Case Study — Incident Response

Ransomware Hit on a Thursday.
Patients Back in Chairs on Monday.

A Dallas-area group practice lost access to their imaging server and patient records at 9 p.m. By Monday morning, every operatory was running. Here is what happened.

Anonymization notice: This case study is anonymized and represents a composite of real incident response engagements. Specific details — including the practice name, exact location, staff count, and software versions — have been changed to protect client confidentiality. The technical sequence and outcome metrics reflect real events.

4 days: Full recovery time
0: Missed appointments
3: Rescheduled (by choice)
$0: Ransom paid

The Challenge

What the Practice Was Up Against

The practice was a 6-operatory group in the Dallas-Fort Worth area — one location, two dentists, and a staff of nine. They had been running Eaglesoft on a Windows Server 2016 box that also served as their imaging server for a CBCT unit and two digital sensor sets. A local NAS device sat on the same network and handled nightly backups.

Their previous IT provider was a small generalist shop that had done reasonable work keeping the day-to-day running. Antivirus was an older consumer-grade product. Backups ran on a schedule but had not been tested with a restore in over a year. There was no endpoint detection and response, no email filtering beyond what Microsoft 365 included by default, and no network segmentation separating clinical workstations from the administrative machines.

On a Thursday evening, a staff member opened a link in what appeared to be a billing-related email. By 9 p.m., ransomware had encrypted the Windows Server, the NAS, and three of the nine workstations. The practice manager discovered the attack when she logged in remotely to pull a report. Every clinical and administrative file — including the entire Eaglesoft database and all imaging data — showed the .locked extension. The ransom note demanded $47,000 in cryptocurrency within 72 hours.

The practice called their previous provider, who told them they should "contact a cybersecurity firm" and did not have an incident response plan on file. They found Siotek through a referral from their dental supply rep at 7:30 Friday morning.

The Approach

Containment First. Recovery Second.

The first call lasted 45 minutes. Before anything else, the Siotek engineer walked the practice manager through disconnecting the affected machines from the network: pulling Ethernet cables, disabling Wi-Fi, and powering down the already-encrypted NAS so the ransomware could not spread further. Unplugging the network rather than powering off is the better default for any machine headed to forensics, since a shutdown discards volatile memory. Of the six workstations that had not been encrypted, three were confirmed clean and isolated.

The second priority was cyber insurance. The practice had a cyber liability policy they had purchased two years prior and largely forgotten about. Siotek helped them locate the policy documentation, identify the insurer's incident response hotline, and make the initial notification call before 10 a.m. Friday. That call started the clock on their insurer's forensics team and would later be significant for reimbursement eligibility.

The third discovery was the most important one of the entire engagement: the practice had switched backup vendors two months before the attack. Their previous provider had used a local NAS-only backup, which was now encrypted. The new vendor used Azure immutable blob storage with a 30-day retention policy. Because a time-based retention policy is enforced by the storage service itself, the Wednesday-night backup could not be overwritten or deleted before the 30 days elapsed: not by the ransomware, not by anyone holding the backup agent's credentials, and, once the policy is locked, not even by the storage account's own administrators. The backup was completely intact. The ransomware had never touched it.
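Configured with the Az PowerShell module, a locked 30-day time-based retention policy of the kind that saved this practice's Wednesday backup looks like the following. This is an added example, not Siotek's script or the practice's actual configuration; the resource group, storage account and container names are hypothetical, and it assumes an already authenticated Az session.

```powershell
# Added example; not Siotek's script or the practice's configuration.
# Assumes the Az.Storage module, an authenticated session (Connect-AzAccount) and an
# existing storage account. Resource group, account and container names are hypothetical.
$rg        = 'rg-dental-backups'
$account   = 'stdentalbackups01'
$container = 'eaglesoft-backups'

$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
if (-not (Get-AzStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $container -Context $ctx | Out-Null
}

# 1. Time-based retention: every blob is read-only for 30 days after it is written.
#    The storage service enforces this, so a compromised backup agent or a stolen
#    account key cannot overwrite or delete yesterday's backup.
$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -ImmutabilityPeriod 30

# 2. Lock the policy. An unlocked policy can be removed by anyone with control-plane
#    rights on the account, which defeats the purpose. A locked policy cannot be
#    deleted and its retention period can only be lengthened.
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -Etag $policy.Etag -Force

# 3. Prove it: write a probe blob, then try to delete it. The delete must fail.
$probe = New-TemporaryFile
'immutability probe' | Set-Content $probe
Set-AzStorageBlobContent -File $probe -Container $container -Blob 'probe.txt' `
    -Context $ctx -Force | Out-Null
try {
    Remove-AzStorageBlob -Container $container -Blob 'probe.txt' -Context $ctx -Force -ErrorAction Stop
    Write-Warning 'Delete succeeded: the container is NOT immutable.'
} catch {
    Write-Output "Delete refused as expected: $($_.Exception.Message)"
}

# 4. Record the resulting state for the runbook.
Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container |
    Select-Object State, ImmutabilityPeriodSinceCreationInDays
```

Two operational notes. Once the policy is locked, the probe blob itself cannot be removed until its 30 days are up, so run the probe against a dedicated test container if that matters. And a locked policy also prevents deletion of the container and of the storage account for as long as protected blobs exist, which closes the "delete the whole account" path an attacker with a stolen admin credential would otherwise try. Immutability does not, however, alert you when the backup job itself stops running; that still needs monitoring.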

With a known-good backup confirmed, Siotek outlined a two-track recovery plan. Track one: spin up a temporary Windows Server VM in Azure to serve as a replacement imaging server and Eaglesoft host while the physical server underwent forensic imaging. Track two: rebuild the physical server in parallel so the practice could migrate back to on-premises infrastructure once forensics cleared it. The goal was to be operational by Monday morning — three business days out.

The Timeline

Hour by Hour

When What Happened
Thu 9:00 PM Ransomware discovered. Server, NAS, and three workstations encrypted.
Fri 7:30 AM Practice contacts Siotek. Initial call begins.
Fri 8:15 AM Network isolation confirmed. Three clean workstations identified.
Fri 9:45 AM Cyber insurance notified. Insurer's IR team engaged.
Fri 11:00 AM Azure immutable backup from Wednesday night confirmed intact. No ransom payment needed.
Fri 1:00 PM Azure VM provisioned. Eaglesoft and imaging software installation begins.
Fri 3:30 PM Practice manager confirms Friday afternoon appointments rescheduled as precaution (3 patients).
Fri 5:00 PM Azure VM running. Backup restore to VM begins. Physical server shipped to forensics lab.
Sat–Sun Full restore validated. Workstations rebuilt. Network segmentation implemented. Staff credentials reset across all systems. Patient notification letter drafted with HIPAA counsel.
Mon 7:00 AM Staff walkthrough of restored environment. All systems green.
Mon 8:00 AM First patient scheduled. Full schedule running. Zero clinical disruption.
The Outcome

By the Numbers

Recovery Time
Full clinical and administrative recovery by Monday morning, roughly 72 hours after first contact on Friday morning and four calendar days after the Thursday-night discovery. The physical server rebuild and migration back off Azure completed the following week.
Patient Impact
Three Friday afternoon appointments rescheduled. All three were contacted same-day and rebooked for the following week. No patient was unable to receive care.
Ransom Paid
$0. The immutable backup made payment unnecessary. The insurer's forensics team found no evidence that patient data had been exfiltrated, which materially narrowed the HIPAA notification analysis.
Insurance Coverage
The insurer covered forensics, the temporary Azure infrastructure, and a portion of the remediation labor. The practice's out-of-pocket cost came in well under the policy's maximum deductible.

The practice received a written all-clear from the insurer's forensics team confirming no evidence of data exfiltration. Under HIPAA's breach notification rule, encryption of ePHI by ransomware is presumed to be a breach unless the covered entity can show, through the four-factor risk assessment, a low probability that the data was compromised. The forensics finding was the key input to that assessment and let the practice document a low-probability determination rather than issue full breach notifications, a significant difference in regulatory burden and patient communication.

Two weeks after the incident, the practice transitioned back to their rebuilt on-premises server with Huntress EDR/SIEM deployed on all endpoints, Proofpoint email filtering in place, network segmentation separating clinical devices from the guest Wi-Fi and admin machines, and a documented incident response plan on file. Their backup architecture now maintains three copies: a local NAS for fast restore, an Azure immutable copy for ransomware protection, and a monthly offline snapshot.

Lessons Learned

What Made the Difference

Two months before the attack, this practice had switched backup vendors. That decision — made for entirely unrelated reasons (the old vendor had raised prices) — turned a potential catastrophic data loss into a recoverable incident. The lesson is not that they got lucky. The lesson is that the right backup architecture makes ransomware a nuisance rather than a business-ending event.

The four factors that separated a 4-day recovery from the multi-week or permanent closures we have seen at other practices:

Immutable offsite backups
Consumer and SMB NAS backups that sit on the same network, reachable with writable credentials, get encrypted alongside everything else. A backup survives a network-wide encryption event only if the attacker cannot write to it: immutable cloud storage enforced by the provider, or media that is physically offline.
Cyber insurance
Having an active policy and knowing how to reach the IR hotline cut hours off the response time. The insurer's forensics team was on a call by 10 a.m. Friday. Without the policy, that engagement would have been out-of-pocket and likely delayed.
Knowing what software you run
Siotek could provision the Azure VM with the exact Eaglesoft version and imaging drivers the practice used because that information was documented in advance. An unfamiliar provider would have spent hours just inventorying the environment.
Decisiveness on Friday afternoon
The practice manager's decision to reschedule three Friday appointments was the right call. Attempting to run the afternoon schedule on an insufficiently validated environment would have risked patient safety and complicated the forensic chain of custody.

What made things harder than they needed to be: with no endpoint detection, the initial infection vector was not identified until the insurer's forensics team finished their review the following week. Consumer antivirus had not flagged the payload. Huntress EDR, installed post-incident, would likely have detected and isolated the threat before it reached the server, and email filtering would likely have stopped the initial phishing link entirely.

The $47,000 ransom demand was never paid. The full remediation cost — including the Azure infrastructure, forensics, labor, and new security tooling — came in below $15,000 after insurance reimbursement. The practice added Siotek as their managed IT provider the following month.

Is your backup actually ransomware-proof?

Most dental practices we talk to have a backup. Very few have a backup that survives a network-wide encryption event. A free IT Health Assessment will tell you exactly where you stand — and what it would take to fix it.

Get Your Free IT Assessment