Ransomware attacks involve hackers locking people out of their own data and demanding a payoff to regain access. But when patient data is held for ransom for hours or months, lives are on the line.
A new report by Comparitech identified 172 ransomware attacks on U.S. health care groups since 2016.
Those attacks cost an estimated $157 million in downtime and delayed treatment for more than 6 million patients.
Comparitech editor Paul Bischoff says companies should minimize human error through training.
"The second thing is creating backups regularly and, soon as the backup's completed, they're on a separate storage network that's not connected to the rest of the hospital's network, so it can't get infected," he said.
In Arizona, three attacks affected nearly 12,000 people and totaled $2.7 million to $4.2 million in downtime.
The victims included a cosmetic surgery provider, a retirement community and a clinic.
The study based its tallies on the states in which a medical company was headquartered.
California accounted for 14.5% of the attacks, but the state is also home to 12% of the U.S. population and a high concentration of health care providers.
By contrast, Michigan providers suffered only five ransomware attacks but saw 1.1 million people affected by just two incidents: one at a medical supply company, the other at a medical billing company.
Both have clients located in more than one state.