Apr 27, 2026 · 7 min read
A Former FBI Cyber Chief Says Hospital Ransomware Should Be Prosecuted as Terrorism—Congress Is Listening
Cynthia Kaiser spent 20 years at the FBI chasing cybercriminals. Now she wants ransomware gangs that target hospitals designated as terrorists and charged with murder when patients die.
460 Hospital Attacks in One Year
In February 2026, a ransomware attack forced clinics across Mississippi to close. Surgeries were cancelled. Patients were diverted. It was one of 460 ransomware attacks on hospitals and medical facilities that the FBI recorded in 2025, nearly double the 238 attacks documented in 2024. Healthcare overtook every other sector to become the single most targeted industry for ransomware.
On April 21, 2026, Cynthia Kaiser sat before a joint session of two House Homeland Security Committee subcommittees and laid out a proposal that would fundamentally change how the United States prosecutes ransomware. Kaiser served as deputy assistant director of the FBI's Cyber Division from 2022 to 2025, overseeing the agency's most sensitive cybercrime investigations. She is now senior vice president at Halcyon's Ransomware Research Center.
Her argument was blunt: "They have simply decided these deaths are someone else's problem."
The Terrorism Proposal
Kaiser proposed that the Departments of State, Justice, and Treasury formally evaluate whether ransomware groups that target hospitals qualify for designation as terrorist entities under Executive Order 13224, the post 9/11 authority originally created to combat terrorism financing.
A terrorism designation would unlock tools that go far beyond traditional cybercrime prosecution. It would enable asset freezes on the attackers' cryptocurrency holdings, material support charges against anyone who assists them, enhanced intelligence collection authorities, and diplomatic pressure on countries that harbor them. It would also potentially bring ransomware attacks within the scope of the Terrorism Risk Insurance Act of 2002, which could provide hospitals with financial coverage for cyber damages.
Kaiser's legal reasoning centers on the nature of the coercion. When a ransomware gang encrypts a hospital's systems and demands payment under threat of continued lockout, knowing that patients are being diverted, dialysis is being delayed, and surgery schedules are being cancelled, she argues that conduct meets the statutory definitions of terrorism.
The Murder Charges Proposal
Kaiser's second proposal is even more aggressive: federal prosecutors should evaluate whether felony murder charges are appropriate when ransomware attacks on hospitals result in patient deaths. Under felony murder statutes, a defendant does not need to have directly caused the death. If a death occurs during the commission of a dangerous felony, the person committing the felony can be charged with murder.
As Kaiser told lawmakers: "Felony murder law does not require that a defendant pull the trigger."
A 2023 University of Minnesota study estimated that dozens of Medicare patients died as a result of hospital ransomware attacks. Kaiser told Congress that the true number of lives lost "is almost certainly in the hundreds." In 2020, German authorities opened a negligent homicide investigation after a ransomware attack on Dusseldorf University Hospital forced paramedics to divert a patient to a hospital 20 miles away. She died en route. Prosecutors ultimately declined to bring charges, citing difficulty proving that the diversion directly caused the death.
Congress Appears Receptive
Lawmakers from both parties signaled openness to the proposals. Representative Michael Guest, the Mississippi Republican who chairs the Border Security and Enforcement subpanel, stated: "I believe there are no penalties too severe for individuals that would target our health care system." Guest's own state had just experienced the February 2026 hospital attack that closed clinics across Mississippi.
Representative Lou Correa, the top Democrat on Guest's subcommittee, noted that the legal framework already exists: "It sounds like the language is there, it just has not been applied in these circumstances." The fiscal 2025 Senate intelligence authorization bill had already drawn a direct link between ransomware and terrorism, though the final version softened the language.
The Trump administration's national cyber strategy has emphasized offensive approaches to hackers, and the Treasury Department has requested public feedback on whether the terrorism risk insurance program should be modified to cover cyber damages, suggesting the idea has traction beyond Capitol Hill.
Why Hospitals Are Targeted
Hospitals make ideal ransomware targets because they cannot afford downtime. When systems go offline, patient care degrades immediately. Emergency rooms divert ambulances. Lab results become inaccessible. Drug interaction checks fail. The pressure to pay is enormous, and ransomware gangs know it.
The doubling of attacks from 238 to 460 in a single year reflects a deliberate strategic shift by ransomware operators toward targets with the least tolerance for disruption. The NHS Synnovis ransomware attack that is still disrupting London hospitals almost two years later illustrates how long the damage can persist. In the United States, the 2024 Change Healthcare attack disrupted healthcare systems nationwide and is considered one of the most consequential cyberattacks in American history.
Healthcare providers also carry massive stores of sensitive personal data. Patient records include Social Security numbers, insurance information, medical histories, and contact details. When that data is stolen and leaked, patients face identity theft, insurance fraud, and the exposure of private medical conditions. The Covenant Health breach saw 478,000 patients wait seven months to be told their medical records were stolen.
What Happens Next
Kaiser's proposals face significant practical obstacles. Designating a ransomware group as a terrorist organization requires identifying specific individuals and organizational structures, which is difficult when the attackers operate from Russia or other non cooperative jurisdictions. Felony murder charges require arresting the defendants, which has historically been the hardest part of ransomware prosecution.
But the hearing marks a turning point in how policymakers frame ransomware. For years, hospital cyberattacks were treated as a law enforcement problem or a business continuity issue. Reframing them as acts of terrorism and potential homicides changes the calculus entirely. It opens new funding streams, new legal authorities, and new diplomatic leverage.
Whether Congress acts on Kaiser's proposals may depend on the next major hospital attack. With 460 attacks in 2025 and the pace still accelerating, the question is not whether another devastating incident will occur, but when.