. 2023 May 1;6(5):e2312270.

doi: 10.1001/jamanetworkopen.2023.12270.

Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US

Christian Dameff^{1

2

3}, Jeffrey Tully⁴, Theodore C Chan¹, Edward M Castillo¹, Stefan Savage³, Patricia Maysent⁵, Thomas M Hemmen⁶, Brian J Clay^{2

5}, Christopher A Longhurst^{2

5}

Affiliations

¹ Department of Emergency Medicine, University of California, San Diego.
² Department of Biomedical Informatics, University of California, San Diego.
³ Department of Computer Science and Engineering, University of California, San Diego.
⁴ Department of Anesthesiology, University of California, San Diego.
⁵ Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego.
⁶ Department of Neurosciences, University of California, San Diego.

PMID: 37155166
PMCID: PMC10167570
DOI: 10.1001/jamanetworkopen.2023.12270

Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US

Christian Dameff et al. JAMA Netw Open. 2023.

. 2023 May 1;6(5):e2312270.

doi: 10.1001/jamanetworkopen.2023.12270.

Authors

Christian Dameff^{1

2

3}, Jeffrey Tully⁴, Theodore C Chan¹, Edward M Castillo¹, Stefan Savage³, Patricia Maysent⁵, Thomas M Hemmen⁶, Brian J Clay^{2

5}, Christopher A Longhurst^{2

5}

Affiliations

¹ Department of Emergency Medicine, University of California, San Diego.
² Department of Biomedical Informatics, University of California, San Diego.
³ Department of Computer Science and Engineering, University of California, San Diego.
⁴ Department of Anesthesiology, University of California, San Diego.
⁵ Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego.
⁶ Department of Neurosciences, University of California, San Diego.

PMID: 37155166
PMCID: PMC10167570
DOI: 10.1001/jamanetworkopen.2023.12270

Abstract

Importance: Cyberattacks on health care delivery organizations are increasing in frequency and sophistication. Ransomware infections have been associated with significant operational disruption, but data describing regional associations of these cyberattacks with neighboring hospitals have not been previously reported, to our knowledge.

Objective: To examine an institution's emergency department (ED) patient volume and stroke care metrics during a month-long ransomware attack on a geographically proximal but separate health care delivery organization.

Design, setting, and participants: This before and after cohort study compares adult and pediatric patient volume and stroke care metrics of 2 US urban academic EDs in the 4 weeks prior to the ransomware attack on May 1, 2021 (April 3-30, 2021), as well as during the attack and recovery (May 1-28, 2021) and 4 weeks after the attack and recovery (May 29 to June 25, 2021). The 2 EDs had a combined mean annual census of more than 70 000 care encounters and 11% of San Diego County's total acute inpatient discharges. The health care delivery organization targeted by the ransomware constitutes approximately 25% of the regional inpatient discharges.

Exposure: A month-long ransomware cyberattack on 4 adjacent hospitals.

Main outcomes and measures: Emergency department encounter volumes (census), temporal throughput, regional diversion of emergency medical services (EMS), and stroke care metrics.

Results: This study evaluated 19 857 ED visits at the unaffected ED: 6114 (mean [SD] age, 49.6 [19.3] years; 2931 [47.9%] female patients; 1663 [27.2%] Hispanic, 677 [11.1%] non-Hispanic Black, and 2678 [43.8%] non-Hispanic White patients) in the preattack phase, 7039 (mean [SD] age, 49.8 [19.5] years; 3377 [48.0%] female patients; 1840 [26.1%] Hispanic, 778 [11.1%] non-Hispanic Black, and 3168 [45.0%] non-Hispanic White patients) in the attack and recovery phase, and 6704 (mean [SD] age, 48.8 [19.6] years; 3326 [49.5%] female patients; 1753 [26.1%] Hispanic, 725 [10.8%] non-Hispanic Black, and 3012 [44.9%] non-Hispanic White patients) in the postattack phase. Compared with the preattack phase, during the attack phase, there were significant associated increases in the daily mean (SD) ED census (218.4 [18.9] vs 251.4 [35.2]; P < .001), EMS arrivals (1741 [28.8] vs 2354 [33.7]; P < .001), admissions (1614 [26.4] vs 1722 [24.5]; P = .01), patients leaving without being seen (158 [2.6] vs 360 [5.1]; P < .001), and patients leaving against medical advice (107 [1.8] vs 161 [2.3]; P = .03). There were also significant associated increases during the attack phase compared with the preattack phase in median waiting room times (21 minutes [IQR, 7-62 minutes] vs 31 minutes [IQR, 9-89 minutes]; P < .001) and total ED length of stay for admitted patients (614 minutes [IQR, 424-1093 minutes] vs 822 minutes [IQR, 497-1524 minutes]; P < .001). There was also a significant increase in stroke code activations during the attack phase compared with the preattack phase (59 vs 102; P = .01) as well as confirmed strokes (22 vs 47; P = .02).

Conclusions and relevance: This study found that hospitals adjacent to health care delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.

PubMed Disclaimer

Conflict of interest statement

Conflict of Interest Disclosures: None reported.

Figures

**Figure 1.. Emergency Department (ED) Census, Admissions, and Incomplete Care Per Day**
Incomplete care includes patients who left without being seen, patients who left against medical advice, and patients who “eloped” (could not be located after being placed in a treatment area after nurse triage and clinician evaluation).

**Figure 2.. Cumulative San Diego County Emergency Medical Services Diversion Hours Per Day**

See this image and copyright information in PMC

Cited by

Ransomware Cyberattack Associated With Cardiac Arrest Incidence and Outcomes at Untargeted, Adjacent Hospitals.
Pham TT, Loo TM, Malhotra A, Longhurst CA, Hylton D, Dameff C, Tully J, Wardi G, Sell RE, Pearce AK. Pham TT, et al. Crit Care Explor. 2024 Apr 10;6(4):e1079. doi: 10.1097/CCE.0000000000001079. eCollection 2024 Apr. Crit Care Explor. 2024. PMID: 38605720 Free PMC article.
Media Framing and Portrayals of Ransomware Impacts on Informatics, Employees, and Patients: Systematic Media Literature Review.
Avery A, Baker EW, Wright B, Avery I, Gomez D. Avery A, et al. J Med Internet Res. 2025 Apr 8;27:e59231. doi: 10.2196/59231. J Med Internet Res. 2025. PMID: 40198915 Free PMC article.
Prompt injection attacks on vision-language models for surgical decision support.
Zhang Z, Qadir MI, Carstens M, Zhang EH, Loiselle MS, Martinus FM, Mroczkowski MK, Clusmann J, Kather JN, Kolbinger FR. Zhang Z, et al. medRxiv [Preprint]. 2025 Jul 23:2025.07.16.25331645. doi: 10.1101/2025.07.16.25331645. medRxiv. 2025. PMID: 40778151 Free PMC article. Preprint.
Characteristics of short-term acute care hospitals that experienced a ransomware attack from 2016 to 2021.
McGlave CC, Nikpay SS, Henning-Smith C, Rydberg K, Neprash HT. McGlave CC, et al. Health Aff Sch. 2023 Aug 28;1(3):qxad037. doi: 10.1093/haschl/qxad037. eCollection 2023 Sep. Health Aff Sch. 2023. PMID: 38756673 Free PMC article.
Patient Care Technology Disruptions Associated With the CrowdStrike Outage.
Tully JL, Rao S, Straw I, Gabriel RA, Longhurst CA, Savage S, Voelker GM, Dameff CJ. Tully JL, et al. JAMA Netw Open. 2025 Jul 1;8(7):e2530226. doi: 10.1001/jamanetworkopen.2025.30226. JAMA Netw Open. 2025. PMID: 40682764 Free PMC article.

References

1. Jarrett MP. Cybersecurity—a serious patient care concern. JAMA. 2017;318(14):1319-1320. doi:10.1001/jama.2017.11986 - DOI - PubMed
1. Kramer DB, Fu K. Cybersecurity concerns and medical devices: lessons from a pacemaker advisory. JAMA. 2017;318(21):2077-2078. doi:10.1001/jama.2017.15692 - DOI - PubMed
1. Perakslis ED. Cybersecurity in health care. N Engl J Med. 2014;371(5):395-397. doi:10.1056/NEJMp1404358 - DOI - PubMed
1. Williams CM, Chaturvedi R, Chakravarthy K. Cybersecurity risks in a pandemic. J Med Internet Res. 2020;22(9):e23692. doi:10.2196/23692 - DOI - PMC - PubMed
1. Martin G, Martin P, Hankin C, Darzi A, Kinross J. Cybersecurity and healthcare: how safe are we? BMJ. 2017;358:j3179. doi:10.1136/bmj.j3179 - DOI - PubMed

Publication types

Actions

MeSH terms

Actions
Actions
Actions
Actions
Actions
Actions
Actions
Actions
Actions
Actions
Actions

Grants and funding

K08 EB032477/EB/NIBIB NIH HHS/United States

LinkOut - more resources

Full Text Sources
Medical
- MedlinePlus Health Information
Miscellaneous
- NCI CPTAC Assay Portal

Save citation to file

Email citation

Add to Collections

Add to My Bibliography

Your saved search

Create a file for external citation management software

Your RSS Feed

Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US

Affiliations

Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US

Authors

Affiliations

Abstract

Conflict of interest statement

Figures

Similar articles

Cited by

References

Publication types

MeSH terms

Grants and funding

LinkOut - more resources

Full Text Sources

Medical

Miscellaneous

Abstract

Conflict of interest statement

Figures

Similar articles

Cited by

References

Publication types

MeSH terms

Related information

Grants and funding

LinkOut - more resources

Full Text Sources

Medical

Miscellaneous