On a Tuesday morning in March 2024, staff at a 12-physician family practice in Ohio arrived to find their EHR completely inaccessible. Every patient record, every schedule, every billing file — locked. A ransom note on the screen demanded $180,000 in Bitcoin within 72 hours.
The practice had no usable backups. They paid. It still took three weeks to fully restore operations. The total cost, including the ransom, recovery work, staff overtime, and lost revenue, exceeded $400,000.
This is not an unusual story. Healthcare has been the most targeted industry for ransomware for five consecutive years. Small and mid-size practices are hit just as often as large health systems — sometimes more often, because attackers know smaller organizations are less likely to have dedicated security staff.
This guide explains how ransomware attacks actually work, what they cost medical practices specifically, and the concrete steps that meaningfully reduce your risk.
- What ransomware is and how it works
- How attackers get into medical practices (the three main entry points)
- What a ransomware attack actually costs
- Your HIPAA obligations when ransomware strikes
- The 7 controls that stop most ransomware attacks
- What to do if you are hit right now
What Ransomware Is and How It Works
Ransomware is malicious software that encrypts files on a computer or network, making them completely inaccessible, then demands payment to provide the decryption key. Modern ransomware is typically operated by criminal organizations that run it as a subscription business — selling access to other criminals in exchange for a cut of the ransom (a model called “Ransomware-as-a-Service”).
A typical ransomware attack against a medical practice follows a predictable sequence:
How Attackers Get Into Medical Practices
Understanding the entry points is the most important step toward prevention. The vast majority of ransomware attacks on medical practices use one of three vectors:
1. Phishing Emails
A staff member receives an email that looks like it is from a vendor, insurance company, or colleague. The email contains a link or attachment. Clicking it either installs malware directly or captures login credentials that the attacker uses to gain access. Roughly 70% of ransomware attacks begin with a phishing email.
Medical practice staff are particularly targeted because they regularly receive attachments from unfamiliar senders: patient referrals, lab results, insurance correspondence. Attackers craft emails that mimic exactly these scenarios.
2. Exposed Remote Desktop Protocol (RDP)
Remote Desktop Protocol allows staff or IT vendors to access practice computers remotely. Many practices set up RDP without strong security controls — no MFA, default ports, weak passwords. Attackers scan the internet continuously for exposed RDP ports and brute-force their way in. Once inside via RDP, they have full control of that machine and can move through the network.
If your practice has RDP enabled and exposed directly to the internet without MFA and a VPN, this is one of the highest-risk configurations possible.
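Detecting the brute-force pattern described above, as an added example that is not part of the original article: a small Python detector over a constructed export of Windows Security log events (Event ID 4625 failed logons and 4624 successes, with Logon Type 10, the RemoteInteractive type that RDP sessions use), flagging source addresses that hammer many accounts in a short window and noting whether a successful logon followed the burst. The column layout, thresholds and sample data are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample export (not real log data). Columns: timestamp, Event ID,
# Logon Type, account, source IP. 4625 = failed logon, 4624 = success, type 10 = RDP.
SAMPLE_EVENTS = """\
2024-03-05T02:14:01,4625,10,administrator,203.0.113.45
2024-03-05T02:14:09,4625,10,administrator,203.0.113.45
2024-03-05T02:14:17,4625,10,admin,203.0.113.45
2024-03-05T02:14:25,4625,10,admin,203.0.113.45
2024-03-05T02:14:33,4625,10,frontdesk,203.0.113.45
2024-03-05T02:16:02,4624,10,frontdesk,203.0.113.45
2024-03-05T08:01:10,4625,10,dr.patel,198.51.100.7
2024-03-05T08:01:30,4624,10,dr.patel,198.51.100.7
2024-03-05T09:12:00,4625,2,reception,192.0.2.10
"""
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

def parse_events(text):
    """Parse the CSV-style export into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, logon_type, account, ip = line.split(",")
            events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                           "logon_type": int(logon_type), "account": account, "ip": ip})
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag IPs with >= threshold failed RDP logons in any `window`; note a later success."""
    by_ip = {}
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:   # ignore console/local logons
            by_ip.setdefault(e["ip"], []).append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == FAILED_LOGON]
        peak = start = 0                        # sliding window over failures
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]["time"]       # a success after the burst = likely guessed
            findings[ip] = {
                "failures": len(fails),
                "accounts": sorted({e["account"] for e in fails}),
                "success_after": any(e["event_id"] == SUCCESS_LOGON and e["time"] > last_fail
                                     for e in evs),
            }
    return findings
```

A flagged address with `success_after` set to true is the case to treat as a probable compromise rather than just noise: the account that finally logged in needs its password reset and the session investigated.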
3. Unpatched Software Vulnerabilities
Software vulnerabilities are publicly disclosed regularly. When a critical patch is released, attackers immediately begin scanning for systems that have not applied it. Medical practices that run old operating systems (Windows 7, Windows Server 2008) or delay patching — often because updates disrupt clinical workflows — are particularly exposed. Healthcare has the longest average time-to-patch of any regulated industry.
What a Ransomware Attack Actually Costs
The ransom demand is only one line item. Here is the full picture:
| Cost Category | Typical Range (Small Practice) |
|---|---|
| Ransom payment | $50,000 – $500,000 |
| IT recovery & forensics | $25,000 – $150,000 |
| Downtime & lost revenue | $10,000 – $50,000 per day |
| HIPAA breach notification | $5,000 – $50,000 |
| Legal fees | $15,000 – $100,000 |
| OCR fines (if HIPAA violations found) | $10,000 – $1,000,000+ |
| Total | $200,000 – $2,000,000+ |
The average downtime for a healthcare ransomware attack is 18 days. For a small practice that cannot see patients or process billing during that time, the financial consequences can be existential.
Your HIPAA Obligations When Ransomware Strikes
Many practice owners assume a ransomware attack is an IT problem, not a HIPAA problem. This is wrong. Under HIPAA, a ransomware attack is presumed to be a reportable breach unless you can demonstrate the data was not accessed or exfiltrated — a very high bar to clear after the fact.
If ransomware encrypts ePHI in your systems, you are likely required to:
- Notify affected patients within 60 days of discovering the breach. If more than 500 patients in a state are affected, you must also notify prominent media outlets in that state.
- Notify HHS OCR within 60 days. If fewer than 500 patients are affected, you can submit to OCR within 60 days of the end of the calendar year.
- Conduct a forensic investigation to determine what was accessed and how, which is required for the breach assessment. This must be documented.
OCR has made clear that practices with weak security controls — no MFA, no encryption, no risk analysis, no backups — face significantly higher penalties when a breach occurs.
The 7 Controls That Stop Most Ransomware Attacks
The good news: the majority of ransomware attacks are preventable with well-known controls. Here are the seven highest-impact steps, in priority order:
What to Do If You Are Hit Right Now
If you suspect ransomware is active in your network right now, every minute matters. Here is the immediate sequence:
The Honest Bottom Line
Ransomware is not a problem that medical practices can ignore or defer. It is the most common and most financially devastating cyber threat in healthcare, and small practices are actively targeted.
The controls that prevent most attacks are not exotic or expensive. MFA, isolated backups, patching, and staff training — these are achievable for any practice. The gap between “attacked and destroyed” and “attacked and stopped” is almost always whether these basics were in place.
If you do not know whether your practice has these controls in place, that uncertainty is itself a risk that needs to be addressed.