In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion. The impacted organizations included:
- 103 federal, state and municipal governments and agencies.
- 759 healthcare providers.
- 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.
- Emergency patients had to be redirected to other hospitals.
- Medical records were inaccessible and, in some cases, permanently lost.
- Surgical procedures were canceled, tests were postponed and admissions halted.
- 911 services were interrupted.
- Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field.
- Police were locked out of background check systems and unable to access details about criminal histories or active warrants.
- Surveillance systems went offline.
- Badge scanners and building access systems ceased to work.
- Jail doors could not be remotely opened.
- Schools could not access data about students’ medications or allergies.
Other effects of the incidents included:
- Property transactions were halted.
- Utility bills could not be issued.
- Grants to nonprofits were delayed by months.
- Websites went offline.
- Online payment portals were inaccessible.
- Email and phone systems ceased to work.
- Driver’s licenses could not be issued or renewed.
- Payments to vendors were delayed.
- Schools closed.
- Students’ grades were lost.
- Tax payment deadlines had to be extended.
This report examines the cost and the causes of the incidents, discusses the courses of action that should be taken and breaks down the numbers by sector.
Due to the lack of publicly available data, it is not possible to accurately estimate the cost of these incidents. Perhaps the best indication of the potential cost comes from a statement made by Winnebago County’s Chief Information Officer, Gus Gentner, in September: “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.”
We cannot comment on the accuracy of that statement but, if correct, the combined cost of 2019’s ransomware incidents could be in excess of $7.5 billion. While we believe this overstates the actual costs – a small school district’s recovery expenses are unlikely to run to seven figures – it nonetheless provides an indication of the enormous financial impact of these incidents.
It should be noted that these incidents also had a broader economic impact. For example, in some instances, companies were unable to obtain the necessary permits and documentation to carry out certain work, disrupting and delaying their operations. Estimating these costs is beyond the scope of this report.