Death by Ransomware
6:32 AM
At 6:32 in the morning on January 13, 2026, someone at AZ Monica hospital in Belgium noticed something wrong on the network. IT staff acted fast. Within minutes, they pulled the plug on all servers across both campuses, Antwerp and Deurne. It was the right call.
Seventy scheduled surgeries were cancelled. The emergency department scaled back. Mobile Urgency Groups went dark. Staff lost access to patient records and fell back on paper. Seven critical patients were transferred out, ambulances rerouted elsewhere.
A modern hospital, mid-morning, running on nothing.
Local media reported unverified claims of a ransom demand. Officials haven’t confirmed much beyond the basics. What they did confirm is this: a twenty-first century institution was forced to function as though it were still the nineties, with the critical complication that every workflow and trained reflex assumes infrastructure that was suddenly gone.
The Body Count
We rarely frame ransomware in terms of mortality. We should start.
In September 2020, a woman in Germany suffered an aortic aneurysm. The nearest hospital, the University Clinic in Düsseldorf, had been hit by ransomware hours earlier and closed its emergency department. She was diverted 32 kilometers away. She didn’t make it. German prosecutors opened a negligent homicide investigation against the unknown attackers.
Her death is often cited as the first directly attributable to a cyberattack on healthcare. It won’t be the last.
The Ponemon Institute found that more than 20% of healthcare organizations experiencing a cyberattack report increased patient mortality in the aftermath. A study of Medicare data estimated ransomware attacks contributed to between 42 and 67 deaths from 2016 to 2021. That figure is almost certainly an undercount. One Vanderbilt University researcher put annual deaths from healthcare data breaches as high as 2,100 in the United States, driven largely by delays in cardiac care among patients who couldn’t get timely electrocardiograms.
The mechanics aren’t mysterious. Systems go offline, tests can’t be ordered, results can’t be retrieved, nearby hospitals absorb the overflow. Staff work from memory and incomplete paper records. The degradation cascades across an entire region before anyone fully understands what’s happening.
AZ Monica is one incident among dozens. Ransomware against healthcare institutions surged 36% in 2025 compared to the year before. The sector now accounts for over a third of all reported incidents. Some projections put 60% of health systems at risk of disrupted care delivery by the end of this year.
These aren’t anomalies anymore. Every diverted ambulance, every inaccessible record, is a roll of the dice with someone’s life.
The Perfect Victim
Think about this from an attacker’s perspective for a moment.
Medical records are among the most sensitive data that exists. They generate leverage, not just market value. A retail breach might sit undiscovered for months. A hospital knows within minutes when it has lost access to patient records, and the consequences are immediate and potentially fatal. Pressure to pay builds fast.
The average ransom payment in healthcare has reached $4.4 million. Even as payment rates drop across other sectors, hospitals remain profitable at scale precisely because the operational cost of refusal is so high.
But the incentive structure is almost secondary to the underlying vulnerability. Healthcare infrastructure is genuinely fragile in ways that reflect decades of neglect.
The average hospital spends less than six percent of its IT budget on cybersecurity. Many operate on margins so thin that security competes directly with patient care for every dollar. Public hospitals serving low-income communities face this tradeoff in its most brutal form.
What follows is predictable. Legacy systems run because replacement is unaffordable. Patches get deferred because maintenance requires downtime that no one can approve. Staff don’t receive basic security training because the training budget was cut two cycles ago. The Change Healthcare breach in 2024, which exposed data on 190 million Americans, began with stolen credentials on a Citrix portal that lacked multi-factor authentication. The technical failure was almost embarrassingly simple. These failures usually are.
Medical devices compound the problem. Infusion pumps, imaging equipment, patient monitors are all increasingly networked, and many run operating systems so old they can’t be patched without voiding regulatory approval or manufacturer warranties. They sit on hospital networks, creating attack surfaces that security teams can identify but can’t close.
A Pattern That Doesn’t Break
In May 2017, WannaCry hit the UK National Health Service. More than a third of NHS trusts were affected. An estimated 19,000 appointments and operations were cancelled. Staff reverted to pen and paper. The financial damage exceeded £92 million.
The NHS wasn’t even the intended target. WannaCry spread indiscriminately, exploiting a Windows vulnerability that Microsoft had patched two months earlier. Many NHS systems hadn’t applied it. Before the attack, none of the 88 NHS trusts that had undergone cybersecurity assessments had passed.
Reports were written. Recommendations issued. Investment increased. A Cyber Handbook was developed.
And here we are in 2026, watching hospitals go dark.
One more detail from Düsseldorf worth sitting with: the attackers hadn’t meant to hit a hospital. Their ransom note was addressed to the affiliated university. When German police contacted them and explained that patient lives were at risk, they handed over the decryption keys. No further demands. This is sometimes cited as evidence that ransomware operators have some floor of restraint. The woman was already dead. The limits arrived too late.
The Economics of Neglect
The money that flows into security follows the money that flows into healthcare, and it does not flow equally.
Well-funded private systems can afford enterprise detection tools, dedicated security staff, and rapid incident response. Rural hospitals running at thin margins sometimes can’t afford a full-time IT person, let alone anyone with security specialization. Public institutions serving low-income communities face this in its starkest form.
Attackers operate under entirely different constraints. Ransomware-as-a-Service platforms have effectively removed the technical barriers to entry. A subscription grants access to malware, infrastructure, negotiation support, and something that functions disturbingly like customer service. Groups like Qilin have already surpassed the activity levels of former leaders like LockBit. Analysts expect 2026 to be the first year when new ransomware groups outside Russia outnumber those within it.
The asymmetry compounds over time. Successful attacks fund better attacks. Healthcare institutions struggle to compete for security talent against every other industry, constrained by the same budget pressures that limit everything else they do. The global shortage of skilled practitioners hits hardest where resources are already insufficient.
This is a market failure. The phrase doesn’t quite capture what it means when the failure is measured in lives.
Why This Keeps Happening
Hospital cybersecurity is underfunded because hospitals are underfunded. That’s essentially the whole story, structurally speaking.
When every budget line is contested, a security upgrade competes against hiring nurses or buying medications. The benefit of better infrastructure is probabilistic and invisible when nothing goes wrong. The benefit of an additional nurse is visible every shift.
Societies decide how to fund healthcare. They decide which regulatory standards to mandate and whether to provide any resources for compliance. They decide whether to hold technology vendors accountable for what they sell into clinical environments.
I don’t suggest hospitals are without fault. Many make poor decisions even within existing constraints. Leadership frequently ignores cybersecurity until an incident forces the conversation. These failures are real.
They also occur within systems designed to produce them. Individual hospitals can’t solve problems that require collective action: adequate public funding, regulatory mandates with real resources attached, vendor liability. Attributing systemic failures to individual institutions is convenient for those who prefer not to examine the system.
What Would Actually Help
The standard recommendations are sound enough as far as they go. Patch promptly. Segment networks. Maintain offline backups. Train staff. These are necessary conditions for security.
They are insufficient when the core problem is chronic underresourcing. A hospital that can’t afford maintenance downtime can’t patch promptly. One that can’t hire security staff can’t segment networks properly. Telling structurally underfunded institutions to simply do better is an abdication dressed up as advice.
The harder conversation involves confronting what no one is being made to answer for. Medical device manufacturers ship products with known vulnerabilities and face no legal consequences. Software vendors sell systems to hospitals without ongoing security support. The federal government mandates HIPAA compliance without funding the means to achieve it. Each of these actors could be held accountable. None of them are.
Addressing healthcare cybersecurity means addressing healthcare funding. Public investment in digital infrastructure. Regulatory requirements with funding attached, so mandates don’t become unfunded burdens on institutions already stretched past capacity. Vendor liability when negligence contributes to patient harm.
I’m not optimistic about the timeline. The medical device lobby is well-funded. The software industry has spent years resisting liability frameworks. Healthcare systems lack the political power of industries that receive generous government support. The patients who bear the costs are diffuse and unorganized. They will never trace their delayed treatment to a procurement decision made a decade ago by someone who no longer works at the hospital.
The problem is political before it is technical. The knowledge exists. The solutions exist. What’s missing is the will to impose costs on actors who benefit from the current arrangement.
The attack on AZ Monica will fade from public attention within weeks. Another hospital will be hit. Surgeries will be cancelled. Ambulances will be diverted. Some patients will die who would have survived otherwise.
We’ve seen this before. WannaCry in 2017. Düsseldorf in 2020. Universal Health Services that same year. Scripps Health in 2021, CommonSpirit in 2022, Ardent Health in 2023, Change Healthcare in 2024. The incidents accumulate. The lessons get restated. The funding doesn’t materialize. The pattern continues.
Ransomware against healthcare has become background noise, a level of preventable harm the system has quietly decided to absorb. The harm falls disproportionately on patients served by underfunded institutions, which means disproportionately on the poor, the rural, and the marginalized.
I don’t know what threshold of harm would change this. The deaths haven’t been enough. Maybe nothing will change until the people with the power to act are the ones dying in the dark.
Until then, hospitals will keep going dark. And in the dark, people will die.