Northline Technologies
Healthcare IT Team · Dec 2, 2025
The first click
A Wednesday afternoon. The front-desk lead opened what looked like a DocuSign request for an insurance renewal. The page asked her to sign into Microsoft 365 to view the document. She did. The credentials, including the SMS code she typed in, went straight to an attacker-controlled reverse proxy in Eastern Europe, which relayed them to Microsoft in real time and kept the resulting session cookie for itself.
Within ninety seconds, the attacker was signed into her mailbox. Within an hour, they had read enough email to know the clinic's banking schedule, the IT provider's name, and the after-hours number to call if they needed remote access. By the time anyone noticed, they had been inside the network for four days.
Four days of quiet movement
Ransomware crews don't encrypt the moment they get in. They explore. They find the file server, the backup target, the EMR database, the network-attached storage in the basement that nobody has logged into in five years.
By Sunday night they had identified everything that mattered, exfiltrated about 40GB of patient records, and disabled the local backup software. Monday morning, at 6:47am — fifteen minutes before the first staff member usually arrived — they pulled the trigger.
Monday morning
Every workstation showed the same wallpaper. The EMR was unreachable. The backup server had a ransom note. The phone system had been re-pointed. The clinic cancelled the day's appointments by 9am, then the week's by Wednesday.
The ransom demand was modest by enterprise standards — $180,000 in cryptocurrency. The clinic didn't pay; they didn't have it. Instead, they began the slow rebuild, with a full PHIPA breach response running in parallel.
"Nobody plans to be the case study. The clinics that aren't are the ones that took the boring controls seriously last quarter."
The six controls that would have stopped it
Phishing-resistant MFA (FIDO2 security keys, passkeys, or Windows Hello for Business) on the front desk account. The proxy could not have replayed a FIDO2 assertion, because it is bound to the real login.microsoftonline.com origin. Note that number matching on push notifications is not phishing-resistant: the proxy relays the genuine sign-in, so the user sees and approves the correct number. See MFA for clinics.
Conditional access blocking sign-ins from outside Canada. This attacker's session, coming straight from Eastern European infrastructure, would have been denied at the door. It raises the bar rather than closing the door, since an attacker who routes through a Canadian VPN exit or residential proxy gets past it, which is why the MFA control above comes first.
Immutable, off-network backups — the ransomware couldn't have deleted them.
Endpoint detection and response with 24/7 monitoring. The discovery and lateral movement would have raised alerts within hours of the first sign-in, not four days later.
Network segmentation — the EMR server shouldn't have been reachable from a front-desk workstation in the first place.
Quarterly phishing simulation and training — staff who've seen the trick before don't fall for it.
We build all six into every engagement. Start with a free assessment to see which ones your clinic is missing today.
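The geo-blocking policy from the list above, as an added example rather than Northline's own tooling. It uses the Microsoft Graph PowerShell SDK, which is assumed to be installed and connected with an account holding the Policy.ReadWrite.ConditionalAccess permission. The break-glass group ID is a placeholder you must replace; the policy is created in report-only mode so you can check the sign-in log for collateral blocks before enforcing it.

```powershell
# Added example, not code from the original page.
# Assumes the Microsoft.Graph PowerShell SDK and an admin with
# Policy.ReadWrite.ConditionalAccess (and Policy.Read.All) consent.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location covering Canada only. Sign-ins whose country cannot be
#    resolved are NOT counted as Canada, so they fall through to the block.
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}

# 2. Hypothetical object ID of a break-glass admin group (replace with yours).
#    Never point a block policy at All users without an exclusion you control.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# 3. The policy: every user, every cloud app, any location except Canada -> block.
#    Created in report-only mode; flip state to "enabled" after reviewing the
#    "Report-only" results in the Entra sign-in log.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA001 - Block sign-ins from outside Canada"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Created '$($policy.DisplayName)' in state $($policy.State)"
```

Two practical notes. First, leave the policy in report-only for at least a week of normal clinic traffic; travelling physicians and vendors with foreign support desks are the usual surprises. Second, this policy only blocks the crude case. An attacker who proxies through a Canadian IP address satisfies the location condition, so the policy is a complement to phishing-resistant MFA, not a substitute for it.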
The recovery — and the lesson
The clinic was back to full operations in 17 days. The Information and Privacy Commissioner (IPC) notification, patient letters, and college reporting took another six weeks. The total cost, including lost revenue, recovery, legal, and credit monitoring for affected patients, ran to roughly $410,000, more than double the ransom they didn't pay.
Every one of the six controls listed above costs less than a single day of clinic revenue. The math is not subtle.
Key takeaways
- Immutable, off-network backups are the single most important control.
- Phishing simulation pays for itself the first time it works.
- Ransomware crews exfiltrate before they encrypt — assume both happened.
- Conditional access blocking foreign sign-ins is a one-day project that stops the many attacks launched directly from foreign infrastructure, though not an attacker who routes through a local IP address.
- The total cost of a clinic ransomware incident dwarfs the cost of preventing one.
