Medical practices of all sizes face rising cybersecurity threats. Learn essential strategies to protect patient data and ensure operational resilience.
Rana McSpadden, FACMPE, CHPC, CPC | © MGMA
Cybersecurity might feel like a problem for big hospitals or health systems, but medical practices of every size are now prime targets. Criminals know that smaller organizations often lack the layered defenses and dedicated IT staff that larger institutions can afford, yet they still hold valuable data. Patient records, Social Security numbers, insurance information and even prescription histories fetch high prices on the dark web. That makes physician practices a lucrative target for ransomware, phishing and other attacks that can lock down operations and compromise trust.
The consequences of a breach can be devastating. Beyond the immediate operational disruption — computers frozen, EHRs inaccessible, appointments canceled — practices face potential regulatory penalties, lawsuits, and reputational harm. The Department of Health and Human Services (HHS) has issued fines for failing to encrypt data, for not maintaining backups, and for leaving security gaps unaddressed. The HIPAA Security Rule requires covered entities to implement administrative, physical and technical safeguards. Insurance may offset some costs, but liability carriers often require practices to follow specific response protocols. Patients, too, expect transparency and protection of their most sensitive information.
Despite the high stakes, many practices are unprepared. They may rely on outdated antivirus software, leave security responsibilities entirely to vendors, or assume their EHR provider will handle backups. Staff may fall for phishing emails or fail to recognize suspicious activity. As Rana McSpadden, FACMPE, CHPC, CPC, a medical practice consultant with SVMIC, put it during her MGMA Leaders Conference 2025 session: “Don’t just leave this to your IT people, you need to be involved in this process.”
The good news is that there is a playbook. Cybersecurity experts recommend a four-stage approach to incident response: preparation, detection and analysis, containment and recovery, and post-incident review. Each step involves not just technology but also leadership, communication, and training. Practices that follow this structured process can minimize damage, restore operations faster, and strengthen defenses for the future.
What follows is a roadmap for administrators to follow when a breach occurs: from assembling the right response team, to notifying authorities and patients, to learning from mistakes so the next attack does less harm.
Preparation is the most important step. Conduct a security risk analysis to identify vulnerabilities — from unpatched systems to inattentive staff. Work with qualified IT vendors, not “the high school student who plays video games all day,” McSpadden cautioned. Assemble a response team that includes IT, management decision-makers and possibly third-party vendors.
Practices should maintain essential resources: backup hardware, updated antivirus software, and clear incident reporting mechanisms. Tabletop exercises — for example, simulating a ransomware demand after a holiday weekend — help identify weaknesses before a real crisis. Staff training should be ongoing, with refreshers on phishing, password management and data handling.
When suspicious activity appears, immediately mobilize the response team. Determine the scope — is it one workstation or the entire network? Trace the origin: was it a malicious email link, a firewall weakness or stolen credentials? Practices must also know who to notify. Local police, the FBI and cyber liability insurers may all need to be contacted. The OCR Cyber Attack Checklist lays out federal expectations for initial response steps. In larger disruptions, it may be necessary to alert patients or the public without revealing sensitive details.
Once identified, the priority is to stop the spread. Contain the incident to affected systems while preserving evidence. Eradicate the threat by deleting malware, disabling compromised accounts and patching vulnerabilities. Recovery includes restoring systems from reliable backups, applying software updates and requiring password changes across the organization. McSpadden shared a cautionary example of a practice that restored from backups multiple times but failed to remove the root malware, resulting in repeated reinfections.
Practices should also be aware of their federal obligations. The HHS Cybersecurity Incident Response Plan and Ransomware and HIPAA Fact Sheet provide step-by-step guidance for compliance.
After operations are restored, conduct a thorough review. What worked well? Where did the process break down? Every incident is different, even if two involve ransomware, so practices must adjust their response plan after each event. Debriefings should lead to updates in policies, procedures and training. Administrators can also consult the HHS Cybersecurity Performance Goals for benchmarks to strengthen defenses.
The aftermath of a breach is also a reminder that cybersecurity is not just an IT problem but a leadership responsibility. McSpadden emphasized that administrators must “set the tone at the top” by integrating cybersecurity into business strategy, funding proper defenses and promoting staff awareness.
Health care data remains a prime target for cybercriminals. With preparation, rapid detection, decisive containment and continuous improvement, practice leaders can reduce damage and maintain resilience when the inevitable breach occurs.