Healthcare led every other critical infrastructure sector in FBI IC3 cybercrime complaints in 2024, with 444 reported incidents, 238 of them ransomware and 206 data breaches, according to the FBI's 2024 Internet Crime Report. That top ranking is not a coincidence; it is the predictable result of a sector that combines irreplaceable data (protected health information is worth multiples of a stolen credit card number on criminal markets), life-critical operational systems, and an organizational structure that spans everything from billion-dollar hospital networks to solo-practice physician offices running outdated software. When a hospital's electronic health record system goes offline, the pressure to restore operations is immediate and intense. Ransomware operators know this. They have priced the ransom accordingly.
TL;DR
- Healthcare led all critical infrastructure sectors with 444 IC3 complaints in 2024 (238 ransomware, 206 data breaches).
- The February 2024 Change Healthcare attack, carried out by ALPHV/BlackCat via a Citrix portal with no MFA, affected an estimated 190 million Americans and cost UnitedHealth over $1.5 billion.
- Healthcare has been the most expensive sector for data breaches for 14 consecutive years; the average breach cost was $9.77M in 2024.
- Breaches in healthcare take an average of 279 days to detect and contain.
- Organizations that involve law enforcement after a ransomware attack save nearly $1 million in breach costs compared to those that do not, per IBM research.
The February 2024 Change Healthcare attack is the defining case study of everything wrong with healthcare cybersecurity, compressed into a single incident. The ALPHV/BlackCat ransomware group gained initial access on February 12, 2024, by exploiting a Citrix remote-access portal that lacked multi-factor authentication. Nine days later, the attack encrypted critical systems at Change Healthcare, a UnitedHealth Group subsidiary that processes billing and claims for more than 900,000 physicians and 33,000 pharmacies across the U.S. Within weeks, 80% of physician practices reported losing revenue from unpaid claims and 60% faced challenges verifying patient eligibility, according to an American Medical Association survey. UnitedHealth confirmed it paid a ransom of approximately $22 million. The personal, health, and financial information of an estimated 190 million Americans was compromised, making it the largest healthcare data breach in U.S. history. Total financial exposure for UnitedHealth exceeded $1.5 billion. The attack vector was not sophisticated. A single unprotected remote-access portal was the door through which a nation-scale health system was brought to its knees.
IBM's 2024 Cost of a Data Breach Report found the average healthcare breach cost $9.77 million, and healthcare has held the top spot as the most expensive industry for breaches for 14 consecutive years. Breaches take an average of 279 days to detect and contain, a timeline that reflects the complexity of healthcare IT environments and the persistent difficulty of distinguishing malicious activity from the constant churn of legitimate clinical data access. The organizations doing the most to reduce their exposure share a short but non-negotiable list of practices: phishing-resistant MFA on every remote access point, network segmentation that isolates clinical systems from administrative networks, regular tested backups of EHR data stored offline, and a documented incident response plan that explicitly names who calls law enforcement and when. IBM's research found that organizations that engaged law enforcement during a ransomware event saved nearly $1 million in breach costs compared to those that handled it internally. In a sector where the average breach already tops $9 million, that is not a rounding error.
Expert Tip: MFA on Every Remote Access Point Is Non-Negotiable
The Change Healthcare attack succeeded because a Citrix remote-access portal lacked multi-factor authentication. This is not an exotic vulnerability; it is a missing configuration on a widely used remote access tool. CISA and HHS jointly published guidance specifically recommending phishing-resistant MFA (FIDO2/hardware tokens) for all remote access into clinical and administrative systems. For healthcare organizations still relying on SMS-based MFA or no MFA at all on remote access portals, implementing hardware-based MFA is the single highest-return security investment available. CISA's healthcare-specific guidance is available at cisa.gov/healthcare.
Key Takeaways
- Healthcare is the top IC3 target: 444 critical infrastructure complaints in 2024, more than any other sector, including 238 ransomware incidents.
- The Change Healthcare breach set a new scale: 190 million Americans affected, $22M ransom paid, $1.5B+ in total costs, all enabled by a single portal without MFA.
- 14 consecutive years as the costliest sector: Average breach cost was $9.77M in 2024; breaches take 279 days to detect and contain on average.
- Law enforcement engagement reduces costs: Organizations that involved law enforcement saved nearly $1M per incident compared to those that did not.
- The most important control is also the simplest: Phishing-resistant MFA on all remote access portals would have prevented the most expensive healthcare breach in U.S. history.
Sources:
- FBI IC3 2024 Annual Report
- IBM: Cost of a Data Breach Healthcare Industry
- IBM: Change Healthcare $22M Ransomware Payment
- American Hospital Association: Change Healthcare Cyberattack
- Healthcare Dive: Average Cost of Healthcare Data Breach 2024