When employees at Brno University Hospital, one of the main COVID-19 testing facilities in the Czech Republic, arrived on a Tuesday morning in March 2020, they discovered that their entire IT network was locked. Screens were dark. Systems were not responding. On that particular day, all planned surgeries were canceled. Patients were transferred to different hospitals in the city. The attackers never had to walk through a single door. Their faces were never revealed. This occurred while the same hospital was rushing to process coronavirus tests for a nation in the early stages of a pandemic, which was one of the most perplexing ironies of that already perplexing year.
The attack was not an isolated event. It was a signal that, generally speaking, the healthcare sector has taken a while to fully take in. Between 2020 and 2021, the share of health institutions worldwide that faced ransomware attacks increased from one in three to two in three. The percentage of attacked institutions that paid the ransom increased from 34 percent in 2020 to 61 percent in 2021. Just 2% of those who paid, sometimes millions of dollars, were able to retrieve all of their data. Healthcare now ranks second globally in terms of both attack frequency and total ransom expenditure, with an average cost of $1.85 million for a single week-long attack. These statistics are not abstract. They depict a system under constant, intensifying attack.

| Topic | Ransomware & Cyberattacks Targeting Hospital AI Diagnostic Systems and Electronic Health Records (EHRs) |
|---|---|
| Scale of Threat (2021) | Two in three global health institutions faced ransomware attacks in 2021 — up from one in three in 2020 |
| Ransom Payment Rate | 61% of attacked health institutions paid ransom in 2021, up from 34% in 2020; only 2% recovered all their data after paying |
| Average Ransom Cost | Health institutions pay an average of $1.85 million for a single week-long ransomware attack (Sophos 2022 Report) |
| EHR Adoption Rate (USA) | Approx. 89% of US office-based physicians use EHRs; over 90% of hospitals of all sizes use some form of EHR system |
| Notable Attack Example | March 2020: Czech Brno University Hospital (a COVID-19 testing facility) — entire IT network shut down, all surgeries cancelled |
| ARcare Breach (2022) | Personal data of 345,000 patients exposed; hacker had undetected network access from January 18 to February 24, 2022 |
| Data at Risk | Names, Social Security numbers, medical diagnoses, prescriptions, insurance info, financial account details — health records cannot be “reset” like a credit card |
| Key Vulnerability Drivers | Growing reliance on AI diagnostic tools, wearable devices, interconnected EHR platforms, and underfunded cybersecurity budgets |
| HIPAA Breach Trend Finding | ARIMA model analysis confirms hacking/IT incidents show a significant upward trend (coefficient 0.84, p < 2.2×10⁻¹⁶) in US healthcare data breaches |
| Public Trust Impact | ~80% of Americans, 81% of Britons, and 83% of Australians have strong reservations about their health records being stored digitally, citing identity theft risk |
| Proposed Defense Approach | Penetration testing by ethical hackers (“pen-testers”), privileged access management (PAM), AI-based data classification, and mandatory breach reporting frameworks (GDPR Article 33, US CIRCIA) |

What has evolved over the past few years, and what truly sets the current threat apart from previous ransomware waves, is the target. Over the past ten years, hospitals have made significant investments in AI-assisted diagnostic tools, such as machine learning platforms that assist emergency triage teams in prioritizing incoming cases, algorithms that cross-reference patient histories for potential drug interactions, and imaging systems that identify abnormalities in radiology scans. These tools are now part of everyday clinical operations. They are also networked, interconnected, and frequently lack adequate security. Hackers are aware of this. It’s possible that no industry in the developed world has amassed so much high-value, interconnected, sensitive data while spending so little on its defense.

Most people are shocked to learn how much health data is worth on the illicit market. It only takes a few minutes to cancel and replace a stolen credit card. A health record that has been stolen cannot be replaced. It contains diagnoses, prescriptions, insurance information, Social Security numbers, and sufficient biographical data to open bank accounts or assume an identity, and none of it is reset or expires. Because of this permanence, health records have sold for more than credit card data in certain markets, according to research published in the journal BMC Medical Ethics. When a ransomware group encrypts a hospital's systems and demands payment for the decryption key, the hospital can afford to lose almost nothing, and the attackers are aware of this.
For years, the cybersecurity research community has been warning about EHR vulnerabilities, but their concerns have received little attention. Hacking and IT incidents have shown a statistically significant and consistent upward trajectory, according to a trend analysis published in September 2025 in the Journal of Cybersecurity and Privacy.
The analysis used HIPAA breach data from across the United States and found a coefficient of 0.84 with a p-value so small (p < 2.2×10⁻¹⁶) that the upward trend is almost certainly not due to chance. Researchers observed that the pattern wasn’t random. The same attack techniques continued to surface, targeting the same vulnerability categories in the same kinds of facilities. In other words, the pattern was predictable. This is either extremely unsettling because it indicates that hospitals have been witnessing the same vulnerabilities being exploited repeatedly and haven’t completely closed them, or it is comforting because predictable threats can theoretically be anticipated.
Reading the incident reports gives the impression that the healthcare industry has been conducting a multi-decade experiment in optimism. The logic goes something like this: digitize everything, connect everything, use AI and data-sharing to improve care, and figure out security as you go. The issue is that “as you go” has now become a reality, and the adversaries on the other side are not disorganized teenagers living in basements; rather, in many documented cases, they are sophisticated criminal organizations with committed teams, tried-and-true toolkits, and a deep understanding of the structure of hospital networks and the locations of gaps.
Researchers and security experts are increasingly arguing that hospitals should adopt the perspective of those who are attacking them. Hiring ethical hackers to examine your own systems for vulnerabilities before malicious ones do is known as penetration testing, and it has long been a standard procedure in the defense and finance industries. It is still uncommon in the healthcare industry, in part due to financial limitations and, it appears, in part because hospital administrators still have an innate aversion to allowing a hacker into their network. That instinct makes sense. It is also, at this point, a liability.
Hackers demanding ransom for a hospital’s AI diagnostic systems is no longer a theoretical cybersecurity nightmare. It is a documented, frequent occurrence that cancels surgeries, exposes hundreds of thousands of patients’ private health information, and occasionally compels medical professionals to make decisions without the digital tools they rely on. There is technology available to create stronger defenses. There is knowledge of what is required. The institutional will to take action before the next screen goes dark is still catching up, albeit perhaps too slowly.
