Skip to main content
All playbooks
Playbook

Ransomware in the middle of a clinic day

EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.

Last reviewed: May 2026

The first hour

  1. 1Stop the spread: unplug network cables and disable Wi-Fi on every affected machine. Do not power them off — memory has evidence.
  2. 2Convert the schedule. Decide now: see today's patients on paper, divert to urgent care, or close the office. The clinical lead owns this call, not IT.
  3. 3Pull the paper downtime forms. Vitals, intake, prescription pad, refusal-of-care language. Most practices have these and have never used them.
  4. 4Call the cyber insurer first, then the MSP, then counsel. The insurer often dictates the IR vendor.
  5. 5Start a written timeline. Every action, every call, every decision, with timestamps. This becomes your OCR documentation.
  6. 6Identify a single spokesperson. The front desk needs one script for patients calling about appointments and refills.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • Do NOT reboot or reimage affected machines — RAM contains encryption keys and indicators of compromise IR firms need.
  • Screenshot the ransom note and any attacker contact channel (do not click links).
  • Preserve firewall, VPN, EDR, and EHR audit logs — most have a short retention window.
  • Photograph the physical state of the affected workstations and server rack.
  • Save a copy of every email exchanged with the attacker or insurer in a separate, clean mailbox.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Do we have to notify patients today?+

No. The HIPAA Breach Notification Rule gives you up to 60 days from discovery to notify affected patients, and HHS at the same time if 500+ patients are involved in a jurisdiction. Some states (CA, FL, others) shorten this to 30–45 days. Today's job is containment, evidence preservation, and patient safety — not the notification letter.

Should we pay the ransom?+

Decide with counsel and the insurer in the room. OFAC sanctions some ransomware groups, and payment to a sanctioned entity is a federal violation regardless of intent. The insurer's IR vendor will check the wallet against sanctions lists before any payment is considered.

Can we keep seeing patients?+

Sometimes. If you can verify identities (paper ID + a known patient panel), capture vitals on paper, and prescribe without EPCS-controlled-substance dependencies, a downtime clinic is workable for a half-day. Stop if you can't safely verify allergies or active medications.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.