Hospitals face another hazard from cyberattacks: credit downgrades

Hospitals have to guard against cyberattacks to protect their patients and avoid long and costly disruptions.

Fitch Ratings has lowered the credit ratings of two hospitals due to the financial fallout from cyberattacks. Other hospitals could see downgrades if they see costs pressures from breaches, Fitch says.

Now, hospitals and health systems need to consider another consequence if they suffer a breach: the possibility of damage to their credit.

Recently, Fitch Ratings says it has lowered the ratings for two nonprofit hospitals: Palomar Health in California and Frederick Health Hospital in Maryland.

Many hospitals have suffered cyberattacks in recent years, and Fitch Ratings notes that those attacks haven’t typically had an impact on their ratings.

But cyberattacks can be especially problematic for smaller providers that don’t have the resources of some larger health systems.

In downgrading Frederick Health and Palomar, Fitch noted that the two systems have been weathering financial challenges.

“Both providers are comparatively smaller with relatively weaker balance sheets and limited cushion for additional stress,” Fitch said.

Fitch has lowered Palomar’s ratings twice in the past few months, in December 2024 and again in March 2025. Its rating dropped from a “BB+” to a “B-” over the course of those four months. Fitch noted Palomar’s “pressured financial performance, which was exacerbated by a significant cyber event whose recovery lasted several months and severely disrupted operations and key billing functions.”

Kevin Holloran, senior director and leader of Fitch’s nonprofit healthcare group, said in a January webinar that Palomar is the first hospital to receive a downgrade tied to a cyberattack. “That's the first time we've seen an impact from cyber really raise the level of having an impact on the rating,” he said.

Fitch downgraded from “BBB+” to “BBB” in February 2025 due to its lagging financial rebound. The downgrade also reflects the questions surrounding the long-lasting impacts of a recent cyberattack.

“Fitch believes the attack and potentially prolonged recovery may lead to a heightened level of stress and weaken financial metrics,” the group said.

Hospitals need to take steps to bolster their cybersecurity and their ability to respond and recover from a cyberattack, Fitch says. If hospitals see extended disruptions and weakened financial performance due to an attack, Fitch said they could see a downgrade.

“Fitch may take negative rating action if a hospital’s financial profile is deemed to be materially impaired, or at risk for impairment, in the aftermath of a cyber event,” Fitch said.

Hospitals typically can weather the disruption of a cyberattack if they have sufficient financial reserves, Fitch says.

But cyberattacks bring long-term costs that go beyond the breach. Health systems may end up spending more on bolstering equipment or paying higher premiums for cybersecurity insurance, Fitch notes. Health systems may also find themselves hiring more staff for cybersecurity.

Rural hospitals are facing substantial risks from cyberattacks, according to a Microsoft report released this month.

Hospitals lose $1.9 million per day, on average, for each day of downtime following a ransomware attack, according to the Microsoft report. The typical ransomware attack can leave hospitals without access to key electronic services, including electronic health records, for up to 18 days, the report stated.

Retired Army General Paul Nakasone, the former leader of the U.S. Cyber Command, noted the dangers to smaller facilities at the HIMSS Global Health Conference & Exhibition earlier this month.

“These rural hospitals have limited funds, have limited capabilities, and they are often the target of ransomware actors,” Nakasone said.

The average cost of a healthcare data breach is $9.7 million, according to a report from IBM Security released last July.

Hundreds of hospitals and healthcare organizations have suffered cyberattacks in recent years. Cybersecurity experts note that many hospitals experience attacks tied to breaches and vulnerabilities with their vendors.

John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said 259 million Americans were impacted by breaches of health data in 2024.

At the HIMSS conference, Riggi said, “Cyberattacks against healthcare have increased dramatically, actually exponentially, since 2020.”