July 18, 2025
This is the story of what happens when
the worst happens—and how one administrator turned a crisis into a catalyst for
change.
In March, a 96-bed nursing facility in
Northwest Ohio was hit with ransomware. An employee opened a phishing email
that appeared to be a vendor invoice. Within hours, their EMR system, staff
scheduling software, and internal Wi-Fi were encrypted. The attackers demanded
$150,000 in bitcoin.
Fortunately, the facility had recently
completed a tabletop drill that included verification of their backup systems.
As part of that exercise, IT confirmed that backups were not only present but
fully operational and routinely tested. This one step—verifying and confirming
clean backups—proved to be the key to their recovery. It gave the leadership
team confidence to respond without panic and refuse to pay the ransom.
Here's how the facility responded:
- The administrator activated
their Incident Response Plan.
- IT isolated infected systems
and verified that backup files were clean.
- A crisis communication team
notified families and the ODH.
- The team refused to pay the
ransom and began restoring data from backups.
According to McKnight's LTC News, 1 in
3 healthcare providers hit by ransomware experience permanent data loss. But
this facility had practiced a tabletop drill just two months earlier. Roles
were clear. No one panicked.
"You
don't rise to the occasion; you fall to your level of training." - Atul Gawande
Still, it wasn't easy. Payroll was
delayed. Staff logged meds by hand for two days. But they stayed calm. By day
five, systems were restored.
Compare that to another Ohio facility
that had no plan. After a similar breach, they paid the ransom—and still lost
access. Regulators were notified late, and the facility faced citations, family
lawsuits, and a reputation crisis.
"Bad
news doesn't get better with time." - Jim Collins
This case is a reminder: it's not about
avoiding every threat—it's about being ready to respond.
What would your staff do if this happened
next week?
