How a Katy Medical Practice Survived a Ransomware Attack

When ransomware hit a Katy, Texas medical practice on a Friday evening, the practice manager’s first call was to SpaceTown IT. By Monday morning, the practice was fully operational with zero data loss. This is the story of how proper IT preparation turned a potentially business-ending event into a weekend inconvenience.

The Incident

A Katy medical practice with 18 employees and three physicians discovered ransomware encrypting workstations at 6 PM on a Friday. The ransomware had entered through a phishing email clicked by a staff member that afternoon. By the time it was detected, four workstations and one file server were encrypted. The attacker’s ransom demand: $85,000 in cryptocurrency within 72 hours.

Why They Did Not Pay

The practice had engaged SpaceTown IT six months earlier after a colleague’s practice paid $60,000 in ransom. SpaceTown IT had deployed: (1) SentinelOne EDR on all endpoints, (2) Datto SIRIS backup with 5-minute snapshot intervals and a local recovery appliance, and (3) offsite cloud backup replication. Because the Datto backup was offsite and the attacker had not reached the backup system, all data was recoverable and no payment was required.

The Recovery

SpaceTown IT’s incident response team engaged Friday evening. By Saturday noon, all four encrypted workstations were reimaged, with Datto Instant Virtualization running them as VMs from the backup appliance while physical remediation occurred. By Sunday afternoon, all workstations were rebuilt and validated. By Monday morning, the practice opened fully operational. Total data loss: zero. Total downtime: one afternoon and weekend, with limited Saturday operations. Ransom paid: $0.

What Changed After the Incident

Following the incident, SpaceTown IT implemented additional protections: advanced email security blocking the phishing vector used in the attack, security awareness training with phishing simulation for all staff, network segmentation isolating the EHR server, and MFA on all remote access. The practice has experienced no security incidents in the two years since.

Protect Your Houston Medical Practice

SpaceTown IT provides HIPAA-compliant IT and Datto backup for Houston medical practices. Call (832) 304-9748 or see our medical practice HIPAA services.
