Harsher Penalties on the Table as Hospital Ransomware Surges
During a congressional hearing held on Tuesday, members of the House Homeland Security Committee debated whether existing penalties for ransomware attacks targeting hospitals are severe enough — and examined proposals that could fundamentally reclassify such attacks under far more serious criminal categories. The session was a joint meeting of the subcommittees on Border Security and Enforcement and Cybersecurity and Infrastructure Protection, focused specifically on the escalating threat of cybercrime against critical health infrastructure.
Two particularly striking proposals emerged during the hearing: first, that ransomware attacks on hospitals should be designated as acts of terrorism; and second, that federal prosecutors should be encouraged to pursue homicide charges in cases where a patient death can be linked to a ransomware-induced disruption. Both ideas were advanced by Cynthia Kaiser, a former senior FBI cyber official who now serves as senior vice president of the Halcyon ransomware research center.
FBI Data Reveals Healthcare as the Top Ransomware Target
The urgency behind the proposals is underscored by stark statistics. According to FBI figures cited at the hearing, ransomware incidents targeting the healthcare sector nearly doubled — rising from 238 attacks in 2024 to 460 in 2025 — making it the single most targeted industry. That trajectory alarmed lawmakers on both sides of the aisle.
Rep. Michael Guest of Mississippi, who chairs the border subcommittee, expressed unambiguous support for stricter measures. His home state saw healthcare clinics forced to close following a ransomware attack in February, lending a personal dimension to his stance.
"I believe there are no penalties too severe for individuals that would target our health care system," said Rep. Guest.
Terrorism Designations: What Would They Mean in Practice?
Kaiser explained that formally designating hospital ransomware attacks as terrorism — through coordinated action by the State Department, the Treasury Department, and the Justice Department — could unlock a broader toolkit of consequences for perpetrators. These would include expanded sanctions regimes, restrictions on international travel, and additional punitive measures currently reserved for designated terrorist actors.
The concept is not entirely new territory for Congress. The fiscal 2025 Senate intelligence authorization bill included language that would have directly linked ransomware to terrorism, although the final version of the legislation that was ultimately signed into law was less explicit than what the Senate originally proposed. More recently, the Treasury Department opened a public comment period last month on whether to modify a terrorism risk insurance program to account for cyber-related financial losses.
Homicide Charges: Legal Basis Already Exists?
The homicide charge proposal generated considerable discussion. Kaiser argued that the legal language needed to support such prosecutions may already exist — it simply has not been applied in the context of ransomware-related deaths.
Rep. Lou Correa of California, the ranking Democrat on Guest's subpanel, appeared receptive to this interpretation.
"It sounds like the language is there, it just has not been applied in these circumstances," said Rep. Correa.
The idea has international precedent, at least in terms of intent. In 2020, German authorities launched a negligent homicide investigation following a patient death that occurred in the aftermath of a ransomware attack on a hospital. Investigators ultimately decided against filing charges, but the case established a conceptual framework for linking cyber disruptions to criminal liability for loss of life.
In the United States, a 2023 study from the University of Minnesota estimated that ransomware attacks on hospitals were responsible for the deaths of dozens of Medicare patients — providing academic grounding for the argument that these attacks carry lethal consequences.
Alignment with the Trump Administration's Cyber Strategy
Kaiser framed both proposals as consistent with the Trump administration's recently released national cyber strategy, which advocates for a more aggressive, offensive posture toward malicious hackers. The administration released an executive order targeting cybercrime and fraud on the same day it published that strategy, signaling an intent to escalate the government's response.
Kaiser emphasized that ransomware operators are fully aware their attacks can — and do — cost lives. In her view, the attackers have made a calculated moral choice to ignore those consequences.
"They have simply decided these deaths are someone else's problem," Kaiser said.
What Comes Next
No legislation was introduced or voted on during Tuesday's hearing, but the discussion signals growing bipartisan momentum toward treating healthcare-targeted ransomware as something qualitatively different from ordinary cybercrime. Whether Congress moves to formally codify terrorism designations, issue guidance on homicide prosecutions, or pursue some other legislative remedy remains to be seen — but the political will to act appears to be strengthening as the human cost of these attacks becomes harder to ignore.
- Ransomware attacks on U.S. hospitals climbed from 238 in 2024 to 460 in 2025, per FBI data.
- A University of Minnesota study (2023) linked hospital ransomware attacks to dozens of Medicare patient deaths.
- German investigators opened — then dropped — a negligent homicide case tied to a hospital ransomware attack in 2020.
- The Trump administration's cyber strategy and an accompanying executive order both favor more aggressive responses to cybercriminals.
Source: CyberScoop