This article highlights the increase in cyber-attacks on medical institutions. This news article argues that the increase came to light around 2018. In October of that year, a municipal hospital in Uda, Nara Prefecture, was infected with ransomware that kept the hospital from accessing the medical charts of more than 1,000 patients. In December 2020, facilities at Fukushima Medical University in Japan faced a ransomware attack, and their CT system had a temporary glitch. However, the hospital did not file a report with the Ministry of Health, Labour and Welfare or the police because the hospital “determined” (≈ assumed) that the virus infection did not harm the electronic medical record system or caused any external patient information leakage. Thus, a detailed investigation into the infection route was not conducted, and patients were told to take their CT scans again without any formal explanations. Not only does this case reflect the lack of guidelines on public-private cybersecurity arrangements for medical institutions, but it also reflects how institutions do not get penalized for not reporting to the government sector after cyber breaches. While in 2005, the Health, Labor and Welfare Ministry drew up guidelines on cybersecurity for medical institutions and urged them to devise countermeasures, this article clearly shows how Japanese medical institutions have not established a strong cyber resilience measure.