Background
A multi-physician outpatient clinic in the San Juan metro area had grown significantly over a three-year period, expanding from a single location to two sites with a combined team of 35, including physicians, nurses, administrative staff, and billing coordinators. The expansion had moved quickly, and while the clinical side of the practice scaled smoothly, the IT infrastructure had not kept pace.
Patient records, scheduling systems, billing platforms, and internal communications all ran across a shared network that had never been formally segmented or audited for security vulnerabilities. Remote desktop access, set up during the COVID-19 period to allow staff to work from home, had never been properly secured or reviewed since. Default credentials on several remote access points had never been changed.
The clinic had HIPAA compliance documentation on file. But documentation and actual security posture are two very different things.
Challenge
At 2:17 AM on a Friday morning, ransomware began encrypting files across the clinic’s network.
The attackers had gained entry weeks earlier through an unpatched Remote Desktop Protocol (RDP) vulnerability, one of the most commonly exploited entry points for ransomware groups targeting healthcare organizations. After establishing access, they moved quietly through the network, escalating privileges, identifying backup systems, and mapping the full environment. When they finally triggered the ransomware deployment, they did so simultaneously across both clinic locations to maximize disruption.
By the time the first staff member arrived at 7:45 AM, every workstation was locked. The patient scheduling system showed only a black screen. The electronic health records platform was inaccessible. The billing system was down. And on every monitor, the same ransom note: $85,000 in Bitcoin, within 72 hours, or all data would be permanently destroyed.
Staff members began calling patients to cancel the day’s appointments. Physicians had no access to patient histories. The clinic’s administrator, panicked and unsure whether their data was already gone, called Armour 360 at 8:02 AM.
Action
Armour Cybersecurity’s incident response team was engaged within minutes of the call. Our first priority was containment, preventing the ransomware from spreading further across any unaffected systems or reaching connected third-party platforms.
We remotely isolated the affected network segments within the first 30 minutes, cutting off the ransomware’s ability to continue encrypting files or communicating with the attackers’ command-and-control infrastructure. A forensic investigation was launched in parallel to determine the attack’s origin, timeline, and scope.
Over the next several hours, our team:
- Confirmed the RDP exploitation vector and identified the specific vulnerability used to gain initial access
- Assessed the integrity of the clinic’s backup systems; critically, Armour Cybersecurity had previously worked with the clinic to establish clean, air-gapped backups that the attackers had been unable to reach
- Began restoration procedures from the most recent clean backup set, prioritizing patient records and scheduling systems first
- Conducted a HIPAA breach assessment in parallel, working with the clinic’s administrator to document the incident, evaluate whether Protected Health Information (PHI) had been exfiltrated, and prepare appropriate notification documentation
- Patched the RDP vulnerability that had served as the entry point and disabled all remote desktop access pending a full security review
- Implemented network segmentation between the two clinic locations to prevent any future lateral movement across sites
- Replaced default credentials on every networked device across both locations
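The backup-integrity step above is the one that decided the outcome, and the check it implies is worth seeing concretely. The script below is an added example, not Armour Cybersecurity's tooling or anything the clinic ran; it assumes a backup set stored as a directory tree with a MANIFEST.json written at backup time (relative path, SHA-256 digest and a restore category per file; a hypothetical format). It verifies every manifest entry, flags anything that looks like ransomware residue (missing or altered files, unexpected files, ransomware-style extensions, near-random content) and emits a restore order that puts patient records and scheduling first, the same prioritisation the case study describes. The sample backup is constructed in a temporary directory and contains no real data.

```python
"""Restore-readiness check for a backup set (added example, hypothetical manifest format)."""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Constructed, illustrative list of extensions ransomware families commonly append.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Restore order: patient records first, then scheduling, then billing (assumed categories).
PRIORITY = {"ehr": 0, "scheduling": 1, "billing": 2}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0, plain records well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(backup_root: Path) -> dict:
    """Check a backup tree against its manifest; return clean files, problems and a restore plan."""
    manifest = json.loads((backup_root / "MANIFEST.json").read_text())
    expected = {entry["path"]: entry for entry in manifest["files"]}
    ok, bad = [], []
    # 1. Every manifest entry must be present and byte-for-byte identical to what was backed up.
    for rel, entry in expected.items():
        p = backup_root / rel
        if not p.exists():
            bad.append((rel, "missing"))
        elif sha256_of(p) != entry["sha256"]:
            bad.append((rel, "digest mismatch"))
        else:
            ok.append(rel)
    # 2. Anything on disk that the manifest does not know about was written after the backup
    #    and is suspect; classify the likely reason for the responder.
    for p in backup_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_root).as_posix()
        if rel == "MANIFEST.json" or rel in expected:
            continue
        if p.suffix in RANSOM_EXTENSIONS:
            reason = "ransomware-style extension"
        elif shannon_entropy(p.read_bytes()[:4096]) > 7.5:
            reason = "high-entropy content"
        else:
            reason = "unexpected file"
        bad.append((rel, reason))
    # 3. Restore only verified files, highest-priority category first.
    plan = sorted(ok, key=lambda rel: (PRIORITY.get(expected[rel]["category"], 99), rel))
    return {"ok": ok, "bad": sorted(bad), "plan": plan}


def build_sample_backup() -> Path:
    """Construct a toy backup set, then damage it the way a reachable backup would be (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="clinic-backup-"))
    files = {
        "ehr/patients.csv": (b"id,name,dob\n1,PLACEHOLDER,1970-01-01\n", "ehr"),
        "ehr/notes.txt": (b"visit notes placeholder\n", "ehr"),
        "scheduling/calendar.ics": (b"BEGIN:VCALENDAR\nEND:VCALENDAR\n", "scheduling"),
        "billing/ledger.csv": (b"invoice,amount\n1001,120.00\n", "billing"),
    }
    manifest = {"files": []}
    for rel, (content, category) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        manifest["files"].append({"path": rel, "sha256": sha256_of(p), "category": category})
    (root / "MANIFEST.json").write_text(json.dumps(manifest))
    # Simulated tampering: one record overwritten, one deleted, two files the manifest never saw.
    (root / "ehr/notes.txt").write_bytes(b"\x00garbage")
    (root / "billing/ledger.csv").unlink()
    (root / "billing/invoices.db.locked").write_bytes(b"xx")
    (root / "scheduling/blob.bin").write_bytes(
        b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(128)))
    return root


if __name__ == "__main__":
    report = verify_backup(build_sample_backup())
    for rel, reason in report["bad"]:
        print(f"DO NOT RESTORE  {rel:32s} {reason}")
    for rel in report["plan"]:
        print(f"RESTORE         {rel}")
```

Run against a copy of the backup, not the air-gapped original, so the check itself cannot alter the set of record. The point the example makes is the one the case study makes in prose: a backup is only usable if its integrity can be proven before restoration begins, and an air gap is what keeps the manifest and the files it describes from being rewritten by the same actor that encrypted production.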
The team worked through the weekend without interruption. Physicians were provided with limited read-only access to critical patient records within 18 hours to allow urgent care to continue. Full system restoration was completed by Sunday afternoon.
Impact
- Full operations restored in 61 hours — no ransom paid
- Zero patient data confirmed exfiltrated — forensic investigation found no evidence of data leaving the network
- HIPAA breach assessment completed — documented as contained, no mandatory breach notification required
- Critical RDP vulnerability patched and all remote access secured
- Network segmentation implemented across both clinic locations
- Air-gapped backup strategy validated — the pre-established backup protocol was the single most important factor in avoiding ransom payment
- Ongoing 24/7 vulnerability scanning and threat monitoring now active across both sites
Conclusion
The $85,000 ransom demand was never paid. Not because the attackers backed down, but because Armour had already done the work to make paying unnecessary.
The backup infrastructure that made recovery possible wasn’t set up in response to this attack. It was set up before it. That’s the difference between reactive cybersecurity and proactive cybersecurity, and in this case, that difference was worth $85,000 in ransom, an unknowable amount in potential HIPAA fines, and the trust of hundreds of patients whose records could have been exposed or held hostage.
Healthcare is one of the most targeted sectors for ransomware globally, precisely because the stakes are so high and the infrastructure is so often underprepared. This clinic is now one of the best-protected outpatient practices in its region, with continuous monitoring, tested recovery procedures, and a team that knows exactly what to do if it ever happens again.
