As is often the case, a frozen screen was the first indication that something was amiss at Good Samaritan. A nurse attempts to access a medication chart. Instead of a discharge summary, a printer spits out an odd note. Within hours, the staff had stopped attempting to log in and had resumed writing on paper, just as people had done decades before any of this became commonplace. These days, it’s difficult to ignore how frequently the story starts like this. A peaceful morning. A terminal that is locked. Then there was an excessive number of zeros in an email that nobody wanted to read.
Good Samaritan is neither the first nor the last small healthcare provider to be impacted. However, there’s something about this specific attack that feels more like a turning point than a singular incident. Large systems with hundreds of hospitals and billion-dollar earnings, such as Ascension, Change Healthcare, and Lurie Children’s, dominated the news for years. It was assumed—often unspoken—that smaller providers weren’t worth dealing with. In real time, that presumption is disintegrating.
A portion of the story is revealed by the figures from the previous year. According to data presented at a United Nations Security Council briefing, there were over 1,500 ransomware incidents in the United States in 2023, and ransom payments exceeded $1.1 billion. Dr. Tedros Adhanom Ghebreyesus of the World Health Organization referred to these attacks as “issues of life and death.” It’s not rhetorical to say that. Cyberattacks on hospitals have been linked by researchers to quantifiable increases in patient mortality. This finding should have altered the discourse, but it hasn’t, at least not where it matters most.
Good Samaritan is instructive because of how commonplace it is. A small staff. An outdated IT budget. A few part-time technicians handling everything from electronic health records to password resets. Every small healthcare facility in the nation has the same layout, whether it’s tucked away in an Arkansas strip mall or sharing a parking lot with a feed store in eastern Oregon. It’s not carelessness. It has to do with economics. Administrators feel that cybersecurity is a luxury line item, something you’ll take care of next quarter, once the boiler is fixed and the new EHR vendor has completed its rollout.

It appears that hackers are more aware of this than the providers. According to Dr. Tedros, the reasoning is unsettlingly straightforward: the more damage a ransomware group can cause, the more ransom it can demand. Decisions are made in minutes, not days, by a clinic that lacks access to patient records. Surgery is postponed. Ambulances are rerouted. Schedules for chemotherapy slip. Meanwhile, a small group of operators watches a timer count down and waits somewhere in a different nation on a different continent.
Like most of these incidents, it’s possible that the Good Samaritan attack will quickly lose public attention. The $75 million Bitcoin payment made to Cencora earlier this year hardly reached the financial media. Within a news cycle, MediSecure’s breach in Australia, which exposed data on almost 13 million people, came and went. A certain level of fatigue is beginning to set in, which is problematic in and of itself because the attackers are counting on this.
Whether the smaller providers will view Good Samaritan as a warning or as background noise is still up in the air. The temptation will be to believe that someone else’s misfortune is somehow burdensome and that it cannot occur here. However, the providers continue to be selected virtually at random, and the pattern continues to recur. You get the impression that those in charge of small clinics are going to discover what the larger systems already know: there is no such thing as too small to attack. It’s just too little to heal.

