
Ransomware hits healthcare, critical services in January

Ransomware attacks against healthcare organizations in January reflect an increasing need for threat actors to adapt and get aggressive as defenders improve.

Ransomware in January was defined by a handful of major attacks, including multiple incidents involving healthcare.

New York Blood Center (NYBC), a major blood donation nonprofit with more than a dozen locations in New York state alone, said in a statement on its website that it detected suspicious activity Jan. 26 that was determined to be the result of a ransomware attack. Its parent organization, New York Blood Center Enterprises, said Jan. 29 that all of its locations -- including centers in states such as Nebraska, Connecticut and New Jersey -- were affected "to some extent."

"We took immediate steps to help contain the threat, and are working diligently with these experts to restore our systems as quickly and as safely as possible. Law enforcement has been notified," the statement read. "We understand the critical nature of our services, and the health of our communities remains our top priority. We remain in direct communication with our hospital partners and are implementing workarounds to help restore services and fulfill orders."

As a result of the attack, some appointments needed to be rescheduled. On Feb. 3, NYBC said it restored all blood collection, with the caveat that "some manual processes remain in place."

OneBlood, another blood donation organization, said last month in letters sent to victims that an attack it experienced last July led to the theft of names and Social Security Numbers. The attack was disclosed last month to regulators in Maine, Massachusetts and Vermont.

Also on the healthcare front, Maryland healthcare organization Frederick Health suffered a ransomware attack Jan. 27 that disrupted its IT systems. The incident has resulted in an increase in patients for at least one nearby hospital.

On a dedicated page for the ransomware response, Frederick Health stated that it took immediate steps to help contain the incident, that its facilities remain open to provide care, and that it is utilizing established backup processes to stay operational. However, the healthcare organization added, "there are certain delays in our services at this time."

Tom Kleinhanzl, president and CEO of Frederick Health, said in a Thursday statement published to the page that he was proud of the organization's team for its fast response.

"I am proud of our team at Frederick Health. They immediately pivoted to downtime procedures and continue to provide optimum care to patients in the community," Kleinhanzl wrote. "All of our facilities are open and operational with the exception of the Frederick Health Village Lab. Our Emergency Department is open to walk-ins and all EMS transports."

Another major attack came in Matagorda County, Texas, which warned of a network outage on Jan. 24 before formally confirming it suffered a cyberattack later that same day. The county said the outage was caused by a "virus," that the scope was still being determined, and that some limited but noncritical county services were partially affected. Matagorda County Judge Bobby Seiferman issued a declaration of disaster that afternoon.

"We are taking this incident very seriously and are working around the clock with cybersecurity professionals to fully secure our systems and ensure the protection of sensitive information," Seiferman said. "We understand the inconvenience this may cause and are committed to providing transparent updates as we continue to work through this challenge."

Also on Jan. 24, the Texas Tech University Health Sciences Center filed a data breach notification letter with Maine regarding a ransomware attack it suffered last year, with 533,874 individuals affected. The Matagorda attack was not explicitly described as ransomware, though references to a threat actor "impacting various departments and disrupting some operation" describe behavior typical of the attack category.

Though attacks on critical services are nothing new, recent cases of ransomware against healthcare, municipal and educational organizations occur against the backdrop of threat actors needing to adapt to a more challenging climate.

Although ransomware actors were busy last year, there are promising trends. Blockchain analysis firm Chainalysis said this week that it saw a 35% decrease in ransom payments in 2024 compared with the previous year. This is the first decrease seen since 2022, something researchers credited to increased law enforcement action and more victims refusing to pay. On the flip side, Chainalysis said improvements on the defender side have forced threat actors to adapt, often starting negotiations within hours of exfiltrating data.

Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, told Informa TechTarget that regardless of the present moment, ransomware actors targeting healthcare and the like is "business as usual."

"At the end of the day, ransomware actors are opportunistic, and as enterprises over the last few years have bolstered their security practices, it has left smaller and less equipped entities an easier target," Burns Koven said. "Our analysis of the distribution of ransom payment sizes suggests there is still a variety of entities being targeted, and sadly going after healthcare and nonprofits is business as usual for ransomware."

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.
