Laura Sánchez: The Receptionist Who Cost Her Clinic €200,000

Laura Sánchez is 32 years old and had been working at the same dental clinic for years — a place where she always felt comfortable and safe.
Over time, Laura gradually fell behind on the latest digital threats, trusting that nothing bad would ever happen.

But one morning, which seemed like any other, she received an email from a regular supplier. Without thinking twice, she clicked on the link — unaware that, in doing so, she had just let in the worst intruder her clinic could have imagined: ransomware.

The Fake Technician Who Checks Your Files

Imagine this: one morning, Laura welcomes a technician at the clinic who claims he’s been sent by the owner to check the air conditioning system.
As always, she lets him in, convinced it’s just a routine visit. But this time, it’s different.

Instead of fixing anything, this “technician” starts wandering through the offices, inspecting every filing cabinet and folder containing confidential information: patient records, employee details, phone numbers, bank accounts, medical histories.
One by one, he locks the files with digital padlocks, making sure no one can access them again.

Before leaving, he also makes copies of the most valuable data — information he can later sell on the black market or use for blackmail.
And once he’s done, he walks into the clinic manager’s office to deliver his message:
“If you want access to your own files again, you’ll have to pay a ransom.”

What Exactly Is Ransomware?

If we take the technician’s story into the digital realm, ransomware is that same kind of intruder — only invisible and silent.
Instead of walking through the front door, it sneaks into your clinic via a seemingly harmless email.

This ransomware does exactly what the fake technician did:

  • It moves through all your files,

  • locks them with “digital padlocks”,

  • and leaves them inaccessible to your entire team.

But unlike a conventional thief, ransomware doesn’t need to break any physical locks: once it is running on one computer it can reach every folder and shared drive that computer can open over the network, and it takes advantage of any moment of carelessness.

It usually arrives disguised as a legitimate message from a supplier, a colleague, or even a patient requesting information or sending a document.
The moment someone clicks, its silent work begins:

  • It scans all your data,

  • encrypts everything,

  • and finally displays a message with the threat:
    “If you want access again, you’ll have to pay a ransom.”

The ransom is almost always demanded in cryptocurrency. The reason is not that such payments are untraceable (transfers on public blockchains are recorded permanently and are routinely traced by investigators and exchanges) but that they are irreversible and need no bank that could freeze the funds or identify the recipient.
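The behaviour just described (a burst of files being rewritten with encrypted content, renamed, and a note dropped) is also what endpoint monitoring looks for. The script below is an added example written for this page, not code from the original post or from any product; it assumes a simplified file-event format (timestamp, process, operation, path, bytes written) that a real sensor such as Sysmon or auditd would have to be mapped onto, and the note names and extensions it matches are illustrative, not a vetted indicator list. The event stream at the bottom is constructed.

```python
import math
import os
from collections import defaultdict, deque

# Note file names and renamed-file extensions of the kind ransomware families use.
# These sets are an illustrative assumption for the example, not a vetted IOC feed.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt", "decrypt_instructions.html"}
RANSOM_EXTENSIONS = {".locked", ".crypt", ".encrypted", ".enc"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0. Encrypted output sits near 8.0;
    documents, spreadsheets and CSV exports sit well below 7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def analyze_events(events, window_s=60, burst=10, entropy_threshold=7.0):
    """Score each process over a sliding time window.

    events: iterable of (timestamp_s, process, op, path, payload) where op is
    "write", "rename" or "create" and payload is the bytes written (b"" otherwise).
    Returns one alert dict per process whose recent activity looks like bulk
    encryption: many high-entropy writes, many renames to a ransom extension,
    or a ransom note dropped alongside either of those.
    """
    recent = defaultdict(deque)      # process -> events still inside the window
    alerts = {}
    for ts, proc, op, path, payload in sorted(events):
        win = recent[proc]
        win.append((ts, op, path, payload))
        while ts - win[0][0] > window_s:   # the event just appended is never evicted
            win.popleft()

        high_entropy = renamed = notes = 0
        for _, w_op, w_path, w_payload in win:
            if w_op == "write" and shannon_entropy(w_payload) >= entropy_threshold:
                high_entropy += 1
            elif w_op == "rename" and os.path.splitext(w_path)[1].lower() in RANSOM_EXTENSIONS:
                renamed += 1
            elif w_op == "create" and os.path.basename(w_path).lower() in RANSOM_NOTE_NAMES:
                notes += 1

        score = 0
        if high_entropy >= burst:
            score += 2
        if renamed >= burst:
            score += 2
        if notes and (high_entropy or renamed):
            score += 3
        if score >= 2:
            # first_seen is the moment of detection; counts keep updating as the attack continues
            alert = alerts.setdefault(proc, {"process": proc, "first_seen": ts})
            alert.update(high_entropy_writes=high_entropy, ransom_renames=renamed,
                         ransom_note=bool(notes), score=score)
    return list(alerts.values())


def sample_events():
    """Constructed event stream, not real telemetry: a word processor saving a
    few notes, then a rogue process mass-encrypting the patient folder."""
    plaintext = b"Patient 0042, hygiene check 2024-06-03, next recall in six months.\n" * 8
    ciphertext = bytes(range(256)) * 2      # stand-in for encrypted output: flat byte histogram
    events = []
    for i in range(3):
        events.append((10 + 5 * i, "winword.exe", "write", f"C:/Clinic/Notes/visit{i}.docx", plaintext))
    for i in range(15):
        events.append((100 + i, "updater.exe", "write", f"C:/Clinic/Patients/record{i}.pdf", ciphertext))
        events.append((100 + i, "updater.exe", "rename", f"C:/Clinic/Patients/record{i}.pdf.locked", b""))
    events.append((116, "updater.exe", "create", "C:/Clinic/Patients/HOW_TO_DECRYPT.txt", b"pay us"))
    return events


if __name__ == "__main__":
    for alert in analyze_events(sample_events()):
        print(alert)
```

Two caveats a practitioner would raise. First, the alert fires only after the tenth file in the window, so those files are already lost; the value of the detection is in isolating the machine from the network before the shared drives are touched, not in preventing the first encryptions. Second, legitimate software also writes high-entropy data (backup agents, compression tools, and dental imaging systems saving compressed X-rays), so in production the scoring needs an allow-list of known processes or the false positives will train staff to ignore the alert.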

The Dilemma: To Pay or Not to Pay

When Laura realises she can’t open the files, she alerts the clinic manager. That’s when the most tense moment arrives: deciding whether to pay the ransom in the hope of recovering the data — or to try restoring everything from backup copies (if they exist and actually work).

But here’s one of the most serious problems:
Even if the data can be recovered from backups, there’s no guarantee it wasn’t already stolen. Most ransomware groups now copy the data out before encrypting it (so-called double extortion), so a successful restore ends the outage but not the threat of publication.
Cybercriminals can:

  • Sell it on the dark web,

  • Blackmail the clinic or individual patients,

  • Use it for identity fraud.

The damage isn’t just financial. It’s also a matter of reputation and trust.

And it’s precisely that combination — financial pressure, reputational harm, and operational paralysis — that makes paying the ransom such a difficult decision.
It’s one of the biggest dilemmas faced by clinics targeted by ransomware attacks.

Most cybersecurity experts and official organisations recommend not paying, as doing so doesn’t guarantee the attackers will return access to the data — or that they won’t strike again.
Plus, paying fuels the continuation of these criminal networks.

However, in practice, many organisations choose to pay under the pressure of restoring access as quickly as possible and resuming operations.
That’s why having a response plan and up-to-date backups is essential to reduce reliance on this critical decision.
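The phrase “if they exist and actually work” deserves a concrete check. The script below is an added example written for this page, not the clinic’s or any vendor’s backup software; it assumes a plain file-level backup and a manifest file name of its own choosing, and the clinic folder it builds in a temporary directory is constructed sample data. It records a SHA-256 digest of every file at backup time and later verifies that the backup copy is complete, unmodified and recent, then shows what the check reports when the live data is encrypted and when the backup share itself has been reached.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"      # file name is an assumption for this example


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path):
    """Sorted relative paths of every regular file under root, manifest excluded."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(root: Path) -> dict:
    """Hash every file at backup time; this is what a later restore is checked against."""
    return {"created": time.time(),
            "files": {rel: sha256_file(root / rel) for rel in _relative_files(root)}}


def verify_backup(backup_root: Path, manifest: dict, max_age_days: float = 1.0, now=None) -> list:
    """Return a list of problems; an empty list means complete, unmodified and fresh."""
    now = time.time() if now is None else now
    problems = []
    if now - manifest["created"] > max_age_days * 86400:
        problems.append("stale: backup older than %.1f days" % max_age_days)
    for rel, digest in manifest["files"].items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    for rel in _relative_files(backup_root):
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario (temporary directories, no real patient data): back up
    a clinic folder, then ransomware hits the live data and, in a second run,
    also reaches a backup share that was left writable."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "clinic"
        (live / "patients").mkdir(parents=True)
        (live / "patients" / "p001.txt").write_text("Patient 001: crown, upper left molar\n")
        (live / "schedule.csv").write_text("date,patient\n2024-06-03,p001\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)
        (backup / MANIFEST_NAME).write_text(json.dumps(manifest))

        # Ransomware overwrites the live files and drops a note.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(bytes(range(256)))
        (live / "HOW_TO_DECRYPT.txt").write_text("pay us")
        results = {
            "live": verify_backup(live, manifest),
            "clean_backup": verify_backup(backup, manifest),
            # The same backup judged a week later, with no fresh run in between.
            "stale_backup": verify_backup(backup, manifest, now=manifest["created"] + 7 * 86400),
        }

        # The backup share was mounted read-write on the infected machine.
        (backup / "patients" / "p001.txt").write_bytes(bytes(range(256)))
        (backup / "schedule.csv").unlink()
        results["tampered_backup"] = verify_backup(backup, manifest)
        return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

The manifest must be kept where the infected machine cannot rewrite it (on the backup appliance, or signed and stored offline); otherwise an attacker who reaches the backup share can simply regenerate it to match the encrypted copies. A clean manifest also proves only that the copy is intact, not that the clinic can restore it under pressure, so a full restore onto spare hardware should be rehearsed as part of the response plan.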

How Many “Laura Sánchez” Are There in Your Clinic?

Laura Sánchez is a fictional character. But if you think about it, every clinic has several “Laura Sánchez” types: dedicated professionals who do their jobs with responsibility and commitment but are unaware of how vulnerable they can be to cybercriminals.

Most employees spend a large part of their workday connected to the internet: browsing, checking with suppliers, shopping, or even scrolling through social media and videos during their breaks. Many do so using the clinic’s computer or their own phone connected to the company’s network.

However, very few invest time in staying up to date on digital risks. Some think it’s a distant problem or believe “these things only happen to others.” Others simply aren’t interested in learning about it. The result: your clinic becomes an easy and profitable target for attackers.

And this is where your role as the clinic manager comes in:
It’s your responsibility to ensure your entire team is informed, trained, and prepared.
Because even the best security technology can fail if the people using it don’t understand how to protect themselves.

Investing in awareness and training isn’t an expense — it’s the best investment to prevent financial losses, reputational damage, and legal trouble.

Real Cases That Prove This Happens Every Day

Here are some recent examples of cyberattacks targeting healthcare facilities:

🔹 United Kingdom (June 2024) – Synnovis/NHS London Provider
A ransomware attack by the Qilin group hit pathology service provider Synnovis, paralyzing labs that served seven NHS hospitals in London: King’s College, Guy’s, St Thomas’, Evelina, and others.

Impact: Nearly 1,600 surgeries and appointments cancelled.
Data stolen: 104 files (~3.7 GB), including patient data and test results.
Estimated cost: Over £32.7M in damages; the ransom demand was around $50M.
It was acknowledged that the attack contributed to a patient’s death due to delayed critical test results.

🔹 Scotland (February 2024) – NHS Dumfries & Galloway
Attack attributed to the Inc Ransom group, which exfiltrated nearly 3 TB of data from the health board’s systems.

Impact: Emails, medical results, and X-rays were published on the dark web.
The board refused to pay, and the attackers released the information.

🔹 United States (February 2024) – Change Healthcare / UnitedHealth
The BlackCat/ALPHV group attacked Change Healthcare (a UnitedHealth subsidiary that processes a large share of US medical claims), gaining access with stolen credentials to a Citrix remote-access portal that had no multi-factor authentication enabled. The company’s final estimate put the number of people affected at around 190 million.

Ransom paid: $22M in cryptocurrency. The payment did not end the extortion: the ALPHV operators kept the money and disappeared without paying their affiliate, who then tried to extort UnitedHealth a second time with the same stolen data.
Impact: Weeks of disruption across numerous hospitals and health centers.

🔹 United States (January 2025) – Frederick Health (Maryland) and a hospital in California
Two cyberattacks on healthcare entities led to the exposure of over 1.1 million patient records, with roughly 480 GB of data leaked.

🔹 United States (August 2024) – McLaren Health Care (Michigan)
An attack on McLaren’s hospital network compromised personal data of over 740,000 individuals, including social security numbers and health insurance details.

🔹 Costa Rica (May 2022) – Caja Costarricense de Seguro Social (CCSS)
The Hive ransomware group, weeks after the Conti group’s attack on Costa Rica’s government ministries, hit the country’s public healthcare system, shutting down critical systems; the ransom demand exceeded $5M.

Labs, consultations, and medical services were interrupted.
More than 9,000 devices and around 800 servers were compromised.

These cases show that size or location doesn’t matter — attacks on healthcare are a real, constant, and increasingly aggressive threat. Each of these incidents:

  • Involved massive ransom demands or indirect financial losses.

  • Compromised large volumes of patient records, in several cases millions of them.

  • Disrupted daily clinical operations.

  • In some cases, even impacted health outcomes or cost lives.

Final Thoughts

Ransomware isn’t just a technical issue — it’s a daily threat to patient safety, clinical operations, and the very trust that healthcare institutions are built on. These real-world cases are a reminder that no clinic or hospital is too small or too prepared to be targeted.

If you’re part of a healthcare team, the time to act is now.
Investing in cybersecurity awareness and training isn’t optional — it’s essential.
Because the cost of inaction could be far greater than you imagine.
