Here's a number that should bother you: ransomware attacks on healthcare surged 58% in 2025.
Most people picture ransomware hitting large hospital systems — the kind of attack that makes national news. And those happen. But 26% of healthcare ransomware attacks now hit secondary institutions: dental offices, small medical practices, nursing homes.
In May 2025, a single-location dental office in Washington state — 32 Pearls — was hit with ransomware that compromised over 23,000 patient records. One location. One attack. Names, insurance information, personal identifiers — all exposed.
You don't have to be big to be a target. You just have to have patient data and weak defenses.
What Ransomware Actually Does
Ransomware is malware that encrypts your files — every document, every patient record, every appointment note — and locks you out until you pay. Attackers demand payment (usually in cryptocurrency) for the key to unlock your own data.
For a small practice, the practical impact is:
You can't access your scheduling system. No appointments, no records.
You can't access patient files. Clinical work stops or becomes dangerously incomplete.
You're looking at days or weeks of downtime — even after paying or recovering.
The average recovery cost (not counting any ransom paid) is still over $1 million for healthcare organizations. For small practices, costs are lower in absolute terms but devastating relative to size — a week of downtime at a solo practice can cost $10,000-$50,000 in lost revenue alone, plus notification costs if patient data was exposed.
How It Gets In
Ransomware doesn't magically appear. It almost always enters through one of three doors:
A phishing email. Someone on your staff clicks a link or opens an attachment that installs the malware. We covered AI-enhanced phishing in Issue #1 — this is exactly where it leads.
Weak or reused credentials. Attackers log into your remote access tools (remote desktop, VPN, cloud apps) using passwords stolen from other breaches. We covered password managers in Issue #2.
Unpatched software. Old versions of Windows, outdated practice management software, or plugins that haven't been updated in months often have known vulnerabilities attackers actively exploit.
Two of these three doors — phishing and weak passwords — you've already started closing if you've been reading this newsletter.
Three Steps to Take This Week
Turn on automatic updates — and actually let them run.
Go to Windows Update (Settings > Windows Update) and make sure updates are set to download and install automatically. When your computer asks you to restart to apply updates, don't click "Remind me later" for three weeks. Let it restart. Updates close the doors ransomware walks through.
For your practice management software: check with your vendor about their update process. If your software is more than two major versions behind, ask them directly about your exposure.
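If you or your IT contact want a quick way to confirm the update step is really done, this added example (not from the newsletter) reports whether a Windows PC is set to update itself, whether it is sitting on a postponed restart, and how long ago the last update landed. It reads the standard Windows Update policy and reboot-flag registry keys; run it in an elevated PowerShell window.

```powershell
# Added example: Windows Update health check for one PC. Output is a single object
# with a plain-English verdict. The 45-day threshold is an assumption, not a Microsoft value.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$policy = if (Test-Path $au) { Get-ItemProperty -Path $au } else { $null }

# NoAutoUpdate = 1 means automatic updating was switched off by policy.
# AUOptions = 4 means "download and install automatically". No policy key at all
# means the Windows default (automatic) applies.
$autoOff = ($null -ne $policy) -and ($policy.NoAutoUpdate -eq 1)
$auto    = (-not $autoOff) -and
           ($null -eq $policy -or $null -eq $policy.AUOptions -or $policy.AUOptions -eq 4)

# Installed updates do not protect the machine until the postponed restart happens.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

# Most recently installed update (Get-HotFix lists installed KBs with their install date).
$lastFix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSince = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

$verdict = if (-not $auto)          { 'Turn automatic updates back on' }
           elseif ($rebootPending)  { 'Restart this PC now to finish installing updates' }
           elseif ($null -eq $daysSince -or $daysSince -gt 45) { 'No update in 45+ days; open Windows Update' }
           else                     { 'OK' }

[pscustomobject]@{
    AutomaticUpdates = $auto
    RebootPending    = $rebootPending
    LastUpdateKB     = if ($lastFix) { $lastFix.HotFixID } else { $null }
    DaysSinceUpdate  = $daysSince
    Verdict          = $verdict
}
```

Run it on each front-desk and back-office PC; any result other than OK is the one to act on first.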
Get a real backup — off your main network.
The only way to recover from ransomware without paying is having a clean backup. That backup needs to be:
Recent — ideally daily, at minimum weekly
Separate — not on the same computer or network drive (ransomware encrypts those too)
Tested — you've actually tried restoring from it at least once
Options: a dedicated external drive kept offline when not in use, or a cloud backup service like Backblaze ($99/year for a single computer). This is the cheapest insurance you can buy.
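"Recent, separate, tested" is a checklist you can run rather than just read. The following is an added example (not from the newsletter or any backup vendor) for the external-drive option: it assumes your practice files live under $DataPath and your backup tool mirrors that folder tree to $BackupPath, and it scores the backup on all three criteria, including a real one-file restore. For a cloud service the "separate" part is inherent and only the restore test applies.

```powershell
# Added example: score a mirrored backup as Recent / Separate / Tested.
# $DataPath and $BackupPath are assumptions; change them to your own locations.
param(
    [string]$DataPath   = 'C:\PracticeData',
    [string]$BackupPath = 'E:\PracticeBackup',
    [int]   $MaxAgeDays = 1          # "Recent": daily; use 7 for a weekly schedule
)
$result = [ordered]@{ Recent = $false; Separate = $false; Tested = $false }

# Recent: the newest file anywhere in the backup tree must be younger than $MaxAgeDays.
$newest = Get-ChildItem -Path $BackupPath -Recurse -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($newest) {
    $age = (Get-Date) - $newest.LastWriteTime
    $result.Recent = $age.TotalDays -le $MaxAgeDays
    Write-Host "Newest backup file: $($newest.FullName) ($([int]$age.TotalHours) hours old)"
} else {
    Write-Host "No files found under $BackupPath"
}

# Separate: a different drive than the data, not the Windows drive, and not a network
# drive or share (ransomware encrypts everything the PC can reach, mapped drives included).
# Whether the external drive is unplugged between backups cannot be checked from here.
$dataRoot   = [System.IO.Path]::GetPathRoot($DataPath).TrimEnd('\')
$backupRoot = [System.IO.Path]::GetPathRoot($BackupPath).TrimEnd('\')
$isNetwork  = $backupRoot.StartsWith('\\') -or
              ((New-Object System.IO.DriveInfo("$backupRoot\")).DriveType -eq 'Network')
$result.Separate = ($backupRoot -ne $dataRoot) -and
                   ($backupRoot -ne $env:SystemDrive) -and (-not $isNetwork)

# Tested: restore the newest backup file to a scratch folder and compare it with the live
# copy. A mismatch on a file edited since the last backup is expected; a mismatch on an
# untouched file means the backup cannot be trusted.
if ($newest) {
    $scratch  = Join-Path $env:TEMP 'restore-test'
    New-Item -ItemType Directory -Path $scratch -Force | Out-Null
    $restored = Join-Path $scratch $newest.Name
    Copy-Item -Path $newest.FullName -Destination $restored -Force
    $relative = $newest.FullName.Substring($BackupPath.TrimEnd('\').Length).TrimStart('\')
    $live     = Join-Path $DataPath $relative
    if (Test-Path $live) {
        $result.Tested = (Get-FileHash $restored).Hash -eq (Get-FileHash $live).Hash
    } else {
        $result.Tested = Test-Path $restored   # no live twin: the restore must at least be readable
    }
}
[pscustomobject]$result
```

Three True values means the backup would actually get you back to work; any False is the gap to fix before you need it.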
Know who to call.
If ransomware hits, you need a response plan — even a one-page one. Write down:
Who on your staff is the first call
Your IT contact or managed service provider (if you have one)
Your cyber insurance carrier (if you have a policy)
Your practice management software vendor's emergency line
Having those numbers in a printed document somewhere in the office sounds basic. Most practices don't have it.
Quick Hits
HIPAA requires breach notification. If ransomware encrypts patient data, HIPAA's Breach Notification Rule likely applies — you may be required to notify affected patients and the HHS Office for Civil Rights. The notification window is 60 days from discovery. This is another reason backups matter: recovering quickly reduces breach scope.
Cyber insurance is worth looking into. Premiums for small healthcare practices have come down significantly. A basic policy covering ransomware response, notification costs, and business interruption can run $1,500-$3,000/year. We'll cover how to evaluate cyber insurance in a future issue.
Check your remote access. If anyone at your practice can log in remotely — to your scheduling system, patient records, or anything else — that login needs multi-factor authentication. If someone can log in with just a username and password, that's an open door.
The Bottom Line
Ransomware hitting a dental or medical office isn't a hypothetical anymore. It happened to a practice like yours last year. And the year before.
The good news: most small-practice ransomware attacks succeed because of basic gaps — outdated software, no backups, reused passwords — not because attackers are targeting you specifically. Fix the basics and you drop out of the easy-target pool.
Updates. Backups. Strong passwords. In that order, this week.
