly growing threat

According to a recent report by Corvus Insurance, ransomware attacks against healthcare providers have increased by 75% in 2019 alone. Corvus predicts that these figures are set to almost double in 2020, which is reflected in the data released by the US Department of Health and Human Services.

The US Department of Health and Human Services data shows that in 2018 only 35 breaches were reported by healthcare companies caused by hacking and ransomware. This figure rose to 193 in 2019 and at the midpoint of 2020, this figure currently sits at 144. Year on year, the percentage of incidents, and in particular incidents involving email, has steadily increased.

Reported Hacking/Ransomware Breaches

US Department of Health and Human Services

Hacking/Ransomware incidents35193144
% involving email51%59%61%


The targeting of healthcare in crisis

Last month, we spoke with Philipp Amann, Head of Strategy of Europol’s European Cybercrime Centre (EC3) who highlighted how cybercriminals are exploiting the COVID-19 crisis and in particular targeting the healthcare sector. It is clear that the ramping up of reported attacks in 2020 can be linked to the additional vulnerabilities caused by the pandemic.

The threat to healthcare operations exists partly due to the extremely sensitive and vital nature of the data held. If this data becomes unavailable or disclosed, this may lead to consequences of great severity to the data subjects concerned.

Although the healthcare sector is facing numerous challenges going forward, due to the rapidly increasing numbers of attacks, we advise that some simple but important measures can be implemented and developed. These include:

  • a rapid response plan;
  • network vulnerability scanning technologies;
  • robust email scanning and anti-virus software;
  • two-factor authentication; and
  • (most critically) sufficient and effective training for all staff.

Trilateral offers audit and assessment, data protection impact assessment, and training services to help your organisation identify compliance gaps and facilitate a data protection culture to mitigate risk and safeguard systems from intrusions and errors.



While it is not possible to eliminate the risk of cyberattacks, reviewing and implementing preventative measures at this time is advisable, considering the level of risk and the value of the data healthcare organisations process. Many of the preventative measures listed above can be implemented without disruption to service delivery and at a relatively low cost, considering the potential impact of large-scale ransomware attacks.

However, the most impactful defence against this type of attack are your people. An appropriately delivered training and awareness initiative can assist staff in identifying potential ransomware attacks in their day to day activities. For more information on how Trilateral can support you in implementing preventative measures during these challenging times or if you are seeking assistance in responding to a breach, please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.


Stacey Williams, Data Protection Advisor at Trilateral Research

‘Risk Assessment Report and Methodology’

You can view the Executive Summary and Table of contents of the Project Solebay Risk Assessment Methodology Report.

Please sign up to the Solebay mailing list to download the Full Solebay project report.