Cynthia Kaiser, former deputy assistant director of the FBI’s Cyber Division and now senior vice president at Halcyon’s Ransomware Research Center, delivered explosive testimony to the House Homeland Security Committee on Tuesday, April 21, 2026, arguing that ransomware attackers targeting hospitals should face murder charges under federal felony murder law when their actions result in patient deaths. Kaiser’s call to weaponize an existing legal doctrine against cybercriminals represents a dramatic escalation in how the US government views hospital-targeting ransomware — not as a financial crime, but as a potential homicide.
Key Takeaways
- Felony murder law allows homicide charges for deaths during dangerous felonies without requiring intent to kill
- University of Minnesota study documents at least 47 patient deaths from hospital ransomware attacks between 2016 and 2021
- Kaiser estimates the true death toll today is “almost certainly in the hundreds”
- Kaiser urges terrorism designations for ransomware groups knowingly targeting hospitals and critical life-safety infrastructure
- Federal prosecutors currently lack guidance to pursue homicide charges in ransomware cases, despite the legal foundation existing
Why ransomware attackers murder charges matter now
Hospital ransomware attacks have killed patients for years, yet attackers face only Computer Fraud and Abuse Act charges — felonies punishable by imprisonment, but far removed from homicide penalties. The disconnect between crime severity and legal consequences is the core problem Kaiser identifies. When a ransomware gang encrypts a hospital’s systems, patients are diverted to other facilities, dialysis treatments are delayed, and surgeries are canceled. Under those conditions, if a patient dies, should the attacker face murder charges? Kaiser argues yes. The gap between what these criminals do and what the law allows prosecutors to charge them with has widened as ransomware targeting hospitals has accelerated. This is not a theoretical debate — it is a prosecutorial roadmap for a crime already happening.
The legal theory behind ransomware attackers murder charges is straightforward: felony murder doctrine does not require the defendant to pull the trigger. A bank robber unarmed and lacking intent to kill can still face homicide charges if a police officer shoots a bystander during the robbery. The dangerous felony itself — the bank robbery — created the condition that led to death. Ransomware targeting hospitals operates under the same principle. The attacker creates a dangerous condition knowing it will disrupt life-saving care. If death results, the causal chain is unbroken.
How felony murder law applies to ransomware on hospitals
Felony murder under federal law permits murder charges for deaths occurring during the commission of certain dangerous felonies, without requiring proof that the defendant intended to kill anyone. The doctrine rests on the idea that committing a dangerous felony demonstrates reckless disregard for human life. Dr. Melissa Hamilton, a Professor of Law, confirmed that “most cybercrimes are felonies so if a death results, then I think felony murder is potentially appropriate”. Criminal defense attorney Ryan Blanch added that “under current US law if it’s abundantly foreseeable that a cyberattack might result in death (such as where the victim is a hospital or ER) the cyber attacker could be charged with murder”.
Kaiser’s testimony emphasizes foreknowledge — the attacker must know that targeting a hospital’s systems endangers life. That knowledge transforms a financial extortion into something more sinister. She stated: “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within those definitions [of terrorism]”. The foreknowledge element distinguishes a hospital attack from a ransomware campaign targeting a retail chain or logistics company. The attacker’s awareness of harm is the linchpin.
The death toll from hospital ransomware attacks
Kaiser cited a University of Minnesota study documenting at least 47 deaths attributable to hospital ransomware attacks between 2016 and 2021. That five-year window is now five years old. Based on the acceleration of hospital-targeting ransomware since 2021, Kaiser estimates “the true number…is almost certainly in the hundreds today”. The gap between documented deaths and estimated deaths reflects a grim reality: not every hospital attack resulting in a patient death is formally attributed to the ransomware in public reports. Some deaths are classified under medical complications. Others are buried in settlement agreements or litigation confidentiality clauses. The true toll remains hidden.
This body count distinguishes hospital ransomware from other cybercrimes. A ransomware attack on a financial services firm or a manufacturing plant causes economic damage and operational disruption. A ransomware attack on a hospital causes death. That categorical difference is why Kaiser argues prosecutors should treat it differently under the law. She told Congress: “The gap between the severity of these crimes and the consequences that follow needs to close”. Without homicide charges as an option, prosecutors are forced to pursue lesser offenses that fail to reflect the gravity of the harm.
What Kaiser is asking the government to do
Kaiser urges the US State, Justice, and Treasury departments to evaluate terrorism designations for ransomware actors knowingly targeting hospitals and critical life-safety infrastructure. Terrorism designations carry their own legal weight, including asset freezing and financing restrictions. She also proposes leveraging Bush-era terror financing authority and the 2002 Terrorism Risk Insurance Act to apply designations and ensure hospital insurance coverage for cyber damages. These moves would operate in parallel to homicide prosecutions, creating multiple legal avenues to hold attackers accountable.
More immediately, Kaiser calls on federal prosecutors to be “empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life”. This is not a call for new legislation. The legal tools exist. What is missing is prosecutorial guidance and political will. Prosecutors need explicit direction from the Justice Department that homicide charges are within scope for hospital-targeting ransomware cases with documented deaths. Without that signal, prosecutors will default to Computer Fraud and Abuse Act charges — the familiar, tested route.
Why this approach differs from current ransomware prosecution
Today, ransomware attackers face federal charges under 18 U.S. Code § 1030, the Computer Fraud and Abuse Act, which treats ransomware as a cybercrime felony. Sentences can stretch years, but they are capped by the statute’s maximum penalties, typically ranging from 10 to 20 years depending on aggravating factors. Felony murder, by contrast, carries potential life sentences or death penalties in some states. The severity gap is enormous. Kaiser’s argument is that the law already permits the harsher charge — prosecutors simply have not used it. Applying felony murder to hospital ransomware would not require new legislation, only a shift in prosecutorial strategy and DOJ guidance.
Is felony murder the right tool for ransomware?
The proposal is not without skepticism. Some legal scholars worry that extending felony murder to cybercrime sets a precedent that could broaden the doctrine beyond its intended scope. Others question whether “foreknowledge” of harm is sufficiently proven in ransomware cases, where attackers operate from jurisdictions outside US reach and may not directly communicate with hospital staff. Still, Kaiser’s core argument is sound: if the attacker knows the target is a hospital, knows the attack will disrupt care, and a patient dies as a result, the causal and intentional elements of felony murder are satisfied. The legal theory is not novel — it is an application of existing doctrine to a new crime.
FAQ
Can ransomware attackers actually be charged with murder under current US law?
Yes. Felony murder doctrine exists in federal law and does not require the defendant to intend to kill — only to commit a dangerous felony that results in death. The legal foundation is already present. What is missing is prosecutorial guidance and political will to apply it to ransomware cases.
How many people have died from hospital ransomware attacks?
A University of Minnesota study documented at least 47 deaths between 2016 and 2021. Cynthia Kaiser estimates the true number today is “almost certainly in the hundreds,” reflecting the acceleration of hospital-targeting attacks and underreporting of deaths linked to ransomware.
What is the difference between felony murder and manslaughter charges?
Felony murder typically carries greater penalties than manslaughter, including potential life sentences or death penalties in some states, whereas manslaughter penalties are generally lower. Felony murder does not require proof of intent to kill, only that death resulted from a dangerous felony.
Kaiser’s testimony marks a turning point in how the US government views hospital-targeting ransomware. It is no longer merely a financial crime or a data breach — it is a life-threatening attack on critical infrastructure that should carry the same legal weight as other crimes that kill. Whether prosecutors adopt her recommendation remains to be seen, but the argument is now on the record before Congress, and the legal foundation is solid. The next ransomware gang that targets a hospital and causes a patient death may face charges far more serious than they anticipated.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
