Ransomware Hit Your Practice: First 72 Hours

On February 19, 2026, staff at the University of Mississippi Medical Center showed up to work and found their computers useless. Epic was down. All 35 outpatient clinics closed statewide. Elective surgeries canceled. Doctors pulled out paper forms they hadn’t touched in years. Mississippi’s only academic medical center — serving one of the nation’s poorest and sickest populations — was brought to its knees by a ransomware attack that experts said could take weeks to months to fully recover from.

UMMC had a dedicated IT department, federal relationships, and an emergency operations plan ready to activate. They still lost everything for days.

This follows a pattern that keeps repeating. Scripps Health in 2021: four weeks of downtime, $113 million in losses, 1.2 million patients’ data compromised. CommonSpirit Health in 2022: 164 facilities across the country disrupted, $160 million in damages. Ardent Health on Thanksgiving 2023: emergency rooms in five states diverting ambulances, the EHR offline for two weeks.

Ransomware attacks increased 58% in 2025 according to GuidePoint Security, making it the most active year ever recorded. Healthcare remains the most targeted sector, accounting for 22% of all disclosed attacks. The average ransom demand in healthcare hovers around $900,000, and the average healthcare data breach now costs $7.42 million. The newer groups — Medusa, Interlock, Play, and Qilin — aren’t just encrypting your files anymore. They’re corrupting backups, damaging systems, and specifically targeting clinical systems to maximize pressure to pay.

If it happens to your practice, the next 72 hours determine almost everything: how much damage gets done, whether you can recover without paying, what your legal exposure looks like, and whether OCR treats you as a victim who responded correctly or a negligent organization that made everything worse.

Print this page. Save it somewhere that isn’t on your network.


What Ransomware Actually Looks Like Before It Hits

Ransomware rarely announces itself dramatically. More often, it starts with something subtle: a workstation running slow, a file that won’t open, an unusual login at 2 a.m. that nobody noticed.

By the time you see the ransom note, the attackers have usually been inside your network for days or weeks. They’ve already mapped your systems, found your backups, and staged their payload. The data scrambling is the last step, not the first.

This matters because it affects how you respond. You’re not just dealing with an active attack — you’re dealing with the aftermath of a prolonged compromise. A solid risk assessment process can help identify weak spots before attackers do.


Hours 0-2: Discovery and Immediate Containment

The moment you realize something is wrong, start the clock and record everything.

1. First 15 Minutes — Isolate, Don’t Shut Down

  • Do not turn off affected machines. Counterintuitive, but key: powering down destroys forensic evidence stored in RAM and, in some cases, makes recovery harder. Leave machines running but disconnect them from the network.
  • Physically unplug network cables from affected workstations and servers. If you can’t identify which machines are affected, start disconnecting everything.
  • Disable Wi-Fi at the router level if possible.
  • Take photos of ransom notes and error screens with your phone before doing anything else.

2. Next 45 Minutes — Assess the Spread

  • Network isolation is your goal. Every machine that’s still connected is a machine the ransomware can spread to.
  • Identify your “patient zero” if you can — the first machine that showed symptoms. Don’t touch it. It’s evidence.
  • Check your backups right away. Are they accessible? Are they on a separate, air-gapped system? Or are they on the same network that just got hit? This single answer determines what comes next. At Scripps Health, recovery took four weeks partly because the attack reached connected backup systems.
  • Call your IT provider or managed security service provider (MSSP). If you don’t have one, find one now. This is not the time to troubleshoot yourself.

3. Who to Call in the First 2 Hours

  1. IT/MSSP — your first call, period
  2. Your cyber insurance carrier — call before you engage outside forensic firms; most policies require pre-approval, and many insurers have incident response teams on retainer
  3. Practice owner/leadership — they need to know right away

Hours 2-12: Assessment and Notification Decisions

Once you’ve contained the spread as much as possible, shift to assessment mode.

4. Understand What You’re Dealing With

Work with your IT team to answer these questions:

  • Which systems are affected and which are clean?
  • What data did those systems contain? Does it include ePHI?
  • Are backups intact and recoverable?
  • Can you identify the ransomware variant? (This matters — some variants have known decryption tools available for free)
  • Is there evidence the attackers exfiltrated data before encrypting?

That last question is key. Under HIPAA, encryption of your own data by attackers is a security incident. But if attackers also exfiltrated patient data — copied it out before encrypting — that’s almost certainly a reportable breach. And this is now the norm: an estimated 96% of ransomware incidents targeting healthcare in 2025 involved data exfiltration. They steal first, encrypt second, then threaten to publish if you don’t pay. It’s called double extortion, and it’s the default playbook.
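A quick way to get a first answer to the first two questions above (which systems, and which files on them, were hit) is to scan a copy of a file share for what encrypted output looks like. The Python script below is an added example, not from the original article or any vendor tool: it flags text files whose bytes are near-random (high Shannon entropy, which is what ciphertext looks like) and file names repeated across many folders (how ransom notes are typically dropped). It builds its own constructed sample tree so it runs offline; the extension list, threshold and file names are assumptions to tune for your environment, and every hit is a candidate for a human to check, not proof.

```python
"""Triage scan for signs of file encryption on a share (added example).

Two indicators that help scope "which systems are affected":
  * text files whose contents are near-random (high Shannon entropy)
  * one file name that appears in many folders at once
Extensions, thresholds and the sample tree are constructed for this demo.
"""
import math
import os
import tempfile
from collections import Counter

TEXT_EXTENSIONS = {".txt", ".csv", ".xml", ".json", ".hl7"}  # constructed list
ENTROPY_THRESHOLD = 7.5  # bits per byte; readable text is usually under 5
HEAD_BYTES = 65536       # sample the head: some families encrypt only part of a file


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, min_dirs=3):
    """Walk root read-only and return candidate indicators for review."""
    high_entropy = []
    name_counts = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            name_counts[name.lower()] += 1  # one hit per folder the name appears in
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue  # archives, images etc. are high-entropy by nature; skip them
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(HEAD_BYTES))
            if ent >= ENTROPY_THRESHOLD:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                high_entropy.append((rel, round(ent, 2)))
    repeated = sorted(n for n, c in name_counts.items() if c >= min_dirs)
    return {"high_entropy": sorted(high_entropy), "repeated_names": repeated}


def build_sample_tree(root):
    """Constructed data: three patient folders with readable notes, one file
    overwritten with uniformly distributed bytes standing in for ciphertext,
    and a note-like file dropped in every folder."""
    for i in range(3):
        d = os.path.join(root, f"patient_{i}")
        os.makedirs(d)
        with open(os.path.join(d, f"visit_{i}.txt"), "w") as fh:
            fh.write("Follow-up visit. Vitals stable. Continue current medication.\n" * 40)
        with open(os.path.join(d, "HOW_TO_RECOVER.txt"), "w") as fh:  # constructed name
            fh.write("placeholder note text\n")
    with open(os.path.join(root, "patient_1", "labs.csv"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)  # every byte value equally often: 8.0 bits/byte


def run_demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Run it from a clean machine against a mounted, read-only copy of the share; it only reads files and does not replace the forensic work your MSSP does. Limiting the entropy check to extensions that should be readable text is what keeps legitimate compressed files (images, archives, PDFs) from flooding the results.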

5. Document Everything — Your OCR Lifeline

Start a written incident log now and keep it running throughout the response. Date and timestamp every action, every decision, every person you spoke to. This log will matter enormously if OCR investigates. UMMC’s ability to show they activated their Emergency Operations Plan and contacted federal agencies right away worked in their favor.
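One way to keep that log in a form that shows it has not been edited after the fact, which is what an investigator will want to know, is to chain the entries with hashes: each entry carries the hash of the one before it, so a later edit, deletion or reordering breaks the chain at the first touched entry. The Python below is an added example, not the article’s or any product’s code; the field names and the three sample entries are constructed.

```python
"""Tamper-evident incident log (added example).

Each entry stores the SHA-256 of the previous entry, so verify_log() can
report the first entry that was altered, removed or reordered after the fact.
Field names and sample entries are constructed for this demonstration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def entry_hash(entry):
    """Hash the entry as canonical JSON so the same content always hashes alike."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log, actor, action, timestamp=None):
    """Append one timestamped action, linking it to the previous entry."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_hash(entry)  # computed before the hash field exists
    log.append(entry)
    return entry


def verify_log(log):
    """Return (True, None) if the chain is intact, else (False, seq of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or entry_hash(body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    return True, None


def run_demo():
    """Constructed walkthrough: three entries, then a simulated later edit."""
    log = []
    append_entry(log, "practice manager",
                 "Ransom note seen on front-desk workstation; network cable unplugged",
                 "2026-01-01T09:00:00+00:00")
    append_entry(log, "practice manager", "Called IT provider / MSSP",
                 "2026-01-01T09:10:00+00:00")
    append_entry(log, "practice manager", "Called cyber insurance carrier",
                 "2026-01-01T09:25:00+00:00")
    intact = verify_log(log)
    # Someone later "improves" entry 1; the chain exposes it.
    edited = json.loads(json.dumps(log))
    edited[1]["action"] = "Called IT provider / MSSP and confirmed backups intact"
    return intact, verify_log(edited)


if __name__ == "__main__":
    print(run_demo())
```

Write the JSON out to somewhere the attackers cannot reach (a phone, a laptop that was never on the practice network); the chain shows edits, it does not prevent a file on a compromised server from being deleted outright.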

By hour 6-8, you should have healthcare legal counsel on the phone. They help you navigate the notification decision-making, communicate with regulators under attorney-client privilege, and avoid statements that could create extra liability. This is not optional if ePHI was involved.


Hours 12-24: The Breach Notification Decision

HIPAA’s Breach Notification Rule requires you to notify affected individuals, HHS, and in some cases the media within 60 days of discovering a breach. Under OCR’s proposed 2025 Security Rule updates, the timeline for reporting to HHS drops to 72 hours for large breaches.

The clock on that window starts at discovery — not at containment, not at assessment completion. At discovery.

So by hour 12-24, you need to be working through a formal breach risk assessment with your legal and compliance team:

  • Was ePHI involved?
  • Was it accessed or exfiltrated, or only encrypted on your own systems?
  • Can you show the data was not actually acquired by the attackers?

Unless you can show with high confidence that ePHI was not acquired, you treat it as a breach.

7. Federal Agencies to Contact

  • FBI — Report to your local FBI field office or online at ic3.gov. The FBI has healthcare-specific resources and may have intelligence on the specific group that hit you. Reporting is free and can open doors to recovery resources you can’t get any other way.
  • CISA — Report at cisa.gov or call 1-888-282-0870. CISA coordinates cross-sector threat intelligence and has published specific advisories on groups targeting healthcare in 2025-2026.
  • State attorneys general — Many states have separate breach notification laws with their own timelines (some as short as 30 days). Your legal counsel handles this, but make sure they’re on it.

Hours 24-48: Recovery Planning and the Ransom Question

By now you have a clearer picture of the damage. This is when you make the hardest decisions.

8. Should You Pay the Ransom?

The FBI, CISA, and HHS all say the same thing: do not pay. Payment doesn’t guarantee you’ll get working decryption keys. It funds criminal operations. It marks you as willing to pay, which invites follow-on attacks. In 2025, just 36% of healthcare providers paid the ransom — down from 61% in 2022, showing the industry is learning.

But healthcare is complicated. When patient care systems are down — when you can’t access records, can’t run equipment, can’t function as a practice — the calculus gets harder. Hospitals have paid ransoms because the alternative was patient harm.

Practical realities before paying anything:

  • Check nomoreransom.org first. This resource, run by law enforcement agencies globally, offers free decryption tools for many ransomware variants. Your variant might already be cracked.
  • If you’re considering payment, your cyber insurance carrier must be involved first. Many policies cover ransom payments under specific conditions.
  • Check OFAC sanctions risk with legal counsel. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) maintains a list of sanctioned groups, including several ransomware groups. Paying a sanctioned group — even unknowingly — can result in civil penalties under strict liability. That means you can be fined even if you didn’t know the group was sanctioned.
  • Do NOT communicate with the attackers using your work email or any system that may still be compromised. If they’re still in your network — and they often are — they can read your internal discussions about whether to pay, what your insurance covers, and what your legal strategy is.
  • Paying does not end your HIPAA duties. If ePHI was accessed or exfiltrated, you still have a reportable breach regardless of whether you recover your files.

9. Recovery From Clean Backups

If your backups are clean and intact, this is your path forward. This is where the 3-2-1 backup rule earns its reputation:

  • 3 copies of your data
  • 2 different media types (e.g., local disk + cloud, or disk + tape)
  • 1 copy offsite and air-gapped (physically disconnected from your network)

That third copy — the one attackers can’t reach — is the one that saves you. CommonSpirit’s $160 million in damages happened partly because the attack disrupted systems for a full month. Organizations with tested, air-gapped backups have recovered in days instead of weeks.

Work with IT to:

  • Restore systems on clean hardware (don’t restore onto potentially compromised machines)
  • Verify data accuracy before bringing systems back online
  • Confirm the attack vector is closed before reconnecting to the internet
  • Re-image affected workstations rather than attempting to clean them
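Verifying data accuracy before bringing systems back online needs something to compare against. The Python below is an added example rather than the article’s own recommendation or tooling: at backup time it records a SHA-256 hash and size for every file and signs the manifest with HMAC using a key that is assumed to be kept with the air-gapped copy and never on the network; at restore time it reports files that were modified, removed or added since the manifest was made, and rejects a manifest whose signature does not check out, so a rewritten manifest cannot vouch for rewritten files. The directory layout, key and sample files are constructed for the demo.

```python
"""Signed backup manifest: build at backup time, verify before restore (added example).

The HMAC key is assumed to live with the offline copy, not on any networked
system; the layout, key and files below are constructed for this demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images and databases fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its hash and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return manifest


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Attach an HMAC-SHA256 tag computed with the offline key."""
    return {"manifest": manifest, "hmac": hmac.new(key, _canonical(manifest), "sha256").hexdigest()}


def verify_signature(signed, key):
    expected = hmac.new(key, _canonical(signed["manifest"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])


def verify_backup(root, signed, key):
    """Compare the files on disk with the signed manifest; refuse an unsigned/forged one."""
    if not verify_signature(signed, key):
        return {"signature_ok": False}
    expected, actual = signed["manifest"], build_manifest(root)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {"signature_ok": True, "modified": modified, "missing": missing,
            "unexpected": unexpected, "clean": not (modified or missing or unexpected)}


def run_demo():
    """Constructed walkthrough: clean verify, then tampered files, then a forged manifest."""
    key = b"constructed-demo-key-keep-the-real-one-offline"
    sample = {  # constructed backup contents
        "charts/p001.txt": b"Visit 2026-01-05: stable, continue meds\n",
        "charts/p002.txt": b"Visit 2026-01-06: new allergy recorded\n",
        "billing/jan.csv": b"claim,amount\n1001,120.00\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)
        # Simulate what a backup share looks like after attackers reached it.
        with open(os.path.join(root, "charts/p001.txt"), "wb") as fh:
            fh.write(b"\x00" * 32)                         # overwritten
        os.remove(os.path.join(root, "billing/jan.csv"))  # deleted
        with open(os.path.join(root, "charts/README.txt"), "wb") as fh:
            fh.write(b"constructed note")                 # added
        tampered = verify_backup(root, signed, key)
        # A manifest rebuilt to match the tampered files, but without the offline key.
        forged = dict(signed, manifest=build_manifest(root))
        forged_result = verify_backup(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    print(run_demo())
```

Keep the key and a copy of the signed manifest on the offline medium with the backup; a manifest that lives on the same share as the files it describes can be regenerated by whoever rewrote the files.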

10. Activating Paper-Based Downtime Procedures

If your backups are compromised or recovery will take days, you need paper-based workflows ready to go. UMMC fell back on pen-and-paper charting because they had downtime procedures written down. Ardent Health’s hospitals did the same across five states. Your practice should have:

  • Printed medication lists and allergy records for active patients
  • Paper intake and charting forms
  • Manual prescription pads
  • A phone tree for contacting patients with upcoming appointments
  • Paper-based billing procedures

These should exist in a binder, printed, in a known location — not stored on the server that just got encrypted.


Hours 48-72: Notification Execution and OCR Reporting

If you’ve determined a breach occurred:

11. Execute Your Notification Plan

  • Individual notification must go out no later than 60 days after discovery. For breaches affecting 500+ individuals in a state, you also notify prominent media outlets in that state.
  • HHS notification goes to the OCR breach portal. For breaches affecting 500+, this must be reported right away. For breaches under 500, you can report annually by March 1.
  • Draft your notification letters now. Legal counsel reviews. They must include what happened, what information was involved, what you’re doing about it, what affected individuals can do to protect themselves, and your contact information.

12. What NOT to Do

  • Do not discuss the incident publicly or on social media before legal counsel has reviewed your communications strategy.
  • Do not delete or alter any systems or logs while the review is active.
  • Do not communicate with the attackers without your legal team and incident response firm involved.
  • Do not pay a ransom without informing your cyber insurer and checking OFAC sanctions lists first.

After 72 Hours: The Long Recovery

The acute phase ends, but the work doesn’t. Scripps Health’s full recovery took months. CommonSpirit’s financial impact extended well into the following fiscal year. Over 40% of U.S. health systems are predicted to experience a ransomware attack by the end of 2026. Expect the following in the weeks ahead:

  • Forensic review to determine root cause, dwell time, and full data impact
  • Regulatory response — OCR may investigate; having your incident log and written records in order is everything
  • Staff notifications and retraining on what happened and how to prevent recurrence
  • System hardening based on forensic findings — patching whatever weak spot got exploited
  • Policy and procedure updates to address gaps the attack exposed — the new Security Rule changes will raise the bar greatly
  • Lessons-learned review — what failed, what held up, what changes permanently

The Printable Ransomware Response Checklist

Cut this out. Tape it to the wall next to your server room door.

Hours 0-2: CONTAIN
  [ ] Isolate affected machines (unplug network cables, DO NOT power off)
  [ ] Photograph all ransom notes and error screens
  [ ] Check backup status — are they air-gapped and intact?
  [ ] Call IT provider / MSSP
  [ ] Call cyber insurance carrier
  [ ] Start written incident log with timestamps

Hours 2-12: ASSESS
  [ ] Identify scope — which systems, which data
  [ ] Determine if ePHI was involved
  [ ] Determine if data was exfiltrated (not just encrypted)
  [ ] Engage healthcare legal counsel
  [ ] Notify practice leadership

Hours 12-24: REPORT
  [ ] Report to FBI (ic3.gov or local field office)
  [ ] Report to CISA (1-888-282-0870 or cisa.gov)
  [ ] Begin formal breach risk assessment with legal team
  [ ] Identify state AG notification requirements

Hours 24-48: DECIDE
  [ ] Check nomoreransom.org for free decryption tools
  [ ] If considering payment: verify OFAC sanctions compliance with legal counsel
  [ ] Make ransom decision with insurance carrier and legal
  [ ] Begin recovery from clean, verified backups
  [ ] Activate paper-based downtime procedures if needed
  [ ] Draft breach notification letters

Hours 48-72: NOTIFY
  [ ] File HHS OCR breach notification if breach confirmed
  [ ] Prepare individual notification letters
  [ ] Address state AG notification deadlines
  [ ] Prepare media statement if 500+ individuals affected
  [ ] Document all actions taken for the regulatory record



Need help building your incident response plan before something happens? One Guy Consulting offers affordable HIPAA compliance packages. Explore HIPAA compliance services.