Ransomware in the middle of a clinic day
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.
The first hour
- 1Stop the spread: unplug network cables and disable Wi-Fi on every affected machine. Do not power them off — memory has evidence.
- 2Convert the schedule. Decide now: see today's patients on paper, divert to urgent care, or close the office. The clinical lead owns this call, not IT.
- 3Pull the paper downtime forms. Vitals, intake, prescription pad, refusal-of-care language. Most practices have these and have never used them.
- 4Call the cyber insurer first, then the MSP, then counsel. The insurer often dictates the IR vendor.
- 5Start a written timeline. Every action, every call, every decision, with timestamps. This becomes your OCR documentation.
- 6Identify a single spokesperson. The front desk needs one script for patients calling about appointments and refills.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Do NOT reboot or reimage affected machines — RAM contains encryption keys and indicators of compromise IR firms need.
- Screenshot the ransom note and any attacker contact channel (do not click links).
- Preserve firewall, VPN, EDR, and EHR audit logs — most have a short retention window.
- Photograph the physical state of the affected workstations and server rack.
- Save a copy of every email exchanged with the attacker or insurer in a separate, clean mailbox.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal (500+ patients = immediate)
- CISA — Report a cyber incident
- FBI IC3 (ransomware reporting)
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Do we have to notify patients today?+
No. The HIPAA Breach Notification Rule gives you up to 60 days from discovery to notify affected patients, and HHS at the same time if 500+ patients are involved in a jurisdiction. Some states (CA, FL, others) shorten this to 30–45 days. Today's job is containment, evidence preservation, and patient safety — not the notification letter.
Should we pay the ransom?+
Decide with counsel and the insurer in the room. OFAC sanctions some ransomware groups, and payment to a sanctioned entity is a federal violation regardless of intent. The insurer's IR vendor will check the wallet against sanctions lists before any payment is considered.
Can we keep seeing patients?+
Sometimes. If you can verify identities (paper ID + a known patient panel), capture vitals on paper, and prescribe without EPCS-controlled-substance dependencies, a downtime clinic is workable for a half-day. Stop if you can't safely verify allergies or active medications.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.