Cyber Risk

We've Been Robbed: The Crippling Effects of Ransomware

Every practice is a potential target for a ransomware attack and the cost can be enormous -- there are steps to take to be better protected.

Cyber attackers hide ransomware in innocent-looking e-mails with links or attachments. Often, the senders appear to be individuals from within your own organization. Unaware physicians, other health care professionals, and practice staff click on the link or open the attachment, releasing the malware and infecting the practice’s computer system and everything in it. Out-of-date hardware and software are especially susceptible.

Malware can work in the background for days or months before practices suddenly cannot open or read files, access schedules, transmit electronic prescriptions, and update payroll or accounts receivable. Malware affects every aspect of the practice’s operations and patients’ care.

The Rise of Double and Triple Extortion

Cyber attackers have advanced to double and triple extortion schemes. Double extortion occurs when attackers steal data, demand a ransom, and threaten to leak or sell the data if the organization refuses to pay. Triple extortion takes the scheme a step further: attackers demand a ransom from both the organizational owner of the data and individual data owners, e.g., patients and their family members.

Check Point Technologies Ltd. researchers say, “[The] creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique.”1 Data leaks occurred in 72% of U.S. health care ransomware incidents tracked by HC3 in 2021.2 Double and triple extortion attacks in medical practices continue to rise. Patients’ Social Security numbers, prescriptions, clinical information, date of birth, family information, and health insurance information may be exposed on the dark web as retribution for not paying the ransom and even after a ransom is paid. In the past year, most attacks occurred “over weekends and holidays when people are less likely to be watching”3 but ransomware phishing e-mails can trick even the most diligent employee.4

Risk Mitigation Checklist 


Click here to read the full article in the latest issue of our quarterly publication, Risk Advisor.

MICA Members:
How to Report a Cyber Attack or Data Breach
If your medical practice has been the victim of a cybersecurity attack or data breach, time is of the essence. Potential cyber-related claims should be reported as soon as possible.
    • Call MICA at 800-352-0402 Monday – Friday 8:30 a.m. – 5:00 p.m. MST

    • For urgent matters that occur outside of regular business hours, contact Tokio Marine HCC’s breach support team by calling 888-627-8995. Please be prepared to identify yourself as a MICA policyholder and provide a declaration page or coverage form, if available.

The Tokio Marine HCC Claim Department will work with MICA the next business day to collect any additional information regarding the incident. Note: MICA policyholders may bear any costs associated with the claim until coverage is verified.

1 Check Point Technologies Ltd. (2021). The new ransomware threat: Triple extortion.

2 U.S. Department of Health and Human Services Office of Information Security. (2021). Ransomware trends 2021, at p9.

3 Check Point Technologies Ltd. (2021)

4 Id.

5 Volynkin, A. Morales, J., and Horneman, A. (2017). Ransomware: Best practices for prevention and response. Carnegie Mellon University, Software Engineering Institute, SEI Blog. (Accessed Jul 29, 2021)

The content of this publication or presentation is intended for educational purposes only; is not an official position statement of Mutual Insurance Company of Arizona (MICA); and should not be considered or relied upon as professional, medical, or legal advice or as a substitute for your professional judgment. Consult your attorney about your individual situation and the applicable laws. The authors, presenters, and editors made a reasonable effort to ensure the accuracy of the information at the time of publication or presentation but do not warrant or guarantee accuracy, completeness, or currency of such information. As medical and legal information is constantly changing and evolving, check for updated information and consult your attorney before making decisions.
