You've just discovered that every file on your server is encrypted. Your EHR is down. Your appointment schedule is gone. There's a ransom note on your screen with a countdown timer and a Bitcoin address. What do you do?
This is a decision that dozens of small healthcare practices face every year — and it's a decision that almost none of them are prepared to make clearly under pressure. The clock is ticking, staff are standing around, patients are showing up for appointments you can't access, and someone is asking whether you want to transfer cryptocurrency to a criminal organization.
Here's everything you need to understand before that moment arrives.
The Official Guidance — and Its Limits
The FBI and CISA are consistent on this: don't pay the ransom. Their reasoning is sound. Paying funds criminal organizations. It doesn't guarantee recovery. And perhaps most importantly, it marks your practice as a paying target — meaning you're more likely to be hit again.
There's also a legal dimension that most practices don't know about. Many ransomware groups operate out of countries under U.S. Treasury OFAC sanctions — Russia, North Korea, Iran. If you pay a ransom to one of those groups, you may be in violation of U.S. sanctions law, even if you had no idea who they were when you paid. The Treasury Department's OFAC has issued advisories making clear that paying ransoms to sanctioned entities carries civil and potentially criminal liability for the victim — not just the attacker.
This is not theoretical. Practices that have paid ransoms have faced follow-up scrutiny from OFAC. A $100,000 ransom payment to the wrong group can create regulatory exposure on top of your breach notification obligations.
The Data Behind "Don't Pay"
Sophos's 2023 State of Ransomware in Healthcare report surveyed 381 healthcare organizations that experienced ransomware attacks. The findings challenge the assumption that paying resolves the problem:
- 46% of organizations that paid the ransom did not recover all of their data
- The average ransom payment in healthcare was $197,000 in 2023
- Average recovery time after paying: 3–4 weeks — roughly the same as not paying
- Healthcare had the highest rate of data encryption (75%) of any sector studied
- Only 22% of healthcare organizations stopped an attack before data was encrypted
There's another dimension that changes the calculation entirely: double extortion. Modern ransomware groups don't just encrypt your files — they exfiltrate them first. That means even if you pay and get a working decryption key, the attackers already have a copy of your patient data. Paying doesn't stop them from publishing it, selling it, or using it for additional extortion later.
Paying the ransom is not recovery. It's buying a decryption key that may or may not work, from criminals who have no obligation to honor the deal — and who already have a copy of your data regardless of what you pay.
When Practices Pay Anyway — and Why
Despite the official guidance and the unfavorable statistics, many healthcare practices do pay. Understanding why helps clarify what the actual decision factors are.
Patient safety. When your EHR is down and you have active patients with complex medication regimens, upcoming surgeries, or chronic care continuity needs, the calculus changes. A mental health practice can't safely manage its caseload from memory. A primary care clinic with immunocompromised patients can't afford three weeks of manual workarounds. The ransom decision is sometimes a patient safety decision, and that's a legitimate consideration.
Cyber insurance coverage. Many cyber liability policies cover ransom payments. When a carrier is paying the ransom — not you — the financial calculus shifts. Carriers often have ransomware negotiators on staff and relationships with groups that can sometimes reduce demands significantly (40–60% is common).
Cost comparison. $100,000 in ransom vs. $400,000 in downtime, recovery labor, forensics, and notification — practices do this math. It's not irrational, even if it's not advisable from a systemic standpoint.
Time pressure. Many groups publish data if payment doesn't arrive within 72 hours. The threat of a public data dump — with patient records searchable online — can feel more urgent than the threat of continued downtime.
But here's the pattern that underlies almost every case where a practice feels they have no choice: they don't have good backups. When you can restore from a clean backup made 24 hours ago, the ransom conversation ends immediately. When you can't, the criminals have leverage they shouldn't have.
The Only Thing That Actually Determines Your Outcome
This is the part of the ransom conversation that almost never gets said plainly enough.
If you have clean, current, tested offsite backups, you don't pay. You restore. Your downtime is days, not weeks. Your data is yours. The attack is an incident, not a catastrophe.
If you don't have reliable backups — or if your backups were also encrypted because they were on the same network — you are negotiating with criminals or losing your data. Those are your options.
The ransom decision is almost always made 6 months before the attack, when someone decided whether or not to implement and test a proper backup strategy. The 72-hour deadline feels like the decision point, but it isn't. By then, the outcome is largely predetermined.
The right question isn't "would I pay the ransom?" The right question is: "If I came in tomorrow and every file was encrypted, could I restore from backup within 48 hours?" If the answer is anything other than a confident yes, that's the gap to fix.
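A way to turn that question into something a practice can actually answer on a schedule is to score each backup copy against the four properties the article names: clean (integrity verified), current (made within the last 24 hours), tested (a full restore has been rehearsed and finished inside the 48-hour target) and offsite (not reachable from the network the EHR sits on). The checker below is an added example, not code from the article; the manifest fields, the 90-day restore-drill policy and the three sample backup records are constructed for illustration, and a real deployment would populate them from the backup product's job history.

```python
"""Backup readiness check for "could I restore within 48 hours?"

Added example (not from the original article). The BackupCopy record, the
threshold constants and the sample data below are assumptions chosen to
illustrate the article's criteria: clean, current, tested, offsite.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_BACKUP_AGE = timedelta(hours=24)       # "current": a copy made within the last 24 hours
MAX_TEST_RESTORE_AGE = timedelta(days=90)  # "tested": restore drill within the quarter (assumed policy)
MAX_RESTORE_WINDOW = timedelta(hours=48)   # the article's 48-hour recovery target


@dataclass
class BackupCopy:
    name: str
    completed_at: datetime                     # when the last successful backup job finished
    location: str                              # "same_network", "offsite" or "offsite_immutable"
    integrity_verified: bool                   # checksums matched after the last job
    last_test_restore: Optional[datetime]      # when a full restore was last rehearsed, if ever
    last_restore_duration: Optional[timedelta] # how long that rehearsal took


def assess(copy: BackupCopy, now: datetime) -> List[str]:
    """Return every reason this copy would NOT end the ransom conversation.

    An empty list means the copy is clean, current, tested and offsite.
    """
    problems: List[str] = []
    if copy.location == "same_network":
        problems.append("reachable from the production network: whatever encrypts the EHR can encrypt this too")
    if now - copy.completed_at > MAX_BACKUP_AGE:
        problems.append(f"stale: last successful backup was {now - copy.completed_at} ago")
    if not copy.integrity_verified:
        problems.append("integrity unverified: may be corrupt or partially encrypted")
    if copy.last_test_restore is None:
        problems.append("never test-restored: unknown whether it can be restored at all")
    elif now - copy.last_test_restore > MAX_TEST_RESTORE_AGE:
        problems.append("restore drill overdue: last rehearsal older than 90 days")
    elif copy.last_restore_duration is None or copy.last_restore_duration > MAX_RESTORE_WINDOW:
        problems.append("last rehearsal took longer than the 48-hour recovery target")
    return problems


def readiness_report(copies: List[BackupCopy], now: datetime) -> Dict[str, List[str]]:
    """Map each backup copy's name to its list of problems (empty list = usable)."""
    return {c.name: assess(c, now) for c in copies}


def can_restore_within_48h(copies: List[BackupCopy], now: datetime) -> bool:
    """True only if at least one copy passes every check; that copy is the one you restore from."""
    return any(not assess(c, now) for c in copies)


# Constructed sample manifest: a fresh NAS on the office LAN, an immutable cloud
# copy with a recent restore drill, and an offsite tape that was never tested.
SAMPLE_NOW = datetime(2024, 3, 12, 8, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("office-nas", SAMPLE_NOW - timedelta(hours=6), "same_network", True,
               SAMPLE_NOW - timedelta(days=20), timedelta(hours=4)),
    BackupCopy("cloud-immutable", SAMPLE_NOW - timedelta(hours=10), "offsite_immutable", True,
               SAMPLE_NOW - timedelta(days=30), timedelta(hours=36)),
    BackupCopy("offsite-tape", SAMPLE_NOW - timedelta(days=9), "offsite", True,
               None, None),
]

if __name__ == "__main__":
    for name, problems in readiness_report(SAMPLE_COPIES, SAMPLE_NOW).items():
        status = "OK" if not problems else "NOT USABLE"
        print(f"{name}: {status}")
        for p in problems:
            print(f"  - {p}")
    print("Restore within 48h possible:", can_restore_within_48h(SAMPLE_COPIES, SAMPLE_NOW))
```

Run on the sample data, the NAS fails only because it sits on the same network as the systems it protects, the tape fails for being stale and never rehearsed, and the immutable cloud copy passes; the practice's answer is "yes" solely because of that one copy. Removing it from the manifest flips the answer to "no", which is exactly the situation the article describes as being predetermined months before the attack.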
The Real Cost Calculation
The ransom payment, if it happens, is never the whole number. Here's what a realistic breach cost picture looks like for a small to mid-size healthcare practice:
| Cost Item | Typical Range |
|---|---|
| Ransom payment (if paid) | $50,000 – $300,000 |
| Forensics firm (required by most cyber insurers) | $15,000 – $50,000 |
| Downtime: 2–4 weeks lost revenue | $40,000 – $200,000+ |
| Recovery labor (rebuilding systems, restoring data) | $20,000 – $80,000 |
| Patient notification (printing, mailing, call center) | $5,000 – $30,000 |
| HIPAA breach reporting, OCR investigation, legal fees | $10,000 – $100,000+ |
| Patient churn and reputation damage | Hard to quantify, real |
| Real-world example: mid-size dental group | $65K ransom + $312K other = $377K total |
Cyber insurance, when properly scoped and maintained, covers many of these line items. But coverage has limits, deductibles, and exclusions — and premiums have increased significantly as ransomware claims have risen. The economics of good security controls and tested backups compare favorably to the economics of a breach in almost every scenario.
What To Do the Moment You Discover an Attack
If your systems are showing signs of an active ransomware attack — encrypted files, ransom notes, anything you can't explain — here is the sequence that matters:
- Isolate immediately. Disconnect affected systems from the network. Unplug Ethernet cables. Disable Wi-Fi. The goal is to stop the spread before more systems are encrypted. Do not turn off the machines — some forensic evidence lives in RAM and is lost on shutdown.
- Call your IT provider. They need to assess scope, contain the spread, and begin the documentation required for insurance and reporting.
- Call your cyber insurance carrier. Do this before you do almost anything else. Carriers activate incident response teams — forensics, legal, negotiators — and most policies require notification within a specific window. Taking actions before involving your carrier can create coverage complications.
- Contact the FBI. Call 1-800-CALL-FBI or report at ic3.gov. The FBI's ransomware unit sometimes has decryption keys for known groups and can provide intelligence about who you're dealing with. This doesn't cost you anything and it matters.
- Do not pay anything until you've consulted your insurance carrier, a qualified attorney, and checked the OFAC sanctions list. Your carrier almost certainly has people who handle this professionally.
- Document everything. Screenshots of ransom notes, timestamps, which systems are affected, when you first noticed — all of this is required for breach notification, OCR reporting, and insurance claims.
One thing you should not do: Google the ransomware group, send them a test message, or attempt negotiation on your own before your insurer and legal counsel are involved. Amateur negotiation has made outcomes worse in documented cases.
The best time to think through the ransom decision is right now, not at 2am on a Tuesday when your screens are showing countdown timers. The question isn't "would I pay?" — it's "will I be in a position where I have to?" That comes down to backups, incident response planning, and how protected your systems are before anything goes wrong.
If you're not sure where your practice stands on any of those, that's the conversation worth having.