
A new report confirms what many in healthcare have feared: cyberattacks are no longer just an IT problem; they are a direct threat to patient safety. The fourth annual report, titled “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2025,” was released today by the cybersecurity firm Proofpoint and the Ponemon Institute. After surveying 677 U.S. healthcare IT professionals, the findings are stark: 72% of healthcare organizations that were attacked reported a resulting disruption to patient care, up from 69% last year. This matters because “disruption” is a mild word for what’s happening. The report links these attacks to increased complications in medical procedures, longer hospital stays, and even higher patient mortality rates.
The high cost of a security breach
For years, the cost of a cyberattack was measured in dollars. This report, however, measures it in patient outcomes. The data paints a grim picture of a sector under constant siege, with 93% of organizations experiencing at least one cyberattack in the past year, at an average of 43 attacks per organization.
Think of it this way: a hospital’s network going down isn’t just an “operational nuisance.” It’s a direct threat to your health. When systems are compromised, the consequences are immediate and severe:
While the average cost of the most significant attack dropped slightly to $3.9 million, ransom payments are climbing. The average ransom paid by hospitals jumped to $1.2 million, a 60% increase from 2022.
Not all attacks are created equal
The researchers drilled down into which specific types of attacks cause the most harm. It turns out the biggest threat isn’t always the one you hear about most.
So, who’s to blame? Hackers are the obvious answer, but the report points to a more complicated internal problem: us.
The study found that 96% of organizations had at least two incidents of sensitive data being lost or stolen in the last two years. The main causes weren’t sophisticated hacks but simple human error: 35% were due to employees failing to follow policies, and 25% were from employees unintentionally sending patient data to the wrong person via email.
This isn’t just a privacy issue; it’s a safety one. In 55% of these data loss incidents, patient care was disrupted. Of that group, a shocking 54% saw increased mortality rates.
Here’s the real twist: the biggest roadblock to fixing this isn’t money. Budgets for IT security are up. The real problem, according to the survey, is a lack of in-house expertise (43%) and an absence of clear leadership (40%).
“This year’s findings are a wake-up call for the healthcare industry,” said Dr. Larry Ponemon, founder of the Ponemon Institute. “The root cause of many incidents lies in human factors—negligence, insider risk, and gaps in cyber awareness.”
The report makes it clear that healthcare organizations must stop treating cybersecurity as a back-office IT issue. As Ryan Witt of Proofpoint put it, “Patient safety is inseparable from cyber safety.”