Ransomware in the middle of a clinic day
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.
The first hour
1. Stop the spread: unplug network cables and disable Wi-Fi on every affected machine. Do not power them off — memory has evidence.
2. Convert the schedule. Decide now: see today's patients on paper, divert to urgent care, or close the office. The clinical lead owns this call, not IT.
3. Pull the paper downtime forms. Vitals, intake, prescription pad, refusal-of-care language. Most practices have these and have never used them.
4. Call the cyber insurer first, then the MSP, then counsel. The insurer often dictates the IR vendor.
5. Start a written timeline. Every action, every call, every decision, with timestamps. This becomes your documentation for OCR (the HHS Office for Civil Rights).
6. Identify a single spokesperson. The front desk needs one script for patients calling about appointments and refills.
Frequently asked
Do we have to notify patients today?
No. The HIPAA Breach Notification Rule gives you up to 60 days from discovery to notify affected patients, and HHS at the same time if 500 or more patients are involved in a jurisdiction. Some states (CA, FL, others) shorten this to 30–45 days. Today's job is containment, evidence preservation, and patient safety — not the notification letter.
Should we pay the ransom?
Decide with counsel and the insurer in the room. OFAC sanctions some ransomware groups, and payment to a sanctioned entity is a federal violation regardless of intent. The insurer's IR vendor will check the wallet against sanctions lists before any payment is considered.
Can we keep seeing patients?
Sometimes. If you can verify identities (paper ID plus a known patient panel), capture vitals on paper, and prescribe without depending on EPCS (electronic prescribing of controlled substances), a downtime clinic is workable for a half-day. Stop if you can't safely verify allergies or active medications.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.