In part one of our healthcare series, we addressed the immediate aftermath of a cyberattack—the moments when systems go down, chaos ensues, and care teams are forced into disaster mode. This installment focuses on how cyberattacks impact both patient and financial outcomes and why paying a ransom or relying on cyber insurance is not enough.
The Tragedy of Spring Valley: A Warning for Rural Healthcare
About two hours southwest of Chicago lies Spring Valley, Illinois—a quintessential small American town with its classic water tower, quaint Main Street, and local high school football stadium. But beneath this familiar facade, Spring Valley carries a devastating legacy: it's believed to be the first U.S. town where a hospital closed directly because of a ransomware attack.
In 2021, international cybercriminals infiltrated the systems of St. Margaret's Health, the town's hospital, with ransomware, paralyzing its operations. While the clinical staff valiantly attempted to continue providing care using paper records and manual processes, the attack completely halted the hospital's ability to submit insurance claims.
For a rural hospital already operating on razor-thin margins, this extended interruption in billing proved fatal. By 2023, just two years after the cyberattack, St. Margaret's was forced to permanently close its doors. Two years after that, Alpha Wellness and Alpha Medical Centre in Alpharetta, Georgia, met a similar fate, shuttering barely two months after being hit by ransomware.
Rural healthcare in America has been struggling for years. According to the University of North Carolina, more than 196 rural U.S. hospitals have closed since 2005, and a recent report shows that in 10 states, more than 50% of rural healthcare providers are at risk of closing permanently this year.
The story of St. Margaret's Health illustrates how cybersecurity has evolved from an IT concern to an existential threat for healthcare providers. For decades, the hospital had been the cornerstone of healthcare in this rural community, providing everything from emergency services to obstetric care.
But the impact of the Spring Valley story resonates well beyond rural communities: the new, digital threat is a crisis for any healthcare system, regardless of location. We are facing massive disruptions associated with large-scale cyber events, with costs as high as hundreds of millions of dollars, as we recently explored in a previous blog.
Anatomy of a Hospital Cyber Attack
So how could a cyber attack inflict such financial pain that it caused the shuttering of an entire hospital? The short answer is that the damage caused by the attack is not limited in duration. The effects of an attack last far beyond the operational disruption of the initial event, typically unfolding over months and years. Take a look at this timeline:
Immediate Impact (First Six Months):
Hospital operations dramatically disrupted with 20-40% reduction in patient volumes
Elective procedures deferred or canceled
Reduced testing and imaging capabilities result in fewer tests ordered
Delayed billing resulting in higher denial rates
Increased staff overtime and burnout
High overtime costs
Expensive forensic investigation
Mid-term Impact (Next 12 Months):
Costly cybersecurity improvements
Patient breach notification costs
Regulatory fines with federal and state regulators
Attorney fees and mounting litigation costs
Litigation stemming from medical errors (studies show a 30% increase in medical errors when systems are down)
An average 64% increase in marketing/advertising costs to rebuild the reputation of the institution
Long-term Recovery (Years 2-5):
Civil suit settlements
Class action settlements
Insurance premium increases
Patient loss (6-7% following a major cyber incident)
Lost contract revenue with partners
Increased employee attrition
Difficulty attracting new talent
Increased cost to raise capital
To avoid both the deterioration of patient care and these existential financial impacts, healthcare executives might consider paying the ransom to the attackers or relying on cyber insurance to resolve these issues.
But it’s not quite that simple.
Ransomware: To Pay or Not to Pay
Modern cyber attacks have evolved beyond mere encryption. Today's attacks almost always involve data theft and extortion, where criminals threaten to publish sensitive patient information. Some attackers go so far as to contact individual families, threatening to release embarrassing diagnoses or to compromise children's future employment prospects; in cases like the Vastaamo data breach, they actually followed through.
This "pay-versus-publish" dynamic transforms the decision from a technical recovery issue into a matter of institutional reputation and patient privacy.
Law enforcement agencies and cybersecurity experts consistently advise against paying ransoms. Each payment directly finances criminal enterprises, funds the development of more sophisticated attack tools, potentially supports terrorism, and perpetuates a destructive cycle that harms countless other organizations.
Despite the pressure to pay, evidence overwhelmingly shows ransoms are counterproductive:
Payment Doesn't Guarantee Recovery: Research from Sophos reveals that 92% of companies that paid ransoms didn't get all their data back, with only 29% recovering even half of their affected data
Higher Overall Costs: Organizations that pay ransoms often face higher total costs than those who recover through other means
Risk of Repeat Attacks: Studies show that nearly 80% of ransom-paying victims are targeted again, often by the same criminals who now have intimate knowledge of their systems
Ethical Problems: Each payment directly finances criminal enterprises, funds development of more sophisticated attack tools, potentially supports terrorism, and perpetuates a destructive cycle
The Limitations of Cyber Insurance
Cyber insurance provides partial financial assistance for ransomware attacks and breaches, but it often excludes the major costs mentioned above, such as lost revenue, regulatory fines, and reputational damage. Coverage may be denied for security negligence or contain strict exclusions, leading to legal disputes. Insurance payouts also do nothing to help affected patients or to restore their broken trust in the organization.
Rather than replacing security measures, the insurance industry is promoting cyber resilience by requiring protective measures like immutable backups, endpoint detection and response (EDR), and multi-factor authentication (MFA)—acknowledging that preventing incidents and enabling rapid recovery benefits both organizations and insurers by reducing criminal funding and future claims.
The Need for Cyber Resilience
The true path to safety lies not in reactive payments or insurance, but in fundamentally shifting our mindset from solely preventing attacks to building the capacity to withstand and rapidly recover from them. This, in essence, is cyber resilience.
Cyber resilience in healthcare requires:
Early detection of suspicious activity through continual, automated threat monitoring
Immutable backups that cannot be damaged or disabled by attackers
Rapid recovery automation for systems critical to continuity of care
Regular, automated testing of recovery procedures
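The last three requirements are easiest to make concrete together: a backup is only "immutable" if any tampering with it is detectable, and a recovery procedure is only tested if a restore is actually performed and checked against a trusted record. The following script is an added example, not code from the original article. It assumes a backup set represented as named objects with a SHA-256 manifest authenticated by an HMAC key kept outside the backup system; all object names, sample data, and the key are constructed placeholders.

```python
"""Automated restore drill for an immutable backup set (constructed example).

Assumptions (not from the original article): backups are a set of named
objects plus a manifest of SHA-256 digests; the manifest is authenticated
with an HMAC key held outside the backup system, so an attacker who can
rewrite backup contents cannot also rewrite the manifest to match.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample backup set: logical object name -> contents.
SAMPLE_BACKUP = {
    "ehr/patients.db": b"patient-records-v1",
    "pacs/images.tar": b"imaging-archive-v1",
    "billing/claims.db": b"claims-ledger-v1",
}
# Systems the drill must prove restorable for continuity of care (constructed).
CRITICAL_SYSTEMS = ["ehr/patients.db", "billing/claims.db"]
# Placeholder key; in practice this lives in an offline or HSM-backed store.
MANIFEST_KEY = b"replace-with-key-from-offline-store"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a digest for every backup object and authenticate the record."""
    entries = {name: _digest(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the set is intact."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # The manifest itself was rewritten: nothing in the set can be trusted.
        return ["manifest MAC mismatch"]
    problems = []
    for name, digest in manifest["entries"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif _digest(files[name]) != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["entries"]:
            problems.append(f"unexpected object: {name}")
    return problems


def restore_drill(files: dict, manifest: dict, key: bytes, critical: list) -> dict:
    """Restore into a scratch directory and check that each critical system came back.

    'ok' is True only when the manifest verifies and every critical object was
    restored byte-for-byte; the report names anything that failed.
    """
    report = {"ok": False, "integrity": verify_manifest(files, manifest, key),
              "restored": [], "failed": []}
    if report["integrity"]:
        return report  # do not drill from a set that already failed verification
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        for name in critical:
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(files.get(name, b""))
            # Re-read what actually landed on disk rather than trusting the write.
            if name in files and _digest(target.read_bytes()) == manifest["entries"][name]:
                report["restored"].append(name)
            else:
                report["failed"].append(name)
    report["ok"] = not report["failed"]
    return report


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP, MANIFEST_KEY)
    print("clean drill:", restore_drill(SAMPLE_BACKUP, manifest, MANIFEST_KEY, CRITICAL_SYSTEMS))
    # Simulate an attacker encrypting one backup object in place.
    tampered = {**SAMPLE_BACKUP, "ehr/patients.db": b"\x00ENCRYPTED\x00"}
    print("tampered drill:", restore_drill(tampered, manifest, MANIFEST_KEY, CRITICAL_SYSTEMS))
```

Run on a schedule, a drill like this turns "we have backups" into "we restored the EHR and billing systems from backup last night and the contents matched." The manifest key deliberately sits outside the backup platform so that an attacker who gains control of the backup store can corrupt objects but cannot make the corruption look legitimate; a MAC mismatch is treated as a failed drill in its own right.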