Ten Years of Cybersecurity: From $17,000 Ransoms to 100 Million Patient Records
In April 2016, we wrote about Hollywood Presbyterian Medical Center paying $17,000 in Bitcoin to ransomware attackers. It was shocking. A hospital, held hostage by criminals demanding cryptocurrency. The future, it turned out, was worse than anyone imagined.
Ten years later:
- Ransomware payments average over $1 million
- The largest healthcare breach exposed 100+ million patients' data
- AI can clone any voice in seconds and generate perfect phishing at scale
- Supply chain attacks can compromise thousands of organizations through a single vendor
- Cyber warfare between nations is daily reality
- A security software update crashed 8.5 million computers worldwide
And the defense against all of it? The same five things we recommended in 2016.
A Decade, Event by Event
2016: Ransomware arrives. Healthcare is the first target.
2017: WannaCry and NotPetya show ransomware can be weaponized at nation-state scale. Equifax loses 147 million SSNs.
2018: Cambridge Analytica proves data privacy matters. GDPR takes effect.
2019: Cities fall to ransomware. Baltimore, Riviera Beach, Lake City. Nobody is safe.
2020: COVID forces the world remote overnight. Security scrambles to keep up. The SolarWinds breach reveals supply chain compromise.
2021: Colonial Pipeline pays $4.4 million after a reused password gives attackers access. The Kaseya attack hits MSPs. Log4Shell proves open source dependencies are attack surfaces.
2022: Russia invades Ukraine. Cyber warfare goes hot. LastPass breach exposes password vault data.
2023: ChatGPT eliminates phishing indicators overnight. MGM loses $100 million to a phone call. MOVEit exposes 60 million records.
2024: Change Healthcare: no MFA on a Citrix portal leads to a breach of 100+ million patients' data. CrowdStrike: one faulty update crashes 8.5 million computers.
2025: AI deepfakes become standard attack tools. HIPAA proposes mandatory encryption and MFA. Law firms become the #1 ransomware target.
What We Got Right
Every major breach in the last decade was preventable with basic security controls. Every single one. MFA would have stopped Change Healthcare. Patching would have stopped WannaCry. Backup testing would have prevented every ransom payment. Training would have caught the MGM social engineering call.
The fundamentals work. They've always worked. They'll keep working.
What's Next
The next decade will bring quantum computing threats to current encryption, AI that can autonomously discover and exploit vulnerabilities, regulations that make security controls legally mandatory across all industries, and threats we haven't imagined yet.
The defense will still be: MFA, backups, patching, training, and incident response planning.
Ten years. Same five recommendations. Because they work. Here's to the next ten.