The healthcare industry, seemingly constantly embattled when it comes to cyberattacks, can’t catch a break.

Facilities have been slowed by ransomware in particular over the last several years, a threat that can severely drain an organization’s resources, including downtime and especially funds.

While attackers didn't get nearly this much, the average initial ransomware demand for healthcare companies in 2020 was a whopping $4,583,090.

That’s according to BakerHostetler, a law firm that releases an annual report that looks at data security incidents at companies the firm represents.

Overall, at least at companies it worked with, ransoms demanded and paid increased drastically. There were only 15 different threat actors/variants in 2019, compared to 75 last year, something which could say more about the commoditization of ransomware gangs and ransomware-as-a-service in general.

While paying attackers is ill-advised - agencies including the U.S. Department of Health and Human Services, the Federal Bureau of Investigation and others have gone on record urging against paying ransoms – it still happens. According to the law firm, whose report is dubbed the Data Security Incident Response (DSIR) Report, the average ransom payout in the healthcare industry was $910,335, a number that certainly isn’t as high as the $4 million figure but still a sizeable chunk of change.

Still, the number is high, more than four times the average ransom payment across all sectors in Q1 2021, a number that's around $220,000 according to Coveware, a company that performs ransomware incident response but also aggregates ransomware case data. Data theft is the norm, not an outlier, according to the firm's latest quarterly report, issued last month.

“Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data,” it said in the report, adding that 77% percent of all of the threats it observed included the threat to leak exfiltrated data

These sums don’t include what it costs the healthcare facilities to hire an incident response team to remediate the problem by coming in to assess the scope of the intrusion. The average cost of that in 2020 was $58,963, according to BakerHostetler’s report.

Ransomware is behind some of the numbers in Verizon’s annual Data Breach Investigations Report, or DBIR, as well.

The report, which incorporated responses from 83 different organizations, looked at nearly 30,000 security incidents around the globe; 5,258 of them were data breaches. 655 of those incidents were from the healthcare industry.

Like last year, financially motivated hackers were responsible for most of the attacks (91%) on the healthcare industry, with ransomware "being a favored tactic." Elsewhere, across other industries, ransomware saw a marked uptick when it came to its role in manufacturing breaches - it surpassed denial of service attacks and phishing. Overall; it accounted for 5% of the incidents Verizon looked at.