
Ransomware and Medical Practices: How Attacks Happen, What They Cost, and How to Protect Your Practice

Cybersecurity & HIPAA
Healthcare is the most targeted industry for ransomware. Here is exactly what happens during an attack — and the specific steps that prevent it.

On a Tuesday morning in March 2024, staff at a 12-physician family practice in Ohio arrived to find their EHR completely inaccessible. Every patient record, every schedule, every billing file — locked. A ransom note on the screen demanded $180,000 in Bitcoin within 72 hours.

The practice had no usable backups. They paid. It still took three weeks to fully restore operations. The total cost, including the ransom, recovery work, staff overtime, and lost revenue, exceeded $400,000.

This is not an unusual story. Healthcare has been the most targeted industry for ransomware for five consecutive years. Small and mid-size practices are hit just as often as large health systems — sometimes more often, because attackers know smaller organizations are less likely to have dedicated security staff.

This guide explains how ransomware attacks actually work, what they cost medical practices specifically, and the concrete steps that meaningfully reduce your risk.

In This Article
  • What ransomware is and how it works
  • How attackers get into medical practices (the three main entry points)
  • What a ransomware attack actually costs
  • Your HIPAA obligations when ransomware strikes
  • The 7 controls that stop most ransomware attacks
  • What to do if you are hit right now

What Ransomware Is and How It Works

Ransomware is malicious software that encrypts files on a computer or network, making them inaccessible, and then demands payment for the decryption key. Modern ransomware is typically run by criminal organizations as a subscription business: the operator builds the malware, the leak site, and the payment infrastructure, and "affiliates" who break into victims use that kit in exchange for a share of each ransom (a model called "Ransomware-as-a-Service"). The practical consequence for a practice is that the person who phished your front desk and the group that negotiates the ransom are often two different criminals, and initial access to your network is itself bought and sold.

A typical ransomware attack against a medical practice follows a predictable sequence:

1. Initial access
The attacker gets a foothold, usually via a phishing email, a stolen or guessed password, or an unpatched vulnerability in internet-facing software (a remote desktop service or a VPN appliance).

2. Reconnaissance and lateral movement (days to weeks)
The attacker moves quietly through your network: mapping shared drives, locating backup systems and domain controllers, stealing more credentials, and escalating to administrator privileges. Nothing is encrypted yet, and without monitoring you have no idea they are there.

3. Data exfiltration
Before encrypting anything, most modern ransomware groups copy patient data out of your network. This gives them a second lever: "Pay or we publish your patients' records." It also means the incident is a data breach, not just an outage, even if you restore every file from backup.

4. Encryption
The ransomware is deployed at once across every system the attacker can reach, often overnight or on a weekend when nobody is watching. Files are encrypted in minutes. Volume shadow copies are deleted first, and any backups reachable over the network are encrypted along with everything else.

5. Extortion
The ransom note appears. You have a deadline. The attacker has a negotiation portal and "customer support." This is a business to them.

How Attackers Get Into Medical Practices

Understanding the entry points is the most important step toward prevention. The vast majority of ransomware attacks on medical practices use one of three vectors:

1. Phishing Emails

A staff member receives an email that looks like it is from a vendor, insurance company, or colleague. The email contains a link or attachment. Opening it either installs malware directly or leads to a fake login page that captures the user's credentials (and, increasingly, the session token that lets the attacker bypass a one-time code). Roughly 70% of ransomware attacks begin with a phishing email.

Medical practice staff are particularly targeted because they regularly receive attachments from unfamiliar senders: patient referrals, lab results, insurance correspondence. Attackers craft emails that mimic exactly these scenarios.

2. Exposed Remote Desktop Protocol (RDP)

Remote Desktop Protocol allows staff or IT vendors to access practice computers remotely. Many practices expose RDP directly to the internet (on its default TCP port 3389, or on a "hidden" port that internet-wide scanners still find within minutes) with no MFA, no lockout policy, and weak or reused passwords. Attackers scan the internet continuously for exposed RDP, then brute-force or password-spray accounts, or simply buy working credentials from brokers who have already done so. Once inside via RDP, they have an interactive desktop on that machine and can move through the rest of the network.

If your practice has RDP enabled and exposed directly to the internet without MFA and a VPN, this is one of the highest-risk configurations possible.
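The check below is an added example written for this article; it is not code from the original page or from any vendor it mentions. It audits a single Windows host for the configuration just described: whether RDP is enabled, whether Network Level Authentication is required, whether the Windows Firewall rule accepts RDP from any remote address, and whether the Security log shows the brute-force pattern of many failed logons of type 10 (RemoteInteractive, i.e. RDP) from the same source. The 24-hour window, the 100-failure threshold, and the English display-group name "Remote Desktop" are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit one Windows host for exposed, unprotected RDP.
# Assumptions: run as Administrator; English Windows (firewall group name);
# 24h window and 100-failure threshold chosen for illustration.

$report = [ordered]@{}

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report['RdpEnabled'] = ($ts.fDenyTSConnections -eq 0)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$report['NlaRequired']   = ($rdpTcp.UserAuthentication -eq 1)
$report['ListeningPort'] = $rdpTcp.PortNumber   # a non-3389 port is not a security control

# 3. Which remote addresses do the enabled RDP firewall rules accept?
$scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
$report['FirewallRemoteScope'] = (@($scopes) | Sort-Object -Unique) -join ', '
$report['OpenToAnyAddress']    = (@($scopes) -contains 'Any')

# 4. Failed logons (Event ID 4625) of logon type 10 = RemoteInteractive (RDP), last 24h, per source IP.
$since = (Get-Date).AddHours(-24)
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{ Ip = $d['IpAddress']; LogonType = $d['LogonType']; User = $d['TargetUserName'] }
    } |
    Where-Object { $_.LogonType -eq '10' }

$bySource = @($failures) | Group-Object Ip | Sort-Object Count -Descending
$report['RdpFailedLogons24h'] = @($failures).Count
$report['TopFailureSources']  = ($bySource | Select-Object -First 5 |
    ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

[pscustomobject]$report | Format-List

# Assumed threshold: >100 RDP failures from one address in a day is an attack, not a typo.
$attackers = $bySource | Where-Object Count -gt 100
if ($report['RdpEnabled'] -and $report['OpenToAnyAddress']) {
    Write-Warning 'RDP is enabled and the firewall rule accepts connections from ANY address.'
}
if ($report['RdpEnabled'] -and -not $report['NlaRequired']) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
if ($attackers) {
    Write-Warning ('Brute-force pattern from: ' + (($attackers | ForEach-Object Name) -join ', '))
}
```

Two caveats when reading the output. A firewall scope of "Any" on the host is only dangerous if the router or firewall in front of it actually forwards the port, so confirm exposure from outside as well (a port scan of your public IP from a phone on cellular data is enough). And a clean Security log proves little if the log is small or has rolled over; raise the Security log size and forward it off the host before relying on it for this kind of check.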

3. Unpatched Software Vulnerabilities

Software vulnerabilities are publicly disclosed regularly. When a critical patch is released, attackers compare the patched and unpatched code, build an exploit, and begin scanning for systems that have not applied it, often within days. Medical practices that run unsupported operating systems (Windows 7, Windows Server 2008, Windows Server 2012) or delay patching, often because updates disrupt clinical workflows or because an EHR or imaging vendor "does not support" the new version, are particularly exposed. Healthcare has the longest average time-to-patch of any regulated industry.

What a Ransomware Attack Actually Costs

The ransom demand is only one line item. Here is the full picture:

Cost category                                Typical range (small practice)
Ransom payment                               $50,000 – $500,000
IT recovery and forensics                    $25,000 – $150,000
Downtime and lost revenue                    $10,000 – $50,000 per day
HIPAA breach notification                    $5,000 – $50,000
Legal fees                                   $15,000 – $100,000
OCR penalties (if HIPAA violations found)    $10,000 – $1,000,000+
Total                                        $200,000 – $2,000,000+

Note: Paying the ransom does not guarantee recovery. The decryptor the attacker provides is often slow or buggy, and paying does nothing about the copy of your patient data they already exfiltrated. The FBI advises against paying; many practices that pay still lose data and still face the HIPAA breach process described below.

The average downtime for a healthcare ransomware attack is 18 days. For a small practice that cannot see patients or process billing during that time, the financial consequences can be existential.

Your HIPAA Obligations When Ransomware Strikes

Many practice owners assume a ransomware attack is an IT problem, not a HIPAA problem. This is wrong. Under HIPAA, a ransomware infection that encrypts ePHI is a security incident, and OCR's guidance is that it is presumed to be a reportable breach unless you can demonstrate a low probability that the PHI was compromised, using the four-factor risk assessment in the Breach Notification Rule (nature of the data, who obtained it, whether it was actually acquired or viewed, and how far the risk was mitigated). After the fact, with the attacker having had weeks of unmonitored access, that is a very high bar to clear.

If ransomware encrypts ePHI in your systems, you are likely required to:

Notify affected patients without unreasonable delay, and no later than 60 calendar days after discovering the breach. If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area.

Notify HHS OCR. For breaches affecting 500 or more individuals, notify OCR at the same time as patients, within 60 days of discovery. For breaches affecting fewer than 500, log the breach and submit it to OCR within 60 days after the end of the calendar year in which it was discovered.

Conduct and document a forensic investigation to determine what was accessed, exfiltrated, or encrypted, and how the attacker got in. This is what the four-factor risk assessment has to rest on, and it must be in writing; "we restored from backup and assumed nothing was taken" is not an assessment.

OCR has made clear that practices with weak security controls — no MFA, no encryption, no risk analysis, no backups — face significantly higher penalties when a breach occurs.

The 7 Controls That Stop Most Ransomware Attacks

The good news: the majority of ransomware attacks are preventable with well-known controls. Here are the seven highest-impact steps, in priority order:

1. Enable MFA on everything
Multi-factor authentication stops most credential-based attacks. Enable it on email, the EHR, remote access, and every cloud service. If an attacker gets a staff password but cannot pass MFA, they are locked out. Prefer an authenticator app or a hardware key over SMS codes, and be aware that push notifications can be approved by a tired user and one-time codes can be relayed by a fake login page, so pair MFA with phishing training rather than treating it as a complete answer.

2. Implement offline or immutable backups
Backups connected to your network will be encrypted along with everything else, and attackers look for them during reconnaissance specifically so they can destroy them first. You need at least one copy ransomware cannot reach: cloud backups in immutable storage, offline drives rotated off-site, or a backup system with its own credentials that is isolated from your main network. Test restores quarterly, from the isolated copy, and keep the written result; a backup that has never been restored is a hope, not a backup.

3. Patch aggressively and regularly
Critical security patches should be applied within 48–72 hours of release. Operating systems, browsers, and internet-facing applications (VPN appliances, remote desktop gateways) are the highest priority; anything listed in CISA's Known Exploited Vulnerabilities catalog is being used in real attacks and should jump the queue. Retire any system running an unsupported OS.

4. Put RDP behind a VPN with MFA
Remote Desktop should never be exposed directly to the internet. Require staff and vendors to connect through a VPN first (with MFA on the VPN), then use RDP inside that encrypted tunnel, and turn on Network Level Authentication on the hosts themselves. This eliminates the most common ransomware entry point for small practices. The VPN appliance then becomes the thing exposed to the internet, so it has to be patched on the same 48–72 hour schedule.

5. Deploy endpoint detection and response (EDR)
Traditional signature-based antivirus does not catch modern ransomware, which is rebuilt per victim. EDR tools monitor behavior in real time (mass file renames, shadow copy deletion, credential dumping) and can stop the encryption phase while it is running, sometimes before any data is lost. Solutions like Microsoft Defender for Business are priced for small organizations. EDR only helps if someone responds to its alerts, so either watch it or buy it as a managed service.

6. Train staff to recognize phishing
HIPAA requires a security awareness and training program, and most practices satisfy it with an annual session. Annual is not enough to build real habits. Quarterly phishing simulations, where staff receive fake phishing emails and get immediate feedback when they click, measurably reduce click rates over time. Make it easy and blame-free to report a suspicious email; the first person to report is your earliest detection.

7. Have a written incident response plan
When ransomware hits, you have hours, not days, to make critical decisions under extreme stress. Who do you call? Do you isolate systems or keep them running? Who can authorize shutting down the EHR? Do you notify OCR now or wait for the investigation? A pre-written incident response plan, with phone numbers printed on paper because your email may be down, means you are executing a plan instead of improvising. HIPAA's Security Rule requires security incident procedures, so the plan is a compliance item as well as an operational one.

What to Do If You Are Hit Right Now

If you suspect ransomware is active in your network right now, every minute matters. Here is the immediate sequence:

⚠️ Immediate response steps
1. Disconnect affected systems from the network immediately. Unplug ethernet cables. Turn off Wi-Fi. This stops the spread. Do NOT turn off the computers: forensic evidence (and sometimes the encryption key) may be in RAM. Only if you physically cannot disconnect a machine, power it down as a last resort.
2. Call your IT provider right now. If you do not have one, call a cybersecurity incident response firm. Do not try to investigate or remediate this yourself, and do not restore from backup onto a network the attacker may still be in.
3. Do not pay the ransom yet. Consult with legal counsel and your IT provider first. Payment may not restore your data, and payments to a sanctioned group can themselves violate U.S. Treasury (OFAC) rules, so the decision needs counsel, not a deadline on a ransom note.
4. Preserve all evidence. Do not wipe or reformat systems. Take photos of ransom notes on screens. Save all logs, including logs from the firewall and the VPN, which may be the only record of how the attacker got in. You will need this for forensics, insurance, and HIPAA reporting.
5. Notify your cyber insurance carrier. Most policies require prompt notification and many name the response firm you must use. Late notification can void coverage.
6. Assume it is a HIPAA breach. Begin your breach response process. The 60-day notification clock runs from discovery, which is now. Start documenting from this moment.
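If the machine is in front of you, pull the cable first; that alone preserves what is in RAM. The script below is an added example written for this article, not code from the original page or from any incident response firm, for the other case: a host you can only reach through a remote management session, where disabling the network will end your session and you want volatile evidence captured before that happens. It writes process, connection, persistence, shadow copy and event log data to a dated local folder, hashes the collected files for chain of custody, and only then disables every network adapter, leaving the machine powered on. The output folder is an assumption; point it at an external drive if one is attached. Run it elevated.

```powershell
# Added example: capture volatile evidence, then isolate a suspected ransomware host.
# Assumptions: run as Administrator on Windows 8/Server 2012 or later;
# output folder C:\IR-<host>-<timestamp> (use an attached external drive if you can).

$out = "C:\IR-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-Date | Out-File "$out\collected-at.txt"

# --- Volatile data first: gone on reboot --------------------------------------
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Export-Csv "$out\processes.csv" -NoTypeInformation
Get-NetTCPConnection |
    Select-Object State, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$out\tcp-connections.csv" -NoTypeInformation
Get-SmbSession -ErrorAction SilentlyContinue |
    Export-Csv "$out\smb-sessions.csv" -NoTypeInformation
quser 2>$null | Out-File "$out\logged-on-users.txt"

# --- Persistence the attacker may have planted --------------------------------
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State, Author |
    Export-Csv "$out\scheduled-tasks.csv" -NoTypeInformation
Get-Service | Where-Object Status -eq 'Running' |
    Select-Object Name, DisplayName, StartType |
    Export-Csv "$out\services.csv" -NoTypeInformation
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Out-File "$out\run-keys-hklm.txt"
Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Out-File "$out\run-keys-hkcu.txt"

# --- Shadow copies: ransomware usually deletes these right before encrypting ----
vssadmin list shadows 2>&1 | Out-File "$out\shadow-copies.txt"

# --- Event logs: export now, the attacker may clear them -----------------------
$logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
        'Microsoft-Windows-PowerShell/Operational'
foreach ($log in $logs) {
    $file = Join-Path $out (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $file 2>$null
}

# --- Chain of custody: hash everything collected --------------------------------
Get-ChildItem $out -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv "$out\evidence-hashes.csv" -NoTypeInformation

# --- Isolate last. Do NOT shut down. ---------------------------------------------
foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    Write-Host "Disabling network adapter: $($nic.Name)"
    Disable-NetAdapter -Name $nic.Name -Confirm:$false
}
Write-Host "Evidence saved to $out. Leave the machine on, note the time, and call your incident responder."
```

The order matters: collection runs before isolation because a remote session dies the moment the adapters go down, and everything is written to disk before hashing so the hash list covers the whole set. If the EDR console offers a one-click "isolate host" that keeps its own management channel open, use that instead; it does the same thing without cutting you off. Hand the folder, the hash list, and the time you ran this to the response firm with the ransom-note photos, and do not run anything else on the host afterward.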

The Honest Bottom Line

Ransomware is not a problem that medical practices can ignore or defer. It is the most common and most financially devastating cyber threat in healthcare, and small practices are actively targeted.

The controls that prevent most attacks are not exotic or expensive. MFA, isolated backups, patching, and staff training — these are achievable for any practice. The gap between “attacked and destroyed” and “attacked and stopped” is almost always whether these basics were in place.

If you do not know whether your practice has these controls in place, that uncertainty is itself a risk that needs to be addressed.

Atlantic Computer Systems
Find out how exposed your practice really is — for free.
Our free 30-minute IT & HIPAA Security Assessment reviews your ransomware defenses, backup strategy, remote access setup, and more. No obligation, no jargon — just a clear picture of where you stand.
Book Your Free Assessment →
