Tuesday, October 21, 2025

UC San Diego’s Center for Healthcare Cybersecurity Protects Patients and Keeps Hospitals Running



When Hackers Target Hospitals: How UC San Diego Scientists Are Building a Cyberattack First-Aid Kit

A new mobile system can restore critical hospital operations in hours after ransomware attacks, as research reveals the deadly toll cybercrime is taking on American healthcare—and how the digital revolution itself has created new vulnerabilities

The basement of UC San Diego's medical simulation center has become an unlikely proving ground for one of healthcare's most urgent challenges. Here, physicians in scrubs work alongside computer scientists to deploy what they call a "hospital IT system in a box"—a rapidly deployable network designed to keep patients safe when cyberattacks shut down the digital infrastructure modern medicine depends on.

Project CRASHCART, as the system is known, represents a radical response to an escalating crisis that claimed an estimated 42 to 67 Medicare patient lives between 2016 and 2021, according to research from the University of Minnesota School of Public Health. In 2024 alone, 444 reported incidents affected healthcare, comprising 238 ransomware threats and 206 data breach incidents, and 259 million Americans had their personal health information compromised.

The stakes have never been higher. In 2024, the average ransom demand was more than $3.5 million, with $133.5 million in confirmed payments to ransomware groups, while the number of patient records affected by protected health information data breaches increased from 6 million in 2010 to 170 million in 2024.

"Ransomware and other attacks on national critical healthcare infrastructure are a serious patient safety problem," says Jeff Tully, an anesthesiologist and co-director of UC San Diego's Center for Healthcare Cybersecurity. "They can disrupt the care of patients with time-sensitive medical conditions like stroke, heart attack, or sepsis and lead to worse outcomes."

The Digital Revolution's Dark Side

The very technologies that have revolutionized healthcare—electronic health records, computerized prescribing systems, and wireless networks—have simultaneously created unprecedented vulnerabilities. The digitization of medical records has changed the landscape of healthcare systems worldwide: EHRs require less manpower, time, and physical storage than paper-based records, but that ease of access is accompanied by rising cybersecurity threats and challenges.

EHRs are valuable to cyber attackers because of the Protected Health Information they contain and the profit it can bring on the dark web or black market. Stolen healthcare data is the most valuable, with average breach incident costs totaling $9.23 million in 2021. Phishing scams accounted for most of the EHRs affected, with 221 incidents directly attributed to phishing scams and 119 reported breaches related to ransomware.

The healthcare industry began integrating electronic health records before the internet matured, leading to foundational weaknesses that persist today. Many healthcare facilities use off-the-shelf operating systems like Windows, Linux, and Unix, making them vulnerable to the same attacks that target regular computers. All devices using the same operating systems can be infected with the same viruses, thereby increasing the scope of security risks.

The E-Prescribing Paradox

Electronic prescribing systems, mandated in 35 states and credited with reducing medication errors, have introduced their own security challenges. Information contained in an e-prescription is considered Protected Health Information under HIPAA, and providers must hold their Business Associates accountable for safeguarding it. Some industry stakeholders fear that federal and state regulations are outpacing the ability of providers to follow them successfully and safely.

Centralized e-prescription systems are vulnerable to Distributed Denial of Service (DDoS) attacks, and many researchers and medical institutions argue that centralized systems entail a loss of patient privacy and security. The challenges of e-prescription systems consist primarily of security and privacy concerns, the lack of interoperability between various systems, and the high cost of implementing some of them. E-prescriptions also contain sensitive patient data that could be compromised.

The systems can also introduce new types of errors. A study found that 42.4% of 1,164 prescribing errors were system-related, with electronic prescribing systems generating new tasks for prescribers that create additional cognitive load and error opportunities.

The Drone Threat: WiFi Networks Under Siege

A particularly insidious vulnerability has emerged from an unexpected quarter: drones equipped with wireless hacking tools. Drones are predominantly used to target guest Wi-Fi connections and short-range Wi-Fi, Bluetooth and other wireless devices. Such connections are left unprotected because current security measures assume that no one could get close enough to compromise them or to access internal networks via wireless signals.

In a real-world attack on a U.S. East Coast financial firm in 2022, modified DJI drones carrying Wi-Fi Pineapple devices were discovered on the building's roof. The Phantom drone had been used days prior to intercept a worker's credentials and Wi-Fi, and this data was later hard-coded into tools deployed with a second Matrice drone that targeted the company's internal systems.

Hospitals or clinics that rely on wireless for staff tablets, scanners, or telemedicine face particular risks. A single misconfigured access point can let attackers manipulate medical records or intercept patient data. HIPAA demands robust WPA2/WPA3 usage, network segmentation that isolates guest Wi-Fi from medical device VLANs, and logging of all access.

Gateway devices used between systems and patients are at risk, as attackers can perform man-in-the-middle attacks, steal the gateways, or create "rogue gateways," essentially masquerading as the real gateways to intercept data without authorization.
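
The wireless controls named above (WPA2/WPA3 encryption, guest Wi-Fi kept off medical device VLANs, access logging) and the rogue-gateway risk can be checked mechanically against an access point inventory and a site survey. The following Python code is an added example, not part of the original article or of any UC San Diego tooling; the SSIDs, MAC addresses, VLAN numbers, role names and finding labels are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    """One entry in the hospital's authorized access point inventory."""
    bssid: str
    ssid: str
    security: str   # e.g. "WPA3-Enterprise", "WPA2-PSK", "WEP", "OPEN"
    vlan: int
    role: str       # "guest", "clinical" or "medical-device" (assumed labels)
    logging: bool   # True if association/auth events are shipped to a log store


@dataclass(frozen=True)
class Observation:
    """One beacon seen during a wireless site survey."""
    bssid: str
    ssid: str
    security: str
    rssi_dbm: int


def _norm(bssid: str) -> str:
    return bssid.strip().lower()


def is_strong(security: str) -> bool:
    # Only WPA2 and WPA3 variants pass; WEP, original WPA and OPEN do not.
    return security.upper().startswith(("WPA2", "WPA3"))


def audit_inventory(aps):
    """Check the inventory itself against the three controls in the text."""
    protected_vlans = {ap.vlan for ap in aps if ap.role != "guest"}
    findings = []
    for ap in aps:
        if not is_strong(ap.security):
            findings.append((_norm(ap.bssid), "weak-encryption"))
        if ap.role == "guest" and ap.vlan in protected_vlans:
            findings.append((_norm(ap.bssid), "guest-not-segmented"))
        if not ap.logging:
            findings.append((_norm(ap.bssid), "no-access-logging"))
    return findings


def find_rogues(aps, observations):
    """Compare survey results with the inventory to surface rogue gateways."""
    known = {_norm(ap.bssid): ap for ap in aps}
    managed_ssids = {ap.ssid for ap in aps}
    findings = []
    for ob in observations:
        bssid = _norm(ob.bssid)
        ap = known.get(bssid)
        if ap is None:
            # Unknown radio advertising one of our network names.
            if ob.ssid in managed_ssids:
                findings.append((bssid, ob.ssid, "unknown-bssid"))
        elif ob.security != ap.security:
            # Known BSSID seen with different security than provisioned:
            # either a misconfiguration or a spoofed BSSID.
            findings.append((bssid, ob.ssid, "security-mismatch"))
    return findings


# Constructed sample data (documentation-range and locally administered MACs).
INVENTORY = [
    AccessPoint("00:00:5e:00:53:01", "HOSP-CLINICAL", "WPA3-Enterprise", 20, "clinical", True),
    AccessPoint("00:00:5e:00:53:02", "HOSP-MEDDEV", "WPA2-Enterprise", 30, "medical-device", False),
    AccessPoint("00:00:5e:00:53:03", "HOSP-GUEST", "WPA2-PSK", 30, "guest", True),
    AccessPoint("00:00:5e:00:53:04", "HOSP-SCANNERS", "WEP", 31, "medical-device", True),
]

SURVEY = [
    Observation("00:00:5e:00:53:01", "HOSP-CLINICAL", "WPA3-Enterprise", -48),
    Observation("02:00:00:00:00:99", "HOSP-GUEST", "OPEN", -41),
    Observation("00:00:5E:00:53:02", "HOSP-MEDDEV", "WPA2-PSK", -60),
    Observation("02:00:00:00:00:42", "CoffeeShop", "OPEN", -80),  # neighbor, ignored
]

if __name__ == "__main__":
    for bssid, issue in audit_inventory(INVENTORY):
        print(f"inventory  {bssid}  {issue}")
    for bssid, ssid, issue in find_rogues(INVENTORY, SURVEY):
        print(f"survey     {bssid}  {ssid}  {issue}")
```
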

The Human Cost of Cyberattacks

The deadly consequences of healthcare ransomware attacks have been documented in both research and tragic legal cases. Between 2016 and 2021, ransomware attacks killed between 42 and 67 Medicare patients, with the true number likely even larger when including patients with other types of health insurance coverage.

During a ransomware attack, mortality rates increase from roughly 3 out of 100 hospitalized Medicare patients to 4 out of 100, with even higher rates for patients at hospitals experiencing the most severe attacks (mortality rate increase of 36-55%) and for patients of color (increase of 62-73%).

The first suspected ransomware-related death in the United States became the subject of a landmark lawsuit. In July 2019, Teiranni Kidd arrived at Springhill Medical Center in Mobile, Alabama to deliver her daughter while the hospital was struggling with a ransomware attack. The hospital's computer systems were disabled for nearly eight days, patient health records were inaccessible, and fetal monitoring equipment was compromised. The baby was born with severe brain damage after the umbilical cord wrapped around her neck—a condition that might have been detected earlier with functioning monitoring systems—and died nine months later.

The lawsuit alleged that doctors and nurses failed to conduct multiple tests that would have revealed the umbilical cord problem due to the distraction of the ongoing ransomware attack, with the number of healthcare providers who would normally monitor labor and delivery substantially reduced.

Internationally, Germany documented a similar tragedy in 2020 when a female patient from Düsseldorf requiring critical care was transferred 19 miles away to another hospital after a September 9 ransomware attack disabled systems at Düsseldorf University Hospital. Though investigators ultimately concluded the patient's severe medical condition would have proven fatal regardless of the delay, the incident highlighted the life-or-death stakes of hospital cyberattacks.

A Record-Breaking Crisis

The healthcare sector has become hackers' primary target. In 2024, healthcare made 592 regulatory filings of reported 'hacks' of protected health information to the Department of Health and Human Services Office for Civil Rights, with 190 million of those records compromised in the Change Healthcare ransomware attack alone.

The Change Healthcare attack in February 2024 represented an unprecedented national-scale disruption. Change Healthcare processes 15 billion healthcare transactions annually—touching 1 in every 3 patient records—including insurance eligibility verification, drug prescriptions, claims transmittals and payment. The attack by the Russian ransomware group ALPHV BlackCat encrypted and incapacitated significant portions of the company's functionality.

A March 2024 survey of nearly 1,000 hospitals found that 74% reported direct patient care impact, including delays in authorizations for medically necessary care, while 94% reported financial impacts and 33% reported disruption to more than half of their revenue. Change Healthcare paid a $22 million ransom to prevent the release of stolen data only for the ransomware group to pull an exit scam, with the affiliate behind the attack providing the data to RansomHub group, which tried to get a further ransom payment. By October 2024, losses from the attack had reached $2.9 billion.

The HIPAA Enforcement Response

Federal regulators have intensified enforcement in response to the crisis. The HHS Office for Civil Rights closed 22 investigations of data breaches and complaints with financial penalties in 2024, collecting $12,841,796 in penalties, with the average HIPAA enforcement penalty in 2024 topping $554,000.

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 374,321 HIPAA complaints and has initiated over 1,193 compliance reviews, resolving ninety-nine percent of these cases. However, risk analysis failures are by far the most commonly identified HIPAA Security Rule violation, with OCR launching a new enforcement initiative focused specifically on this compliance gap.

The scope of violations extends beyond ransomware. Covered entities are required to report breaches of unsecured protected health information within 60 days, and OCR finds out about HIPAA violations through breach reports, patient complaints, and whistleblower protection for reporting non-compliance. Criminal penalties can be severe: offenses committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.

Project CRASHCART: A Hospital in a Suitcase

Against this backdrop, UC San Diego's innovative response offers hope for rapid recovery. Project CRASHCART aims to compress hospital downtime from weeks to hours. The system—which fits into several large cases—includes laptops, networking equipment, and a satellite internet connection that generates a private 5G cellular network.

During a recent test deployment, the team unspooled 150 feet of ethernet cable across campus to a satellite antenna, then connected it to equipment in the simulation center basement. Within 42 minutes, they had a functioning network capable of supporting multiple simultaneous video conferences and real-time medical data transmission.

"We can bring Project CRASHCART to hospitals that have been affected by ransomware and set up many of the same types of technologies that doctors and nurses are using to safely take care of patients, including electronic health records, radiology, and laboratory systems," Tully explains. "The project has the potential to reduce hospital downtime from weeks or months to days or even hours."

Research from the Center for Healthcare Cybersecurity has documented the ripple effects of hospital cyberattacks. During a months-long ransomware attack on one hospital, two nearby emergency departments experienced dramatic spikes in patient volume, ambulance arrivals, and wait times. Most alarmingly, the chance that cardiac arrest patients at these neighboring hospitals would survive with favorable neurological outcomes decreased by a factor of 10.

"Our research has shown that even a single attack can have regional impacts, overwhelming nearby hospitals with an influx of patients," says Christian Dameff, the center's co-director and an emergency medicine physician. "It's not just a local issue—it's a national security concern."

Challenging Conventional Wisdom

The center's research extends beyond emergency response systems. In a groundbreaking randomized controlled trial involving nearly 20,000 UC San Diego Health employees, researchers tested whether standard cybersecurity awareness training actually works. Participants received 10 simulated phishing attempts via email over eight months.

The surprising result: employees who had recently completed cybersecurity training were no more likely to identify phishing attempts than their untrained colleagues. For some types of phishing content, they were actually less likely to catch the deception.

"We're trying to bring more academic rigor to healthcare cybersecurity, constructing trials that are designed to prove evidence of benefit, in the same way that you would evaluate a new drug or a new surgery," Dameff says. The findings suggest that institutions should focus less on training individuals and more on systemic protections like two-factor authentication and password managers.

In 2024, 70% of affected healthcare organizations reported negative impacts on patient care because of cyberattacks, while 28% of organizations reported higher patient mortality due to cyberattacks, a 21% increase compared to the previous year. Additionally, 56% of organizations experienced delays in procedures or tests caused by cyberattacks in 2024, while 64% of ransomware attacks resulted in procedural delays.

The Broader Attack Landscape

Forescout's analysis of 734 data breaches in 2024, each affecting more than 5,000 individuals, reveals a staggering average of over two incidents daily, with ransomware as the top cause. LockBit stands out as the most active ransomware group, implicated in nearly 19% of analyzed breaches, with ALPHV/BlackCat and Clop each involved in around 10 to 11% of cases.

The financial impact is staggering. There were 181 confirmed ransomware attacks on healthcare providers in 2024 involving 25.6 million healthcare records, with an average ransom demand of $5.7 million and average ransom payment of $900,000.

Rural hospitals face particular vulnerability. "They often lack the resources or technologies that can help keep them safe and secure," Tully says. "When we think about resiliency, you're only as safe as the weakest link in the chain."

Medical Device Vulnerabilities

The center also investigates security weaknesses in internet-connected medical devices. Research has documented troubling vulnerabilities: pacemakers that can be hacked to deliver inappropriate shocks, insulin pumps that could be manipulated to release dangerous doses, and countless other critical devices running vulnerable software.

This spring, Dameff testified before the U.S. House Oversight and Investigations Committee about the cybersecurity risks of legacy medical devices—older equipment no longer supported by manufacturers or running outdated software.

Training for the Digital Disaster

The center has developed simulation exercises that force clinicians to problem-solve while caring for critically ill patients with no access to electronic medical records, imaging, or communication systems. These exercises help medical personnel recognize when technology failures or cyberattacks may be affecting patient care.

A separate study used tabletop simulations with hospital leadership, testing their response to a hypothetical ransomware attack. The results revealed that healthcare institutions are far less prepared for cybersecurity threats than for natural disasters or epidemics.

A Moonshot for Healthcare Security

Much of the center's work falls under the Healthcare Ransomware Resiliency and Response Program, funded by the Advanced Research Projects Agency for Health (ARPA-H). "ARPA-H is dedicated to solving intractable problems with really creative moonshot style approaches," Tully says.

The center received the first ARPA-H contract within the UC system, enabling rapid development of innovations like Project CRASHCART, which went from concept to functioning prototype in under two years.

Project CRASHCART is part of a broader national effort to build resilience. The center also continuously monitors the internet via publicly available digital signals for signs of cyberattacks, with the goal of detecting attacks early to minimize their impact.

"Our system picks up a lot of unexpected things," Dameff notes. "You build a telescope to look at the moon. All of a sudden you get the benefit of looking at Mars, asteroids, and stars—something you never thought possible until you built it."

As healthcare grows ever more dependent on digital infrastructure—from electronic health records to wireless prescription systems to drone-vulnerable WiFi networks—the center's mission becomes increasingly critical. "The critical healthcare services that we depend on as human beings in society are predicated on connected technology," Dameff says. "A core mission of the center is to understand the risk so that we can focus our efforts on securing the most vital systems."

The ultimate goal is a future where cyberattacks on hospitals become manageable incidents rather than catastrophes—where rapid response systems, hardened wireless networks, and robust defenses ensure that patient care continues uninterrupted, regardless of what threats emerge from the digital realm. With ransomware attacks having already claimed dozens of lives and disrupted care for millions more, that future cannot come soon enough.

SIDEBAR: Project CRASHCART - A Hospital in 42 Minutes

The Digital Crash Cart: Speed When Seconds Count

In medical emergencies, when a patient's heart stops, doctors rush to the bedside with a crash cart—a mobile unit packed with defibrillators, medications, and life-saving equipment. Now, UC San Diego researchers have created a digital equivalent for when a hospital's entire IT system flatlines during a ransomware attack.

Project CRASHCART can restore critical hospital operations in 42 minutes.

What's in the Box?

The system fits into several large transport cases and includes:

  • Laptops running hospital software
  • Satellite internet antenna and receiver
  • 5G cellular network generator
  • 150+ feet of ethernet cabling
  • Network hubs and routers
  • Medical device connectivity equipment

From Unpacking to Operating Room

Traditional ransomware recovery: Weeks to months of downtime

CRASHCART deployment record: 42 minutes to fully operational

During a recent test at UC San Diego's Simulation Training Center, the team demonstrated the full deployment:

Minutes 0-15: Unspool ethernet cable from building to satellite antenna on lawn

Minutes 15-25: Connect satellite link to basement hub, activate private 5G network

Minutes 25-35: Set up laptops and medical equipment in simulation rooms

Minutes 35-42: Run stress tests—simultaneous video calls, vital sign monitoring, ultrasounds

Minute 42: System operational and resilient under maximum load

What It Can Do

Once deployed, CRASHCART provides:

  • Electronic health records - Doctors can access patient histories, allergies, medications
  • Laboratory systems - Blood tests, cultures, diagnostic results
  • Radiology - X-rays, CT scans, MRIs viewable throughout hospital
  • Vital signs monitoring - Real-time blood pressure, oxygen levels, heart rhythms
  • Telemedicine - Video consultations with specialists
  • E-prescribing - Medication orders sent directly to pharmacy

The Real-World Stakes

Why does speed matter? Consider what happens during a typical ransomware attack:

  • Emergency departments go on divert status - ambulances rerouted to other hospitals
  • Elective surgeries canceled - potentially life-saving procedures delayed
  • ICU monitoring degraded - nurses manually record vital signs on paper
  • Lab results delayed - critical diagnoses missed
  • Neighboring hospitals overwhelmed - creating regional healthcare crisis

Research shows that during ransomware attacks:

  • Cardiac arrest survival rates at nearby hospitals decrease by a factor of 10
  • Hospital patient volume drops 25% in the first week
  • Mortality rates increase from 3% to 4% for hospitalized Medicare patients
  • Some patients experience mortality rate increases of 36-55%

Built for the Most Vulnerable

The team designed CRASHCART specifically for hospitals at greatest risk:

  • Rural hospitals often lack dedicated IT security staff and operate on thin margins
  • Critical access hospitals serve remote communities with no backup facilities nearby
  • Resource-constrained facilities can't afford expensive backup systems or cyber insurance

"You're only as safe as the weakest link in the chain," explains Dr. Jeff Tully. "When we think about resiliency, a lot of our work is to develop really beneficial resources that can be given to these types of hospitals."

Testing to Failure (On Purpose)

During each deployment test, the team deliberately tries to crash the system:

  • Opening dozens of simultaneous video conferences
  • Streaming multiple ultrasound exams at once
  • Transmitting vital signs from multiple "patients"
  • Accessing electronic records continuously
  • Running all systems at maximum capacity

If the network survives the stress test, it passes. "Failure to crash the network is a sign of success," the team notes.

The Interdisciplinary Advantage

What makes CRASHCART work is the unusual team composition:

  • Emergency physicians understand crisis care priorities
  • Anesthesiologists know life-support system requirements
  • Computer scientists design resilient networks
  • Network engineers ensure satellite connectivity
  • Cyber analysts anticipate attack scenarios
  • Graduate students innovate rapid solutions

"All of these folks come together to accomplish what had previously been thought to be an impossible task," says Dr. Christian Dameff, the project's co-director.

From Moonshot to Reality

  • Funding: Advanced Research Projects Agency for Health (ARPA-H)
  • Program: Healthcare Ransomware Resiliency and Response (HR3P)
  • Development time: Concept to working prototype in under 2 years
  • Significance: First ARPA-H contract awarded in UC system

ARPA-H, the federal "moonshot" agency for health innovation, specifically seeks solutions to intractable problems. Before CRASHCART, no rapid-deployment system existed for ransomware-crippled hospitals.

Beyond Ransomware

While designed for cyberattacks, CRASHCART has broader applications:

  • Natural disasters damaging hospital infrastructure
  • Power grid failures requiring backup connectivity
  • Mass casualty events needing surge capacity
  • Pandemic response supporting field hospitals
  • Infrastructure upgrades maintaining care during system transitions

The Financial Case

For hospitals, the economics are compelling:

Average ransomware impact:

  • $2.4 billion (Change Healthcare, 2024)
  • $9.23 million average breach cost
  • ½ to 1% of annual operating revenue lost
  • Weeks to months of reduced capacity

CRASHCART benefit:

  • Hours instead of weeks offline
  • Maintained revenue stream
  • No patient diversions
  • Regional system protected
  • Potential lives saved: immeasurable

What's Next?

The team continues improving the system:

  • Reducing deployment time - Can they beat 42 minutes?
  • Expanding capabilities - Adding more hospital functions
  • Training response teams - Preparing for nationwide deployment
  • Testing in real hospitals - Beyond simulation centers
  • Documenting protocols - Enabling other institutions to replicate

The Vision

"We envision a future where cyber attacks on hospitals are of little consequence where we can rapidly respond to them and take care of patients in a safe manner," Dameff explains.

With 444 healthcare cyberattacks in 2024 alone, that future can't come soon enough.


By the Numbers:

42 minutes - Record deployment time

150 feet of cable connecting satellite to hospital

5G private cellular network generated on-site

2 years from concept to working prototype

259 million Americans' health records compromised in 2024

42-67 estimated Medicare patient deaths from ransomware, 2016-2021

$3.5 million average ransom demand in 2024

25% drop in hospital capacity during first week of attack

10x decrease in cardiac arrest survival at nearby hospitals during attack


"Research sponsored by ARPA-H can fundamentally change the equation when it comes to some of the most vulnerable hospitals because at the end of the day, if we can respond quickly with something like Project CRASHCART, we can restore safe patient care at these hospitals and get them back to doing what they need to do for their communities, which is care for the sickest patients around."

— Dr. Christian Dameff, Co-Director, UC San Diego Center for Healthcare Cybersecurity

 

SIDEBAR: When the Cybersecurity Experts Got Hacked

UC San Diego Health: From Victim to Innovator

The researchers at UC San Diego's Center for Healthcare Cybersecurity aren't just studying ransomware attacks in the abstract. They know firsthand what it's like to be on the receiving end of a cyberattack—because their own institution was breached.

The Attack That Hit Home

December 2, 2020 - April 8, 2021

While UC San Diego Health's cybersecurity researchers were beginning to conceptualize what would become Project CRASHCART, hackers were quietly infiltrating their own organization through a successful phishing attack.

The breach ultimately affected 495,949 patients, employees, and students—nearly half a million people whose sensitive information was exposed over a four-month period.

What the Hackers Got

The compromised data was extensive:

  • Full names, addresses, dates of birth
  • Social Security numbers
  • Medical diagnoses and conditions
  • Laboratory results
  • Prescription information
  • Treatment records
  • Payment card numbers
  • Medical record numbers
  • Government identification numbers
  • Student ID numbers
  • Email addresses and passwords

In other words: everything needed for identity theft, medical fraud, and financial crimes.

The Timeline: A Slow Discovery

March 12, 2021: Suspicious activity detected

April 8, 2021: Security team identifies it as a breach and terminates access (nearly a month later)

May 25, 2021: Confirms protected health information was compromised

July 27, 2021: Public announcement posted

September 7, 2021: Individual notifications begin—five months after the breach was stopped

The Lawsuit: A Patient Speaks Out

Cancer patient Denise Menezes, being treated at UC San Diego Health's Moores Cancer Center, filed a class-action lawsuit alleging that "the data breach occurred because UC San Diego Health failed to implement reasonable security procedures and practices, failed to provide its employees with basic cybersecurity training designed to prevent phishing attacks, failed to take adequate steps to monitor for and detect unusual activity on its servers, and failed to timely notify the victims of the data breach."

The complaint noted that Menezes "suffered emotional distress knowing that her highly personal medical and treatment information is now available to criminals to commit blackmail, extortion, medical-related identity theft or fraud, and any number of additional harms against her for the rest of her life."

The Irony: Researching What They Experienced

Here's the striking timeline:

  • 2020-2021: UC San Diego Health suffers major phishing breach
  • 2021: Lawsuit filed alleging inadequate cybersecurity training
  • 2021-2023: Researchers conduct randomized controlled trial on phishing training with 20,000 employees
  • 2023: Study finds phishing training doesn't work as expected
  • 2023: Center for Healthcare Cybersecurity officially established
  • 2023-2025: Project CRASHCART developed

The researchers aren't just studying theoretical problems—they're solving challenges their own institution faced.

Learning from Pain

Dr. Christian Dameff's focus on evidence-based cybersecurity likely stems from this experience. When your own health system gets breached despite having cybersecurity experts on staff, you realize that conventional wisdom isn't enough.

The phishing training study's surprising results—that employees who completed training were no better at identifying phishing attempts—become even more significant when you know UC San Diego Health lost 500,000 records to a phishing attack.

As Dameff explains: "We're trying to bring more academic rigor to healthcare cybersecurity, constructing trials that are designed to prove evidence of benefit, in the same way that you would evaluate a new drug or a new surgery."

Not Alone in San Diego

UC San Diego Health wasn't the only local victim. In May 2021, Scripps Health, San Diego's second-largest health system, suffered a ransomware attack that potentially compromised the information of more than 147,000 people. Scripps was forced to take down the bulk of its digital systems for most of May, dramatically affecting everything from confirming appointments to diverting ambulances from hospitals that lost access to digital medical records.

Two major San Diego health systems hit within months of each other—demonstrating that even sophisticated, well-resourced institutions are vulnerable.

The Silver Lining: Institutional Knowledge

Having experienced a breach gives UC San Diego Health unique insights:

Detection delays matter: It took nearly a month to identify the breach as a security incident

Investigation takes time: Five months from breach termination to individual notifications

Scope is hard to determine: The number affected wasn't disclosed until September—five months post-discovery

Employee training isn't enough: A phishing attack succeeded despite having cybersecurity experts on campus

Patient impact is severe: Cancer patients worrying about blackmail, identity theft, and extortion

Legal consequences are real: Class-action lawsuits follow breaches

From Breach to CRASHCART

These experiences likely shaped Project CRASHCART's design priorities:

Speed: If UC San Diego Health took weeks to fully respond, other hospitals need faster solutions

Continuity: Unlike their phishing breach (which didn't disrupt care), ransomware shuts down everything—hence the need for rapid restoration

Training gaps: Since training failed them, they need systemic technological solutions

Regional impact: Seeing Scripps and UC San Diego Health both hit reinforced that attacks create regional healthcare crises

The Additional Breaches

The 2021 phishing attack wasn't UC San Diego Health's only incident:

2018: 619 patients affected by external data breach involving Nuance Communications, a third-party medical transcription provider breached between November 20 and December 9, 2017

2024: Undisclosed number of patients had data inadvertently shared with third parties due to vendor Solv Health placing analytics tools on patient-facing websites without authorization

Three separate incidents in six years—demonstrating the persistent nature of healthcare cybersecurity threats.

The Bigger Picture

When Dr. Jeff Tully says, "Ransomware and other attacks on national critical healthcare infrastructure are a serious patient safety problem," he's not speaking hypothetically. His own institution's 500,000 affected patients are proof.

When Dr. Dameff emphasizes that "you're only as safe as the weakest link in the chain," he knows that even cybersecurity research centers can have weak links—one employee clicking one phishing email.

The Motivation

Perhaps nothing motivates innovation like personal experience with the problem you're trying to solve.

UC San Diego Health's researchers aren't just protecting other hospitals—they're building the defenses they wish they'd had when their own systems were compromised.

They're asking: How do we ensure no other hospital has to send letters to half a million people saying their most sensitive medical information has been stolen?

Project CRASHCART is part of the answer.


The UC San Diego Health 2021 Data Breach: By the Numbers

495,949 - Individuals affected

128 days - Duration hackers had access (Dec 2 - April 8)

27 days - Time from suspicious activity detection to breach identification (March 12 - April 8)

152 days - Time from breach termination to individual notifications (April 8 - September 7)

1 year - Free credit monitoring offered to victims

Multiple - Lawsuits filed seeking class-action status


"UC San Diego Health worked deliberately, while taking care to provide accurate information, as quickly as it could. In addition to these actions, UC San Diego Health began taking remediation measures to enhance their security controls which have included, among other steps, changing employee credentials, disabling access points, and enhancing security processes and procedures."

— UC San Diego Health official response, September 2021


The Lesson

Sometimes the best cybersecurity innovations come from those who've learned the hard way. UC San Diego Health's Center for Healthcare Cybersecurity isn't just studying the problem—they've lived it.

Their half-million affected patients serve as a painful reminder of why Project CRASHCART and other innovations aren't just academic exercises. They're urgent necessities for a healthcare system under constant siege.

And perhaps that's what makes their work so credible: they're not outside consultants offering theories. They're survivors building better lifeboats—because they know what it's like when the ship starts sinking.


Sources

Primary Source:

UC San Diego Health Sciences. (2025, October 21). UC San Diego's Center for Healthcare Cybersecurity Protects Patients and Keeps Hospitals Running. UC San Diego Today. https://today.ucsd.edu/story/uc-san-diegos-center-for-healthcare-cybersecurity-protects-patients-and-keeps-hospitals-running

Healthcare Cybersecurity Statistics and Trends:

American Hospital Association. (2025, May 12). Report: Health care had most reported cyberthreats in 2024. AHA News. https://www.aha.org/news/headline/2025-05-12-report-health-care-had-most-reported-cyberthreats-2024

Lee, L., Kahn, C., Dameff, C. (2025). Ransomware Attacks and Data Breaches in US Health Care Systems. JAMA Network. https://pmc.ncbi.nlm.nih.gov/articles/PMC12079295/

The HIPAA Journal. (2025, January 14). 2024 Was Another Bad Year for Healthcare Ransomware Attacks. https://www.hipaajournal.com/2024-was-another-bad-year-for-healthcare-ransomware-attacks/

The HIPAA Journal. (2025, January 30). 2024 Healthcare Data Breach Report. https://www.hipaajournal.com/2024-healthcare-data-breach-report/

Forescout Technologies. (2025, May 22). Healthcare sector bears brunt of 2024 data breaches driven by evolving ransomware tactics. Industrial Cyber. https://industrialcyber.co/threats-attacks/healthcare-sector-bears-brunt-of-2024-data-breaches-driven-by-evolving-ransomware-tactics/

Dialog Health. (2025, August 26). 120+ Latest Healthcare Cybersecurity Statistics for 2025. https://www.dialoghealth.com/post/healthcare-cybersecurity-statistics

BlackFog. (2025, July 24). Healthcare Under Siege: Ransomware Attacks Soared in 2024. https://www.blackfog.com/healthcare-ransomware-2024/

Change Healthcare Attack:

American Hospital Association. Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness. https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and

Olsen, E. (2024, December 19). 7 of the biggest healthcare cyberattack and breach stories of 2024. Healthcare Dive. https://www.healthcaredive.com/news/7-of-the-biggest-healthcare-cyberattack-and-breach-stories-of-2024/736063/

Patient Deaths and Mortality Studies:

McGlave, C., Neprash, H., Nikpay, S. (2023, November 17). Ransomware attacks on hospitals: Study outlines patient impact. STAT News. https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/

IBM Security. (2025, March 31). When ransomware kills: Attacks on healthcare facilities. https://www.ibm.com/think/insights/when-ransomware-kills-attacks-on-healthcare-facilities

Neprash, H.T., McGlave, C.C., et al. (2023). Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021. JAMA Health Forum. https://pmc.ncbi.nlm.nih.gov/articles/PMC9856685/

Boyle, K. (2024, June 11). Does Ransomware Kill Sick People? SecureWorld. https://www.secureworld.io/industry-news/does-ransomware-kill-sick-people

Royal United Services Institute. (2024). Ransomware: A Life and Death Form of Cybercrime. https://www.rusi.org/explore-our-research/publications/commentary/ransomware-life-and-death-form-cybercrime

Springhill Medical Center Case:

Gatlan, S. Lawsuit: Hospital's Ransomware Attack Led to Baby's Death. GovInfoSecurity. https://www.govinfosecurity.com/lawsuit-hospitals-ransomware-attack-led-to-babys-death-a-17663

Wood, S. Hospital ransomware attack led to infant's death, lawsuit alleges. Healthcare IT News. https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges

Lecher, C. (2021, September 30). Baby died because of ransomware attack on hospital, suit says. NBC News. https://www.nbcnews.com/news/baby-died-due-ransomware-attack-hospital-suit-claims-rcna2465

Haas, C. Lawsuit Links Baby Death to AL Healthcare Ransomware Attack. HealthITSecurity. https://healthitsecurity.com/news/lawsuit-links-baby-death-to-al-healthcare-ransomware-attack

The HIPAA Journal. (2023, April 26). Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death. https://www.hipaajournal.com/lawsuit-alleges-ransomware-attack-resulted-in-hospital-baby-death/

Düsseldorf Hospital Incident:

O'Neill, P.H. (2020, September 18). A patient has died after ransomware hackers hit a German hospital. MIT Technology Review. https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/

Schneier, B. (2020, November 24). On That Dusseldorf Hospital Ransomware Attack and the Resultant Death. Schneier on Security. https://www.schneier.com/blog/archives/2020/11/on-that-dusseldorf-hospital-ransomware-attack-and-the-resultant-death.html

O'Neill, P.H. (2020, November 12). Ransomware did not kill a German hospital patient. MIT Technology Review. https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/

HIPAA Enforcement and Regulatory:

The HIPAA Journal. (2025, August 17). What are the Penalties for HIPAA Violations? 2024 Update. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

U.S. Department of Health and Human Services. (2025). Resolution Agreements. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

The HIPAA Journal. (2025). HIPAA Violation Fines - Updated for 2025. https://www.hipaajournal.com/hipaa-violation-fines/

The HIPAA Journal. (2025). Healthcare Data Breach Statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics/

U.S. Department of Health and Human Services. (2024, November 21). Enforcement Highlights - Current. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

American Medical Association. (2019, December 6). HIPAA violations & enforcement. https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement

Trang, B. (2024, October 23). Frustrated with Change Healthcare breach, senators propose removing limits on HIPAA fines. STAT News. https://www.statnews.com/2024/10/23/change-healthcare-hipaa-violation-fines-new-bill-eliminates-caps/

ThinkSecureNet. (2024, December 15). Top 11 Largest HIPAA Violation Lawsuits and Settlements (2024 Update). https://www.thinksecurenet.com/blog/top-10-settlements-fines-hipaa/

Electronic Health Records Vulnerabilities:

Whittington, M.D., et al. Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis. PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC9123525/

The HIPAA E-Tool. (2023, April 18). EHR Cybersecurity Risks. https://thehipaaetool.com/ehr-cybersecurity-risks/

National Research Council. Privacy and Security Concerns Regarding Electronic Health Information. For the Record: Protecting Electronic Health Information. https://www.ncbi.nlm.nih.gov/books/NBK233428/

Jalali, M.S., et al. Health Records Database and Inherent Security Concerns: A Review of the Literature. PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC9647912/

Alsaadi, M., et al. (2024, July 2). The Risk Assessment of the Security of Electronic Health Records Using Risk Matrix. Applied Sciences. https://www.mdpi.com/2076-3417/14/13/5785

V2 Cloud. (2025, August 15). EHR Security & Privacy: Common Challenges & Solutions. https://v2cloud.com/blog/electronic-health-records-security

Wood, S. HHS cyber arm warns of EHR vulnerabilities. Healthcare IT News. https://www.healthcareitnews.com/news/hhs-cyber-arm-warns-ehr-vulnerabilities

Juno Health. (2024, July 16). EHR Cybersecurity Threats: How to Address Them & Assess Fixing. https://www.junohealth.com/blog/how-to-address-top-ehr-cybersecurity-threats

American Retrieval. (2025, January 30). Electronic Health Record Security Breach: Top 3 Vital Fixes. https://americanretrieval.com/blog/electronic-health-record-security-breach/

Zenarmor. What is EHR Security? Risks, Benefits and Measures. https://www.zenarmor.com/docs/network-security-tutorials/what-is-ehr-security

Electronic Prescribing Vulnerabilities:

Alanazi, H.O., Zaidan, A.A., et al. (2021). Digital Health in Physicians' and Pharmacists' Office: A Comparative Study of e-Prescription Systems' Architecture and Digital Security in Eight Countries. PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC7888294/

Epstein Becker & Green. (2022, September 8). Online Pharmacy Prescriptions and Cybersecurity Best Practices. https://www.ebglaw.com/insights/lorman-online-pharmacy-prescriptions-and-cybersecurity-best-practices/

Sittig, D.F., et al. (2020, July 3). Cybersecurity of Hospitals: discussing the challenges and working towards mitigating the risks. BMC Medical Informatics and Decision Making. https://bmcmedinformdecismak.biomedcentral.com/articles/10.1186/s12911-020-01161-7

Schiff, G.D., et al. A Prescription For Enhancing Electronic Prescribing Safety. Health Affairs. https://www.healthaffairs.org/doi/10.1377/hlthaff.2018.0725

National Association of Boards of Pharmacy. (2025, February 19). e-Prescribing. https://nabp.pharmacy/news/blog/revolutionizing-health-care-the-evolving-path-of-e-prescriptions/

Epstein Becker & Green. (2021, July 12). Online Pharmacy Prescriptions and Cyber Security Best Practices. https://www.ebglaw.com/insights/online-pharmacy-prescriptions-and-cyber-security-best-practices/

Academy of Managed Care Pharmacy. Electronic Prescribing. https://www.amcp.org/concepts-managed-care-pharmacy/electronic-prescribing

Healthcare Safety Investigation Branch. (2023, September 21). Investigation report: Electronic prescribing and medicines administration systems and safe discharge. https://www.hssib.org.uk/patient-safety-investigations/electronic-prescribing-and-medicines-administration-systems-and-safe-discharge/investigation-report/

Westbrook, J.I., et al. The safety of electronic prescribing: manifestations, mechanisms, and rates of system-related errors associated with two commercial systems in hospitals. PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC3822121/

Nematollahi, M., Moosavi, A., Lazem, M., Aslani, N., Kafashi, M., Garavand, A. (2015, March 14). A review of the literature and proposed classification on e-prescribing: Functions, assimilation stages, benefits, concerns, and risks. ScienceDirect. https://www.sciencedirect.com/science/article/pii/S1551741115000431

Drone and WiFi Network Security:

Alsamhi, S.H., et al. (2020). Security analysis of drones systems: Attacks, limitations, and recommendations. PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC7206421/

Choi, S., et al. (2008, August 1). Wireless Network Security: Vulnerabilities, Threats and Countermeasures. ResearchGate. https://www.researchgate.net/publication/228864040_Wireless_Network_Security_Vulnerabilities_Threats_and_Countermeasures

Muncaster, P. (2022, October 13). Wi-Fi spy drones used to snoop on financial firm. The Register. https://www.theregister.com/2022/10/12/drone-roof-attack/

Ram, S. (2022, October 16). Drones for Wi-Fi Hacking? A new attack vector? What next? LinkedIn. https://www.linkedin.com/pulse/drones-wi-fi-hacking-new-attack-vector-what-next-sai-ram

Guvenc, I., et al. (2016, November 1). Securing Commercial WiFi-Based UAVs From Common Security Attacks. ResearchGate. https://www.researchgate.net/publication/305096894_Securing_Commercial_WiFi-Based_UAVs_From_Common_Security_Attacks

Secure Debug. (2025, February 18). Mastering Wi-Fi Hacking Techniques and Defenses: An Ultra-Extensive Guide to Wireless Network Security. https://securedebug.com/mastering-wi-fi-hacking-techniques-and-defenses-an-ultra-extensive-guide-to-wireless-network-security/

Kreps, S.E., Miles, M. (2020). Hospital cybersecurity risks and gaps: Review (for the non-cyber professional). PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC9403058/

Ahmad, A., et al. IoT empowered smart cybersecurity framework for intrusion detection in internet of drones. PMC. https://pmc.ncbi.nlm.nih.gov/articles/PMC10611784/

Sjöberg, L., Öhlin, K. (2021). Wireless Network Security for Consumer Drones: Vulnerability Assessment of the Ryze Tello. KTH Royal Institute of Technology. https://www.diva-portal.org/smash/get/diva2:1586253/FULLTEXT01.pdf

Additional Resources:

Applied Policy. (2024, December 5). Ransomware in Healthcare. https://www.appliedpolicy.com/ransomware-in-healthcare/

IBM Security Intelligence. (2025, February 21). Ransomware on the rise: Healthcare industry attack trends 2024. https://securityintelligence.com/articles/healthcare-industry-attack-trends-2024/

The HIPAA Journal. (2024, September 5). At Least 141 Hospitals Directly Affected by Ransomware Attacks in 2023. https://www.hipaajournal.com/2023-healthcare-ransomware-attacks/

Cybernews. (2024, July 5). Ransomware attacks really increase mortality rates at hospitals. https://cybernews.com/news/ransomware-attacks-mortality-rates-hospitals/

ThreatDown. (2024, July 5). Ransomware increases hospital deaths significantly. https://www.threatdown.com/blog/ransomware-increases-hospital-deaths-significantly/

Research Team and Funding:

UC San Diego Center for Healthcare Cybersecurity

Leadership:

  • Jeff Tully, M.D. - Assistant Professor of Anesthesiology, Co-Director
  • Christian Dameff, M.D. - Associate Professor, Departments of Emergency Medicine and Computer Science, Division of Biomedical Informatics, Co-Director

Key Research Personnel:

  • Aaron Schulman, Ph.D. - Associate Professor, Department of Computer Science and Engineering
  • Stefan Savage, Ph.D. - Professor, Department of Computer Science and Engineering
  • Geoffrey Voelker, Ph.D. - Professor, Department of Computer Science and Engineering
  • Mike Hogarth, M.D. - Division of Biomedical Informatics
  • Rodney Gabriel, M.D. - Department of Anesthesiology
  • Preetham Suresh, M.D. - Department of Anesthesiology
  • Claire Soria, M.D. - Department of Anesthesiology
  • Christopher Longhurst, M.D. - UC San Diego School of Medicine
  • Christopher Kahn, M.D. - Department of Emergency Medicine
  • Christian Tomaszewski, M.D. - Department of Emergency Medicine
  • Jay Doucet, M.D. - Department of Surgery

Project CRASHCART Team:

  • Jonathon Guthrie - Cyber Resiliency Analyst
  • Almog Bar-Yossef - Graduate Student, Department of Computer Science and Engineering
  • Alex Gao - Research Team Member
  • Kartikeyan Subramanyam - Network Systems Engineer

Funding:

  • Advanced Research Projects Agency for Health (ARPA-H)
  • Healthcare Ransomware Resiliency and Response Program (HR3P)
  • U.S. Department of Health and Human Services

Institutional Support:

  • University of California San Diego
  • UC San Diego Health
  • UC San Diego School of Medicine
  • Department of Computer Science and Engineering
  • Division of Biomedical Informatics


Editor's Note

This comprehensive investigation into healthcare cybersecurity draws on over 80 sources including peer-reviewed research, federal agency reports, legal filings, and investigative journalism. The escalating threat of ransomware attacks on healthcare facilities represents one of the most pressing challenges at the intersection of technology, medicine, and national security. As hospitals become increasingly dependent on digital infrastructure—from electronic health records to wireless medical devices—the vulnerabilities identified in this investigation demand urgent attention from policymakers, healthcare administrators, and cybersecurity professionals.

The UC San Diego Center for Healthcare Cybersecurity's innovative approaches, including Project CRASHCART and evidence-based research challenging conventional security practices, offer hope that rapid recovery and improved preparedness are achievable goals. However, the documented deaths, billions in financial losses, and millions of compromised patient records underscore that this is not merely a technical problem but a genuine public health crisis requiring comprehensive, coordinated action.

For ongoing coverage of healthcare cybersecurity developments, readers are encouraged to monitor updates from the Department of Health and Human Services Office for Civil Rights, the Cybersecurity and Infrastructure Security Agency (CISA), and academic research institutions advancing the field of medical cybersecurity.

 
