Act Immediately

Ransomware Attack Response

Our systems are locked — step-by-step ransomware response.

This Is Your Highest-Priority Incident

A ransomware attack affecting systems that contain ePHI is a presumed HIPAA breach. It requires immediate containment, mandatory law enforcement notification, and likely HIPAA breach notification to affected individuals. Every minute matters. Execute these steps now.

Do not pay the ransom. Payment does not guarantee your data will be restored. It funds criminal organizations. It may violate U.S. sanctions laws (some ransomware groups are sanctioned entities). And it does not eliminate your HIPAA breach notification obligations. The FBI and HHS strongly advise against payment.

Step 1: Isolate Affected Systems Immediately

Ransomware spreads across networks. Stop the spread now:

  1. Disconnect affected computers from the network — pull Ethernet cables, disable Wi-Fi
  2. Do not shut down affected systems unless absolutely necessary (forensic evidence may be lost)
  3. Isolate network segments — have IT disable access to file shares, network drives, and backup systems if ransomware may have reached them
  4. Disconnect any cloud sync services (OneDrive, Google Drive, Dropbox) that are actively syncing — this can spread encryption to cloud backups
  5. Identify the scope: which machines are affected? Is the ransomware still spreading?

Step 2: Contact Law Enforcement

Report the attack to the FBI (Internet Crime Complaint Center — IC3.gov) and your local FBI field office. This is strongly recommended:

  • The FBI may be able to identify the ransomware strain and provide decryption tools for known variants
  • Law enforcement may have intelligence on the attacker group
  • Reporting creates a record that demonstrates good-faith response
  • The FBI does not arrest organizations for reporting ransomware — they investigate the attackers

Step 3: Engage Your Incident Response Team

If you have a cyber insurance policy, notify your insurer immediately — most policies require prompt notification and provide access to incident response resources. If you don't have internal IT security expertise, engage an external incident response firm. Do not attempt forensic investigation yourself.

Step 4: Assess ePHI Exposure — This Is a Presumed Breach

Under HIPAA, ransomware that encrypts ePHI is presumed to be a breach because it constitutes unauthorized access that compromises the integrity of the data. This presumption can be rebutted only if you can demonstrate a low probability that PHI was accessed or exfiltrated — which requires forensic analysis.

Key questions for the breach risk assessment:

  • What systems were encrypted? Do they contain or have access to ePHI?
  • Is there evidence of data exfiltration before encryption? (Modern ransomware groups often steal data first, then encrypt — they use the threat of publishing stolen data as additional leverage)
  • How many patient records were on affected systems?
  • What types of PHI were involved (diagnoses, SSNs, financial information)?
  • When did the attack begin? What did the attacker have access to during the dwell time before encryption?

Step 5: Breach Notification Obligations

Assuming the breach assessment confirms PHI exposure (which is likely), your notification obligations are:

  • Affected individuals: Written notice within 60 days of discovery
  • HHS OCR: If 500+ individuals are affected in any state, notify HHS within 60 days. If fewer than 500, report annually.
  • Media: If 500+ individuals in a single state are affected, prominent media notice in that state is required
  • Business Associates: Notify any BAs who may have been affected

Step 6: Recovery from Backups

Work with IT on recovery:

  • Verify your backup integrity before attempting restore — confirm backups were not also encrypted
  • Restore from the most recent clean backup (one predating the attack)
  • Before reconnecting restored systems, patch and harden them — fix whatever vulnerability the attackers used to gain entry
  • Rebuild affected systems from scratch rather than restoring if malware may remain
  • Conduct a full security scan on all systems before returning to production
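One way to carry out the first item in that list (verify backup integrity before attempting a restore), as an added example that is not part of the original guide: compare every file in the backup set against a hash manifest written at backup time, and treat a mismatch, a missing file, an unexpected file, or a mismatched file whose contents look encrypted (byte entropy near 8 bits) as a reason not to restore. The manifest format, the sample patient and billing files, the "encrypted" file and the note file name are all constructed assumptions for the demo.

```python
"""Check a backup set against a pre-attack SHA-256 manifest before restoring.

Added example (not from the original guide). Assumes a manifest was written
at backup time with one "sha256  relative/path" entry per line; everything
else below is constructed demo data.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; typical for ciphertext, rare for documents


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for a constant run, 8 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> str:
    """Write the manifest text at backup time (the trusted reference)."""
    lines = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{sha256_file(full)}  {rel}")
    return "\n".join(sorted(lines)) + "\n"


def parse_manifest(text: str) -> dict:
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, rel = line.split(None, 1)
            manifest[rel] = digest
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Classify every file in the backup; safe_to_restore is True only if the
    set matches the manifest exactly and nothing looks encrypted."""
    report = {"ok": [], "modified": [], "unexpected": [], "high_entropy": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)  # e.g. a dropped ransom note
            elif sha256_file(full) == manifest[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
                with open(full, "rb") as f:
                    if shannon_entropy(f.read(1 << 20)) > HIGH_ENTROPY:
                        report["high_entropy"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    for key in ("ok", "modified", "unexpected", "high_entropy"):
        report[key].sort()
    report["safe_to_restore"] = not (
        report["modified"] or report["missing"] or report["unexpected"]
    )
    return report


def run_demo():
    """Constructed demo: take a manifest of a clean backup, then simulate the
    backup being reached by ransomware. Returns (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample content, not real records
            "patients/intake.csv": b"mrn,name,dob\n1001,Doe,1980-01-01\n" * 50,
            "billing/claims.db": bytes(range(256)) * 16,
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = parse_manifest(build_manifest(root))
        before = verify_backup(root, manifest)
        # Simulate encryption: overwrite one file with seeded random bytes and
        # drop a note file (constructed placeholder name).
        with open(os.path.join(root, "billing/claims.db"), "wb") as f:
            f.write(random.Random(7).randbytes(4096))
        with open(os.path.join(root, "HOW_TO_RECOVER.txt"), "w") as f:
            f.write("constructed placeholder note\n")
        after = verify_backup(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("clean backup restorable:", before["safe_to_restore"])
    print("tampered backup restorable:", after["safe_to_restore"], after)
```

The manifest only helps if it was produced before the attack and stored where the ransomware could not rewrite it (offline or immutable storage, as in the 3-2-1 guidance below), otherwise an attacker who reached the backup could regenerate it; the entropy check is a secondary signal for the case where no trustworthy manifest exists.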

Step 7: Incident Documentation

Document everything with timestamps throughout the response:

  • Date and time attack was discovered
  • Initial scope assessment
  • All containment actions taken and when
  • Law enforcement notifications
  • Forensic investigation findings
  • Breach risk assessment results
  • Breach notification actions
  • Recovery actions and timeline
  • Root cause analysis and corrective actions

After Recovery: Prevent the Next Attack

  • Implement offline, immutable backups (the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite)
  • Enforce MFA on all remote access and email accounts
  • Patch all systems and software promptly — most ransomware exploits known, patchable vulnerabilities
  • Conduct phishing simulation training — phishing email is the #1 ransomware entry vector
  • Implement network segmentation to limit lateral movement
  • Deploy endpoint detection and response (EDR) tools that can detect and stop ransomware early
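To make the last item concrete, here is an added example (not from the original guide) of the kind of behavioural rule an EDR agent or file-server monitor applies to catch ransomware early: many files on one host renamed to a single new extension within a short window, and the same note file appearing in many folders. It runs over constructed file-event log lines; the log format, host and user names, paths, note file name and thresholds are all assumptions for the demo.

```python
"""Behavioural ransomware detection over file-event logs (added example).

Assumed, constructed log format, one event per line:
  <ISO-8601 UTC> host=<h> user=<u> op=rename src=<path> dst=<path>
  <ISO-8601 UTC> host=<h> user=<u> op=create dst=<path>
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+)"
    r"(?: src=(?P<src>\S+))? dst=(?P<dst>\S+)$"
)
RENAME_THRESHOLD = 20          # extension-changing renames per host per window
WINDOW = timedelta(seconds=60)
SAME_EXT_RATIO = 0.9           # share of those renames that share one new extension
NOTE_DIR_THRESHOLD = 5         # same new file name appearing in this many folders


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], FMT)
    return ev


def ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return alerts in order of first detection, at most one per host and rule."""
    alerts, alerted = [], set()
    renames = defaultdict(deque)                        # host -> (ts, new ext)
    notes = defaultdict(lambda: defaultdict(set))       # host -> name -> dirs
    for ev in filter(None, map(parse_line, lines)):
        host, ts = ev["host"], ev["ts"]
        if ev["op"] == "rename" and ev["src"] and ext(ev["src"]) != ext(ev["dst"]):
            q = renames[host]
            q.append((ts, ext(ev["dst"])))
            while q and ts - q[0][0] > WINDOW:          # slide the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (host, "mass_rename") not in alerted:
                new_ext, n = Counter(e for _, e in q).most_common(1)[0]
                if n >= SAME_EXT_RATIO * len(q):
                    alerted.add((host, "mass_rename"))
                    alerts.append({"rule": "mass_rename", "host": host, "user": ev["user"],
                                   "ts": ts, "ext": new_ext, "count": len(q)})
        elif ev["op"] == "create":
            directory, _, name = ev["dst"].rpartition("/")
            dirs = notes[host][name]
            dirs.add(directory)
            if len(dirs) >= NOTE_DIR_THRESHOLD and (host, "note_fanout", name) not in alerted:
                alerted.add((host, "note_fanout", name))
                alerts.append({"rule": "note_fanout", "host": host, "user": ev["user"],
                               "ts": ts, "name": name, "dirs": len(dirs)})
    return alerts


def build_sample_log():
    """Constructed sample events, not real telemetry: a healthy workstation
    (ws-02) and one (ws-07) whose files are being renamed to .locked with a
    note dropped in every folder."""
    lines = []
    t0 = datetime(2025, 1, 15, 7, 55, 0)
    for i in range(3):  # ordinary save-as renames, minutes apart
        ts = (t0 + timedelta(minutes=i)).strftime(FMT)
        lines.append(f"{ts} host=ws-02 user=jdoe op=rename "
                     f"src=/shares/clinic/draft{i}.tmp dst=/shares/clinic/draft{i}.docx")
    lines.append(f"{(t0 + timedelta(minutes=4)).strftime(FMT)} host=ws-02 user=jdoe "
                 f"op=create dst=/shares/clinic/notes.txt")
    t = datetime(2025, 1, 15, 8, 2, 0)
    for d in range(6):  # six folders, four files each, one note per folder
        folder = f"/shares/billing/dir{d}"
        for f in range(4):
            lines.append(f"{t.strftime(FMT)} host=ws-07 user=mrivera op=rename "
                         f"src={folder}/claim{f}.pdf dst={folder}/claim{f}.pdf.locked")
            t += timedelta(seconds=1)
        lines.append(f"{t.strftime(FMT)} host=ws-07 user=mrivera op=create "
                     f"dst={folder}/README_RESTORE.txt")
        t += timedelta(seconds=1)
    return lines


def analyze_sample():
    return detect(build_sample_log())


if __name__ == "__main__":
    for a in analyze_sample():
        print(a)
```

Both rules fire on the compromised host only (the first at the twentieth extension-changing rename, the second when the note reaches its fifth folder), while the ordinary renames on the other host stay below threshold. In production the same logic would feed the containment step above: the alert identifies the host and account to isolate, and the thresholds are tuned against the organisation's normal rename rate so that backup jobs and bulk document conversions do not trigger it.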
