Congress Considers Harsher Penalties for Ransomware Attacks on Hospitals, Including Terrorism Designations and Homicide Charges

Lawmakers at a hearing on Tuesday examined ways to strengthen punishments for ransomware attacks targeting hospitals, including potential terrorism designations and homicide charges in fatal cases.

One proposal, floated during a House Homeland Security Committee hearing, suggests treating ransomware attacks as acts of terrorism. This idea has been considered by Congress in the past. Another proposal would encourage prosecutors to pursue homicide charges in cases where ransomware attacks on hospitals result in death—a concept previously explored by German authorities.

Former FBI cyber official Cynthia Kaiser, now senior vice president of the Halcyon ransomware research center, presented both ideas during the hearing. The meeting was a joint session of the subcommittees on Border Security and Enforcement and Cybersecurity and Infrastructure Protection, focusing on cybercrime.

“I believe there are no penalties too severe for individuals that would target our health care system.”

Rep. Michael Guest of Mississippi, chair of the border subcommittee, made the statement. His home state’s healthcare clinics were forced to close in February following a ransomware attack.

The proposals come amid a sharp rise in ransomware attacks on the healthcare sector. According to FBI statistics, incidents nearly doubled from 238 in 2024 to 460 in 2025, making healthcare the most targeted sector.

Kaiser argued that terrorism designations from the State, Treasury, and Justice departments could lead to additional sanctions, travel restrictions, and other penalties. She also suggested that Justice Department guidance on homicide charges could clarify its authority in such cases.

“It sounds like the language is there, it just has not been applied in these circumstances.”

Rep. Lou Correa of California, the top Democrat on Rep. Guest’s subpanel, made the comment.

The push to link cyberattacks with terrorism has gained traction in both Congress and the executive branch. The fiscal 2025 Senate intelligence authorization bill initially included language directly tying ransomware to terrorism, though the final version of the bill was less explicit. Last month, the Treasury Department sought public feedback on updating a terrorism risk insurance program to address cyber-related losses.

A 2023 study by the University of Minnesota estimated that hospital ransomware attacks contributed to dozens of deaths among Medicare patients. In 2020, German authorities opened a negligent homicide investigation following a death linked to a ransomware attack but ultimately declined to press charges.

The Trump administration’s national cyber strategy supports a more aggressive approach to combating hackers. On the same day the strategy was published, the administration released an executive order on cybercrime and fraud. Kaiser noted that the proposals align with these broader strategies.

“Hackers know their attacks could end lives,” Kaiser said. “They have simply decided these deaths are someone else’s problem.”