Do Ransomware Attacks on Hospitals Impact Patient Care?

  • Writer: Greg Thorson
  • Nov 21
  • 6 min read

The study asks whether ransomware attacks on hospitals disrupt care and harm patients. Using a linked dataset of 74 hospital ransomware attacks (2016–2021) combined with Medicare claims, the authors examine changes in hospital operations and patient outcomes during the attacks. They find that hospital volume drops sharply in the first week: ER, inpatient, and outpatient visits fall by 17–24%, and Medicare revenue declines by 19–39%. Most importantly, patients already admitted when an attack begins face a 34–38% increase in in-hospital mortality. These effects are larger during severe attacks and in smaller or less-resourced hospitals.


The Policy Scientist's Perspective

This article addresses a policy problem of growing systemic importance: the operational and clinical consequences of cyberattacks on hospitals. As health systems become more digitally integrated, disruptions of this scale have broad implications for patient safety, market stability, and national preparedness. The article is timely given the rapid escalation of ransomware incidents since 2020. Its contribution is meaningful: it extends prior descriptive research by assembling a high-quality, novel dataset and applying a credible event-study design that approximates causal inference. The Medicare claims data are reliable. The methods are sound, transparent, and appropriate for the constraints of the setting, and the paper stands out as one of the most consequential empirical studies published in the past month.

Full Citation and Link to Article

Neprash, H. T., McGlave, E., & Nikpay, S. (2025). Hacked to pieces: The effects of ransomware attacks on hospitals and patients. Journal of Health Economics, 88, Article 102753. https://doi.org/10.1016/j.jhealeco.2025.102753


Central Research Question

The article asks whether ransomware attacks on hospitals measurably disrupt clinical operations and worsen patient outcomes, and to what extent these disruptions translate into increased mortality among patients who are hospitalized at the moment an attack begins. More broadly, the authors investigate whether these cyberattacks create spillover effects for nearby hospitals, thereby affecting overall market-level capacity and patient flow.


Previous Literature

The study builds on several strands of research. Prior work on capacity strain has examined how shocks such as physician strikes, accreditation surveys, or unplanned surges in emergency admissions influence patient outcomes. These studies generally rely on quasi-experimental variation to estimate whether sudden operational stress produces measurable harm, although findings have been mixed. A second line of research concerns data breaches in health care, which has largely been descriptive due to limited data availability. Earlier investigations documented an increase in breaches over time, especially following hospital mergers, and one quasi-experimental paper suggested reduced hospital quality after a breach. However, these studies typically combine multiple types of breaches—including lost devices, improper record access, and different forms of cyber incidents—which limits the ability to isolate effects specific to ransomware. A small number of California-focused studies examined ransomware specifically but did not investigate mortality. Thus, the existing literature lacked a systematic, causal analysis of ransomware attacks and their operational or clinical consequences. This article advances the field by developing a new dataset with more complete and attack-specific information and applying a more rigorous identification strategy than earlier descriptive accounts.


Data

The authors combine two main data sources. The first is the THREAT database, a novel dataset assembled by the research team that catalogues all ransomware attacks on U.S. health care providers from 2016 to 2021. It incorporates proprietary data from HackNotice, federal breach reports from the HHS Office for Civil Rights, and a structured review of public disclosures and news reports documenting operational disruptions such as ambulance diversion, canceled surgeries, and EHR downtime. The dataset identifies 374 ransomware attacks on health care entities, 74 of which affected 160 hospitals. The second dataset is Medicare fee-for-service administrative claims, covering inpatient, outpatient, and carrier files, along with beneficiary demographic and mortality information. These data allow the authors to measure patient volume, service intensity, and outcomes. Additional hospital-level characteristics come from the American Hospital Association Annual Survey and its Information Technology Supplement. Together, the data form a detailed, multi-level panel capable of tracking hospital behavior and patient outcomes before, during, and after each attack.


Methods

The empirical design rests on staggered event-study and difference-in-differences strategies. To examine operational effects, the authors compare attacked hospitals to matched control hospitals in the same state but outside the affected hospital referral region. They match controls on non-profit status, system membership, and quartile of Medicare volume. Event weeks are defined relative to the date the ransomware attack is discovered—typically the date systems are encrypted or disabled. Hospital fixed effects, week fixed effects, and month-by-year fixed effects help account for unobserved heterogeneity, seasonal patterns, and broad time trends, including the large COVID-19-induced fluctuations in hospital use. Standard errors are clustered at the attack level. A second control group uses hospitals that will experience an attack later but have not yet been attacked at the time of comparison. This specification enhances robustness by relying solely on hospitals that undergo attacks but requires the assumption that hospitals cannot anticipate their attack date.


For market-level effects, analyses shift the unit of observation to health service areas, defining treated markets as those containing an attacked hospital. The design is similar to the hospital-level event study but identifies spillover effects rather than direct effects.


To estimate mortality impacts, the authors use an admission-level difference-in-differences design. “Exposed” admissions include only patients whose hospital stay was already in progress when the attack began. Control admissions are those occurring at the same hospitals within the five weeks preceding the attack and fully completed before it. The outcome is in-hospital mortality, with additional analyses of 7-, 30-, and 90-day mortality and 30-day readmissions. Patient-level covariates include age, sex, race, dual eligibility, chronic condition count, ICU involvement, DRG weight, and indicators for acute cardiovascular diagnoses. This design isolates a population whose admission decisions are not influenced by the attack while still experiencing the operational disruption. Variants of the model test for dose–response effects using continuous measures of exposure (days hospitalized during the attack week) and assess heterogeneity by attack severity, patient acuity, and hospital characteristics.


Findings/Size Effects

Ransomware attacks create immediate and substantial operational disruptions. In the first attack week, ER, inpatient, and outpatient volumes fall by 17–24%, while Medicare revenue drops by 19–39%. Volume normalizes within two to three weeks. The decline in non-elective admissions (26%) reflects ambulance diversion and reduced capacity for acute care, while outpatient imaging revenue falls by 46%, consistent with the heavy reliance of such services on electronic systems. Nearby hospitals absorb displaced ER volume almost completely; market-level ER visits remain stable during attack weeks. Inpatient and outpatient market-level volume decreases are smaller than those at attacked hospitals but still sizable, indicating only partial absorption by neighbors. Case mix shifts modestly, with a 13% reduction in acute cardiovascular admissions.


Mortality impacts are significant. Among patients hospitalized at the moment an attack begins, in-hospital mortality rises by 1.27–1.40 percentage points, a 34–38% relative increase over baseline. There is no evidence of elevated post-discharge mortality or increased readmissions among survivors, which suggests that the adverse effects are concentrated during the acute disruption. Exposure duration matters: each day spent hospitalized during the first week of the attack increases mortality risk by 0.24–0.31 percentage points. Effects are largest for the most severe attacks (those involving ambulance diversion or canceled surgeries), for patients requiring complex care (ICU patients or those with multiple chronic conditions), and for admissions at small, independent hospitals or those with comprehensive EHR systems. The authors find no mortality spillovers at neighboring hospitals, despite their increased ER volume. Scaling the results, the authors estimate that ransomware attacks caused approximately 69–76 additional Medicare deaths over the six-year study period.


Conclusion

The study provides the first systematic evidence that ransomware attacks on hospitals produce not only operational disruptions but also clinically significant increases in mortality among patients exposed to the attacks while hospitalized. The results underscore that the risks posed by ransomware extend beyond financial losses or administrative inconvenience; they materially affect patient survival during periods of acute system failure. The findings also indicate that ransomware attacks create measurable spillovers in hospital markets, especially through redistribution of ER patients. While the analysis focuses on Medicare fee-for-service beneficiaries, the underlying mechanisms suggest broader policy relevance. The event-study design and high-quality dataset allow credible causal inference in a setting where randomized designs are not feasible. The study therefore contributes meaningfully to the literature on capacity strain, cybersecurity in health care, and the operational fragility of increasingly digital medical environments.

The Policy Scientist

Offering Concise Summaries* of the Most Recent, Impactful Public Policy Research

*Summaries Powered by ChatGPT
