The argument is no longer coming from advocates or academics. It is coming from someone who spent a career inside the Bureau — and it deserves a serious response from every healthcare provider in America.
A former deputy assistant director of the FBI’s Cyber Division has publicly called for ransomware attacks on healthcare providers to be reclassified as terrorism offenses. The proposal is pointed: attackers who target hospitals, nursing facilities, and cancer centers do so knowing full well that their actions put patients at direct risk. That, the argument goes, is not cybercrime. It is an attack on civilian life.
For healthcare compliance officers and executives, this is more than a policy debate. It is a signal about where federal thinking on healthcare cybersecurity is heading — and what that means for how providers should assess and communicate their own risk.
Why “Cybercrime” Is the Wrong Frame
Under current federal law, ransomware prosecutions proceed primarily through the Computer Fraud and Abuse Act and wire fraud statutes. The recent convictions of BlackCat affiliates Ryan Goldberg and Kevin Martin — sentenced to four years each in May 2026 — illustrate both the progress and the limits of this approach.
Four years is a real consequence. It is also a modest one for attacks that generated millions in ransom payments while threatening patient safety across multiple healthcare targets. Compare that to the sentences available under federal terrorism statutes, which allow substantially longer maximum terms (up to life imprisonment where an attack results in death) and which trigger a separate tier of investigative authority, asset seizure powers, and international law enforcement cooperation.
The practical gap between “cybercriminal” and “terrorist” is not just rhetorical. It changes what prosecutors can charge, what sentences judges can impose, and critically, what deterrent signal the government sends to the global affiliate ecosystem that fuels these attacks.
“Ransomware actors who attack healthcare providers do so in full knowledge that the attacks put patient safety at risk. It is time for the government to class the attacks as terrorism offenses.” — Former FBI Cyber Division Deputy Assistant Director
The Patient Safety Case Is Already Made
The argument for terrorism classification does not rest on legal theory alone. It rests on documented outcomes.
Ransomware attacks on hospitals have delayed emergency care, forced ambulance diversions, cancelled surgeries, disrupted chemotherapy schedules, and in several documented cases contributed to patient deaths — including a case in Germany where a woman died after being diverted from a ransomware-affected hospital to a facility 32 kilometers away. A 2021 study published in JAMA Network Open found measurable increases in in-hospital mortality rates at hospitals near those experiencing cyberattacks, as patients were redirected to already-strained facilities.
An attack that predictably endangers civilian life, carried out deliberately against a protected civilian institution, at minimum invites the comparison to terrorism — even if existing statutes do not straightforwardly apply. While federal terrorism frameworks vary significantly in how they define motive and intent, the practical debate is increasingly less about ideology and more about whether deliberate attacks on civilian healthcare infrastructure that predictably endanger lives should trigger a terrorism-level investigative and prosecutorial response.
What This Means Operationally for Providers
Whether Congress moves toward terrorism reclassification in the near term or not — and given the current legislative environment, meaningful movement is uncertain — the underlying argument has direct implications for how providers should position their cybersecurity posture.
- Reframe the board conversation. The former official's framing gives compliance and security leaders a powerful new tool for internal advocacy. This is not an IT budget request. It is a question of whether your organization is a soft target for what a former senior FBI cyber official has publicly characterized as a threat to civilian safety. Boards respond differently to existential framing than to technical risk matrices.
- Prepare for stricter federal standards. The direction of policy at HHS and its Office for Civil Rights (OCR) is clearly toward greater mandatory cybersecurity requirements for covered entities. The HIPAA Security Rule update proposed in the final weeks of the Biden administration signaled this shift: it would require, among other things, a technology asset inventory and network map, network segmentation, vulnerability scanning at least every six months, and penetration testing at least annually. The terrorism debate accelerates political pressure for binding standards rather than voluntary guidance.
- Document your threat model accordingly. If ransomware groups are increasingly characterized as organized criminal enterprises with potential terrorism exposure, as the BlackCat prosecutions and this proposal suggest, your risk assessments, board reports, and cyber insurance disclosures should reflect that characterization. It affects how insurers price coverage, how regulators assess preparedness, and how juries evaluate negligence in the event of litigation.
The Signal Beneath the Proposal
The former FBI official's statement is not a lone voice. It reflects a growing view among federal law enforcement, national security agencies, and healthcare regulators that the current legal framework is calibrated for a threat that no longer matches the reality. BlackCat (also known as ALPHV), LockBit, and their successors are not opportunistic hackers. They are structured criminal enterprises running affiliate programs, maintaining negotiation infrastructure, and deliberately targeting institutions where operational disruption maximizes ransom leverage.
When those institutions are hospitals, the leverage comes directly from patient vulnerability. Critics of the current framework argue that treating these attacks primarily as financial crimes may underestimate their real-world impact on patient safety and public health infrastructure.
The proposal is not without its critics. Civil liberties advocates and legal scholars have raised legitimate concerns about expanding terrorism statutes to cover financially motivated cybercrime — noting the risk of overbroad prosecutorial power, the difficulty of drawing a principled line between ransomware and other forms of extortion, and the due process implications of terrorism designations. Some argue that aggressive use of existing CFAA and conspiracy statutes, combined with international law enforcement cooperation, may be sufficient without triggering the full machinery of terrorism law. These are serious objections that any legislative effort would need to address.
For healthcare providers, the practical implication is clear regardless of how the legal debate resolves: the federal government is moving toward treating your cybersecurity posture as a matter of national and public health security. The organizations that adapt to that reality now will be in a fundamentally stronger position — legally, operationally, and ethically — than those that wait for the statutory change to force the issue.
Sources
- HIPAA Journal — Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors https://www.hipaajournal.com/
- HIPAA Journal — American Cybersecurity Professionals Given Jail Terms for BlackCat Ransomware Attacks https://www.hipaajournal.com/u-s-nationals-indicted-blackcat-ransomware-attacks/
- JAMA Network Open — Association of Ransomware Attacks With Disruptions at Nearby Hospitals (2021) https://jamanetwork.com/journals/jamanetworkopen
- HHS Office for Civil Rights — Proposed Modifications to the HIPAA Security Rule (2024) https://www.hhs.gov/hipaa/for-professionals/security/index.html
- U.S. Department of Justice — Computer Fraud and Abuse Act (18 U.S.C. § 1030) https://www.justice.gov/criminal/cybercrime