The Small Practice Bullseye
When most people think of healthcare cyberattacks, they picture massive hospital breaches making national news. But the reality we see every day at Expert IT Operations is different. Small medical practices with 5 to 50 employees are getting hit at an alarming rate, and most of them never make the headlines.
The reason is straightforward: these practices hold the same protected health information (PHI) that makes healthcare data so valuable on the black market, but they rarely have dedicated IT security staff, current endpoint protection, or tested backup strategies. To a ransomware operator, that combination is irresistible.
Why Healthcare Data Commands a Premium
A stolen credit card number sells for a few dollars. A complete medical record with Social Security number, insurance details, and health history can fetch $250 or more. That price reflects how hard medical identity theft is to detect and how long it takes to resolve. Patients may not realize their information has been misused until fraudulent claims appear months later.
For a practice with 5,000 patient records, the value of that data to criminals is staggering. And unlike a compromised bank account, which can be frozen and reissued, a patient's date of birth and medical history can't be changed once they have leaked.
Common Entry Points We See
In our 40+ years supporting medical offices across New Jersey, the attack vectors repeat themselves. Phishing emails disguised as insurance correspondence or EMR vendor notifications remain the top entry point. Staff click a link, enter credentials on a spoofed page, and attackers have a foothold within minutes.
Unpatched systems are the second most common issue. Many small practices run older operating systems because their EMR vendor hasn't certified a newer version. That leaves known vulnerabilities wide open. Remote Desktop Protocol (RDP) exposed directly to the internet, often set up years ago for "convenience," rounds out the top three.
The Real Cost Goes Beyond the Ransom
Paying the ransom, which averaged $197,000 for small healthcare organizations in 2024, is only the beginning. Downtime while systems are restored means cancelled appointments and lost revenue. HIPAA breach notification requirements mean legal costs and potential fines. And the reputational damage with patients is hard to quantify but very real.
We've seen practices lose weeks of productivity after an attack. One client came to us after paying a ransom and still not getting all their data back. The attackers provided a decryption key that only partially worked, and the practice had no viable backups to fall back on.
What You Can Do Today
Start with the basics: enforce multi-factor authentication on every account that touches patient data, keep systems patched on a documented schedule, and implement a real backup strategy with offsite copies that get tested regularly. Train your staff on phishing recognition, not once a year but quarterly.
If your practice doesn't have an incident response plan, create one. Know who you're calling, what systems get isolated, and how you'll communicate with patients before an attack happens. The practices that recover fastest are the ones that planned ahead.