From the Lab to the Clinic: What Ransomware in Pharma Is Telling All of Us

Digital setting of a medical clinic with secured files and protected connections, symbolising cybersecurity in healthcare.
By Cris Digital

Imagine waking up one day and finding you’ve lost access to everything that keeps your work running: internal protocols, contracts, confidential files, even your team’s data. That’s exactly what happened to the US company Inotiv a few weeks ago, after a ransomware attack on the pharmaceutical firm was detected on 8 August 2025 and made public on 20 August. The problem wasn’t only locked systems and encrypted files, serious as that is: over 160,000 sensitive documents were also stolen. Documents that were literally the operational backbone of the company.

The attack was carried out by the Qilin group, one of those names increasingly on the radar in healthcare cybersecurity. And do you know the most alarming part? Even though this happened in a large pharma company on the other side of the world, its lesson hits very close to home. Because it wasn’t the size of the company that mattered—it was something far more common: a technical flaw, a misconfiguration… and the door was left ajar. And once that happens, what’s inside is no longer yours.


What do we actually know about the ransomware attack on Inotiv?

The ransomware struck Inotiv on 8 August 2025, but the world didn’t find out until nearly two weeks later, when the company formally notified the SEC (U.S. Securities and Exchange Commission) on 20 August. During those twelve silent days, the firm rallied its internal teams and external experts to contain the threat, assess the damage, and craft a mistake‑free public response.

What they uncovered was far from trivial: the Qilin group not only encrypted systems, but also exfiltrated some 176 GB of critical data—roughly 162,000 files—including contracts, lab protocols, employee data, and documents that revealed, unfiltered, how operations ran behind the scenes. A surgical-level exposure that doesn’t just strike at technology, but at the very trust on which relationships in healthcare are built.


Potential scams using the stolen documents

Now imagine this: attackers don’t just have files, they have real contracts, legitimate purchase orders, invoices with authentic logos, even internal templates with digital signatures. They don’t need to forge anything. They can just copy, paste and send. The result? Frauds so well crafted they could fool anyone.

Pharmacy or wholesaler scam
Picture a pharmacy or distributor receiving what appears to be a legitimate invoice. Same layout, numbering, data… everything identical — except for one critical detail: the bank account for the transfer now belongs to the criminals, not the pharma company.

Clinic or hospital scam
Another typical play: attackers contact clinics or hospitals with a seemingly routine email—“a new contract?”, “a price update?”, “a restocking request?” If it comes with a real document—complete with official headers, internal data and a familiar tone—the deceit slips through unnoticed, even among seasoned professionals.

Phishing disguised as official communication
And of course, there’s phishing with an impeccable appearance. When attackers have access to genuine emails, signatures, templates and internal communication styles, creating a believable message is no longer a matter of skill… it’s just a matter of time.

When attackers hold real documents, each stolen item becomes a perfect disguise. And the more believable the disguise, the easier it is for someone to let their guard down.
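For the invoice scenario above, where everything matches except the bank account, the control that holds is comparing the payee account against details recorded when the supplier was onboarded. The sketch below is an added example, not part of the original article; the vendor ID, field names and sample IBANs are constructed for illustration.

```python
import re

# Constructed vendor master: bank details confirmed when the supplier was
# onboarded. "ACME-PHARMA" and the field names are hypothetical; the IBANs
# below are standard documentation samples, not real accounts.
VENDOR_MASTER = {"ACME-PHARMA": {"iban": "DE89370400440532013000"}}

def normalise_iban(raw):
    """Strip whitespace and upper-case so cosmetic differences never matter."""
    return re.sub(r"\s+", "", raw).upper()

def iban_is_valid(raw):
    """ISO 13616 mod-97 check: move the first 4 chars to the end, map A-Z to 10-35."""
    iban = normalise_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def review_invoice(invoice, master=VENDOR_MASTER):
    """Return (decision, reason). Only 'PAY' releases a transfer."""
    vendor = master.get(invoice["vendor_id"])
    if vendor is None:
        return "HOLD", "unknown vendor: verify using contact details already on file"
    if not iban_is_valid(invoice["iban"]):
        return "HOLD", "IBAN fails checksum"
    if normalise_iban(invoice["iban"]) != normalise_iban(vendor["iban"]):
        # A valid but different account is exactly the swap described above.
        return "HOLD", "bank account differs from vendor master: confirm out-of-band"
    return "PAY", "account matches vendor master"

# Constructed invoices: identical apart from the payee account.
GENUINE = {"vendor_id": "ACME-PHARMA", "iban": "DE89 3704 0044 0532 0130 00"}
TAMPERED = {"vendor_id": "ACME-PHARMA", "iban": "GB82 WEST 1234 5698 7654 32"}

if __name__ == "__main__":
    for inv in (GENUINE, TAMPERED):
        print(review_invoice(inv))
```

A held invoice should be confirmed through a phone number or contact already on file, never one taken from the invoice or the email that delivered it.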


Where did things go wrong in the Inotiv attack?

The only confirmed fact so far: an unauthorised actor accessed Inotiv’s systems and encrypted part of their infrastructure. After notifying the SEC, the company activated its continuity strategy, resorted to offline processes, and restricted access across internal areas to prevent further spread.

But the how remains unknown. We don’t know whether it was phishing, an open vulnerability or stolen credentials that opened the door. Nor is it clear whether the partial encryption resulted from luck or because their networks were properly segmented. We know there were disruptions to internal systems, networks and critical applications—but we don’t know exactly what failed.

While investigations continue, any healthcare organisation should ask itself:

Are your critical systems sufficiently isolated so that even a partial compromise doesn’t bring everything down?


Thinking “this couldn’t happen to my clinic” is the vulnerability attackers exploit most.

When we hear that a big pharmaceutical company has been attacked, we often think: “that’s far from my reality.” But what occurred there is just a large-scale version of what can happen in a much smaller clinic. The difference lies in budget and volume, not in the value of the information.

In clinics, data is even more sensitive. Think of patient records, lab reports, radiographs, insurance billing, patient contact details… All of that is extremely valuable to anyone who knows how to exploit it. And often, that value is more exposed—because resources to protect it are fewer and the day-to-day urgency leaves little room to think about cybersecurity.

If Inotiv had systems encrypted and contracts stolen, then for a clinic the equivalent could be:

  • Patient records
  • Diagnostic reports
  • Emails with suppliers
  • Billing systems

And in the wrong hands, the frauds, scams and blackmail scenarios we described earlier could just as easily play out… only this time, the impact would be felt by you, your team, and your patients.


Three questions worth asking yourself today

  1. What type of clinical information would be most valuable to an attacker if they breached your systems?
  2. Do you know which systems would keep running if you had to shut everything down due to an incident?
  3. Does someone on your team know how to respond if a document with a familiar-looking logo turns out to be fake?

If any of these answers raise doubts… now’s the perfect moment to act. Calmly, but don’t leave it for later.


How you can protect your clinic from a ransomware attack like this

When we talk about ransomware, we’re not dealing with cybersecurity concepts distant from your clinic. We’re talking about something far more tangible: understanding what basic steps can make a difference in your clinic’s day-to-day.

  1. Passwords: the most basic lock
    Let’s start with the simplest. If you’re still using default or weak passwords like “admin123”… that’s an open door. It’s not about making it complicated, but about using a unique password for each access, and always adding a second factor where possible, like a code sent to your mobile.
  2. Updates: not just whims
    Often people think: “if it works, better not touch it.” But those updates that pop up from time to time are there for a reason: they fix issues attackers already know about and are trying to exploit. If you don’t install them, you’re leaving those holes open.
  3. Backups: isolated, not just stored
    Making copies is important, yes. But having a backup offline, disconnected from the network, is what really matters. Because if ransomware gets in and the backups are in the same system… they get encrypted too. An isolated backup may seem minor, but it’s what lets you start over without paying or negotiating.
  4. Training: it’s not all on IT
    Not everyone needs to be an expert, but staff should know how to spot a suspicious email, a dodgy file, or when to raise the alarm. In many clinics, the first wrong click doesn’t come from the tech team, but from someone at reception or in admin. And all it takes is one click for everything to start.

Digital sterilisation: to prevent infection from cyber‑attack

Protecting your clinic against ransomware is a lot like sterilising instruments before a procedure. It may sound over the top… until the day you skip it. No one reuses equipment without sterilising because the risk is obvious. Cybersecurity is just the same: passwords, backups, updates… they’re your invisible sterilisation, unnoticed but essential to prevent digital infections with real consequences.


The NIS2 Directive isn’t random: the European Commission officially recognises the risk to clinics and hospitals

Inotiv’s case is a warning. Not just for pharmaceutical firms, but for any healthcare facility. Your data is valuable, too. And the NIS2 Directive, in force since 2023, makes it clear: if you’re a clinic in Europe, you must train your staff, strengthen your systems, and follow protocols, just like you follow clinical hygiene standards.

Because a digital infection can equally paralyse your operations, put patients at risk, and damage your reputation.

And if there’s one thing you’d like to hang on to from all of this, let it be this:

Cybersecurity isn’t a luxury. It’s an invisible routine that only becomes visible when it’s missing.
Lock the doors well. And the ports, too. Cyber-protect yourself.

If you’d like to know how lacking staff training could affect your clinic’s ability to prevent attacks, I warmly recommend reading the next article on my blog.
